Manage Targets

GitHub Actions

Integrate ZeroThreat into your CI/CD pipeline with GitHub Actions to run security scans automatically as part of your builds. This guide walks you through the setup process and provides helpful insights to make the integration seamless and secure.

Prerequisites

Before you begin, ensure the following:

  • Your target application is verified on ZeroThreat.
  • You’re familiar with the basics of GitHub Actions.
  • Your GitHub repository has workflows enabled.

Step 1. Enable GitHub Actions Integration in ZeroThreat

  1. Navigate to the Targets section in ZeroThreat.
  2. Click on the "Continuous Integration" button for your desired target.
  3. In the CI/CD settings drawer, click "Add GitHub Actions Integration" and confirm.

Once confirmed, a unique ZT_Token will be generated. This token is used to start scans for its associated target from your CI/CD pipeline.


Step 2: Choose Scan Settings

  1. Select or create a Scan Profile suitable for your environment.
  2. If you're scanning authenticated sections of your app, select the appropriate Login Template for authenticated scans. Make sure you select a working Login Template, otherwise the authenticated scan will not succeed.
  3. Click on the GitHub Actions icon in ZeroThreat to open the GitHub Actions Marketplace listing for the official ZeroThreat AI DAST Scanner.

Step 3: Set up the GitHub Actions Workflow

  1. Open your target's GitHub repository.
  2. Navigate to the Actions tab.
  3. Click "New Workflow" and select "Simple Workflow" as your starting template.
  4. Name your workflow file (e.g., .github/workflows/scan.yml).

Step 4: Configure the Workflow File

Use the following example as a starting point for your workflow configuration. For illustration, this guide uses the workflow_dispatch trigger, which lets you start the workflow manually from the GitHub interface. You're free to replace it with any other trigger supported by GitHub Actions, such as push, pull_request, or scheduled events, depending on your automation needs.

For more detailed instructions on writing and customizing GitHub Actions workflow files, refer to GitHub’s official Quickstart guide.

name: ZeroThreat Vulnerability Scan Action

on:
  workflow_dispatch:

permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v4

    - name: Run Custom Action for Vulnerability Scan
      uses: zerothreatai/github-action@0.0.3
      with:
        ZT_TOKEN: ${{ secrets.ZT_TOKEN }}
        WAIT_FOR_ANALYSIS: true

Always use the latest version of the zerothreatai/github-action. In the example above, replace @0.0.3 with the latest available version.

Understanding WAIT_FOR_ANALYSIS Input:

  • true – The GitHub Action waits for the scan to complete, polling every 5 minutes; the pipeline keeps running until then.
  • false (default) – The scan is triggered and the workflow ends immediately.

Step 5: Add ZT_TOKEN as GitHub Secret (optional)

It is recommended to store the ZT_TOKEN as a GitHub secret rather than hardcoding it in the workflow file or otherwise exposing it.

  1. Go to your GitHub repository settings.
  2. Navigate to Security > Secrets and Variables > Actions.
  3. Click “New repository secret”.
  4. Name it ZT_TOKEN, paste the value generated from ZeroThreat, and click "Add Secret".

Step 6: Run the workflow

Since this example uses workflow_dispatch, you can manually start a scan:

  1. Go to the Actions tab in your GitHub repository.
  2. Select your new workflow.
  3. Click "Run Workflow".

The workflow will begin and a scan will be triggered in the ZeroThreat portal.


Automating with Push or Pull Requests

To automate scans on every code change, you can replace the on: block in the workflow with:

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

This will trigger ZeroThreat scans automatically for pushes or pull requests to the main branch.


Troubleshooting

Issue: ZT_TOKEN not recognized
Solution: Make sure the input in the workflow YAML file is named exactly ZT_TOKEN.

Issue: Scan doesn’t trigger
Solution: Check your on: conditions and CI permissions.

Issue: Authenticated scan fails
Solution: Make sure a valid Login Template is selected in ZeroThreat and the credentials are valid.
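
The input-name check from the first troubleshooting row and the secret-not-literal rule from Step 5 can both be enforced before a workflow file is committed. The POSIX shell lint below is an added example, not part of ZeroThreat's tooling or of zerothreatai/github-action; it assumes the step layout shown in Step 4 and runs against constructed sample workflow fragments.

```shell
#!/bin/sh
# Added lint for the workflow layout shown in Step 4 (not ZeroThreat's own
# tooling). It catches the mistakes behind "ZT_TOKEN not recognized" and an
# exposed token: missing scanner step, input not named exactly ZT_TOKEN,
# and a token literal instead of a GitHub secret.
lint_zt_workflow() {
  f="$1"
  if ! grep -q 'uses:[[:space:]]*zerothreatai/github-action@' "$f"; then
    echo "$f: no zerothreatai/github-action step found"; return 1
  fi
  # The input key must be exactly ZT_TOKEN; zt_token or ZT-TOKEN is a different key.
  line=$(grep -E '^[[:space:]]+ZT_TOKEN:' "$f" | head -n 1)
  if [ -z "$line" ]; then
    echo "$f: scanner input must be named ZT_TOKEN"; return 1
  fi
  # The value must be read from GitHub Secrets, never pasted in as a literal.
  case "$line" in
    *'${{ secrets.'*) ;;
    *) echo "$f: ZT_TOKEN must be \${{ secrets.ZT_TOKEN }}, not a literal"; return 1 ;;
  esac
  echo "$f: ok"; return 0
}

# Constructed sample workflow fragments (no real repositories or tokens).
ZT_LINT_DIR=$(mktemp -d)
cat > "$ZT_LINT_DIR/good.yml" <<'EOF'
steps:
- uses: actions/checkout@v4
- uses: zerothreatai/github-action@0.0.3
  with:
    ZT_TOKEN: ${{ secrets.ZT_TOKEN }}
    WAIT_FOR_ANALYSIS: true
EOF
cat > "$ZT_LINT_DIR/wrong_name.yml" <<'EOF'
steps:
- uses: zerothreatai/github-action@0.0.3
  with:
    zt_token: ${{ secrets.ZT_TOKEN }}
EOF
cat > "$ZT_LINT_DIR/hardcoded.yml" <<'EOF'
steps:
- uses: zerothreatai/github-action@0.0.3
  with:
    ZT_TOKEN: placeholder-token-value-not-a-real-token
EOF

for w in good wrong_name hardcoded; do
  lint_zt_workflow "$ZT_LINT_DIR/$w.yml" || true   # good: ok; the other two report an error
done
```

Run it against .github/workflows/scan.yml as a pre-commit hook or an early CI step so a misnamed or hardcoded token fails fast instead of surfacing as a scan that never starts.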

Finished setting up your CI/CD integration?
Head over to our guide on Reviewing Scan Reports to learn how to read and analyze the different sections of the scan report.