Merge pull request #7 from psiinon/main

Use default user instead of root

Author: kingthorin

CHANGELOG.md

@@ -4,11 +4,14 @@ All notable changes to this GitHub action will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## [Unreleased]
+## [0.1.1] - 2022-05-23
+
+### Fixed
+- Use default zap user rather than root.
 
 ## [0.1.0] - 2021-09-14
 
 First release to Marketplace.
 
-[Unreleased]: https://github.com/zaproxy/action-api-scan/compare/v0.1.0...HEAD
+[0.1.1]: https://github.com/zaproxy/action-api-scan/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/zaproxy/action-api-scan/compare/12a34c296c603f7505336a7fc750363fa978d93e...v0.1.0

README.md

@@ -64,7 +64,7 @@ if it identifies any alerts. Set this option to `true` if you want to fail the s
 ```
 steps:
   - name: ZAP Scan
-    uses: zaproxy/[email protected].0
+    uses: zaproxy/[email protected].1
     with:
       target: 'https://www.zaproxy.org/'
 ```
@@ -85,7 +85,7 @@ jobs:
           ref: master
 
       - name: ZAP Scan
-        uses: zaproxy/[email protected].0
+        uses: zaproxy/[email protected].1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           docker_name: 'owasp/zap2docker-stable'

dist/index.js

@@ -3827,8 +3827,12 @@ async function run() {
             plugins = await common.helper.processLineByLine(`${workspace}/${rulesFileLocation}`);
         }
 
+        // Create the files so we can change the perms and allow the docker non root user to update them
+        await exec.exec(`touch ${jsonReportName} ${mdReportName} ${htmlReportName}`);
+        await exec.exec(`chmod a+w ${jsonReportName} ${mdReportName} ${htmlReportName}`);
+
         await exec.exec(`docker pull ${docker_name} -q`);
-        let command = (`docker run --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
+        let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" ` +
             `-t ${docker_name} zap-api-scan.py -t ${target} -f ${format} -J ${jsonReportName} -w ${mdReportName}  -r ${htmlReportName} ${cmdOptions}`);
 
         if (plugins.length !== 0) {

index.js

@@ -40,8 +40,12 @@ async function run() {
             plugins = await common.helper.processLineByLine(`${workspace}/${rulesFileLocation}`);
         }
 
+        // Create the files so we can change the perms and allow the docker non root user to update them
+        await exec.exec(`touch ${jsonReportName} ${mdReportName} ${htmlReportName}`);
+        await exec.exec(`chmod a+w ${jsonReportName} ${mdReportName} ${htmlReportName}`);
+
         await exec.exec(`docker pull ${docker_name} -q`);
-        let command = (`docker run --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
+        let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" ` +
             `-t ${docker_name} zap-api-scan.py -t ${target} -f ${format} -J ${jsonReportName} -w ${mdReportName}  -r ${htmlReportName} ${cmdOptions}`);
 
         if (plugins.length !== 0) {