fix(ci): correct ZAP baseline report filename to avoid upload failure#3246
fix(ci): correct ZAP baseline report filename to avoid upload failure#3246arkid15r merged 9 commits intoOWASP:mainfrom
Conversation
Summary by CodeRabbit
✏️ Tip: You can customize this high-level summary in your review settings. WalkthroughChange ZAP baseline scan report filename references in CI workflow: update Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
📜 Recent review detailsConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In @.github/workflows/run-ci-cd.yaml:
- Line 616: Two occurrences of the checkout step were changed to
actions/checkout@v4 breaking consistency with the rest of the workflow; revert
those uses back to the pinned SHA
actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 so all checkout steps
match the pinned version, and add a brief PR note clarifying whether the switch
to @v4 was intentional or accidental since this change is unrelated to the ZAP
report upload fix.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/run-ci-cd.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.
Applied to files:
.github/workflows/run-ci-cd.yaml
🔇 Additional comments (2)
.github/workflows/run-ci-cd.yaml (2)
625-625: LGTM! Correctly removes the custom report filename override.The removal of
-r report.htmlfromcmd_optionsallows the ZAP baseline scan to use its default report naming convention, which should resolve the filename mismatch issue described in #3239. The change is consistently applied to both staging and production ZAP scan jobs.Also applies to: 963-963
606-626: The concern raised in this review comment is not supported by how thezaproxy/action-baselineaction actually works.The
zaproxy/action-baselineaction automatically uploads ZAP scan reports as workflow artifacts by default (with artifact_name = "zap_scan"). There is no need for a separate explicit "Upload report" step in the workflow. The action itself handles artifact upload via the GitHub Artifacts API internally.The current workflow configuration at lines 606-626 (staging) and 944-963 (production) is correct: it relies on the action's built-in upload capability rather than requiring a separate upload step. The absence of an explicit upload step does not mean reports aren't being uploaded—they are, via the action's default behavior.
The contradiction perceived between the AI summary mentioning a "deleted Upload report step" and the PR description stating "HTML report is uploaded successfully" does not actually exist. The PR description is accurate: reports are uploaded by the action itself, not by a separate workflow step.
Likely an incorrect or invalid review comment.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (2)
.github/workflows/run-ci-cd.yaml (2)
941-941: Remove trailing whitespace.Line 941 has trailing whitespace that appears unrelated to the ZAP scan fix.
🧹 Proposed fix
- name: Run proxy deploy working-directory: .github/ansible run: ansible-playbook -i inventory.yaml production/proxy.yaml -e "github_workspace=$GITHUB_WORKSPACE" - +
949-949: Remove unnecessary blank line.The blank line at line 949 appears to be an unintentional formatting change unrelated to the fix.
🧹 Proposed fix
runs-on: ubuntu-latest - steps:
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
.github/workflows/run-ci-cd.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.
Applied to files:
.github/workflows/run-ci-cd.yaml
🔇 Additional comments (2)
.github/workflows/run-ci-cd.yaml (2)
954-961: Consistency with staging configuration looks good.The production ZAP baseline scan uses the same
cmd_optionsas the staging scan (line 624), which ensures consistent security scanning across environments. The same verification concerns apply regarding the.zapconfigfile existence and the correctness of the command options.
617-624: Configuration and options are correct. The.zapconfigfile exists in the repository root with properly formatted ZAP baseline scan configuration (rule ID mappings to IGNORE/FAIL actions). The command options-a(include alpha passive scan rules) and-c .zapconfig(apply custom configuration) are both documented options for zaproxy/action-baseline and are appropriately used here.
|
You must use the PR template we have. |
|
You didn't run the required code quality checks. Your future issue assignment requests will be de-prioritized. |
|
Please let me know if anything else needs adjustment. |
| name: zap-baseline-scan-report-${{ github.run_id }} | ||
| path: report.html | ||
|
|
||
| path: report_html.html |
There was a problem hiding this comment.
So your code just renamed the report file. Why do you think it'll work now if it didn't work for the same approach with just a different name?
There was a problem hiding this comment.
Previously, I removed the report file generation step because I initially thought that was causing the issue.
This time, I addressed the actual root cause by properly renaming and aligning the report filename, which was mismatched between the ZAP generation step and the artifact upload step and was causing the failure.
|
…OWASP#3246) * fix(ci): correct ZAP baseline report filename to avoid upload failure * fix(ci): correct ZAP baseline report filename to avoid upload failure * Update code * fix(ci): correct ZAP baseline report filename to avoid upload failure * Update code --------- Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org> Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
2 participants
Proposed change
Resolves #3239
This PR fixes the ZAP baseline GitHub Actions workflow by ensuring the generated HTML report filename matches the filename expected during artifact upload.
Previously, the workflow overrode the default report filename via cmd_options, which caused a mismatch and resulted in a file-not-found error during the upload step. This change aligns the ZAP scan output and artifact upload path so the report is generated and uploaded correctly for both staging and production scans.
Checklist