From bd348671e9b9747fc8114216f20ece6a4caf62db Mon Sep 17 00:00:00 2001
From: thc202
Date: Fri, 24 May 2024 10:38:51 +0100
Subject: [PATCH] Allow to specify env vars for use in the plan

Add input `docker_env_vars` to allow to specify which env vars should be passed to the Docker container to be used by the plan.

Signed-off-by: thc202
---
 .github/workflows/check-run.yml | 10 ++++++++++
 .github/workflows/zap/af-plan-env-vars.yml | 14 ++++++++++++++
 CHANGELOG.md | 2 ++
 README.md | 15 +++++++++++++--
 action.yml | 4 ++++
 index.js | 3 ++-
 6 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/zap/af-plan-env-vars.yml

diff --git a/.github/workflows/check-run.yml b/.github/workflows/check-run.yml
index fc98a5b..36743e5 100644
--- a/.github/workflows/check-run.yml
+++ b/.github/workflows/check-run.yml
@@ -23,6 +23,16 @@ jobs:
 with:
 plan: '.github/workflows/zap/af-plan.yml'
 
+ - name: ZAP Plan Env Vars
+ uses: ./
+ id: af-plan-env-vars
+ env:
+ TARGET_URL: "http://localhost/"
+ with:
+ plan: '.github/workflows/zap/af-plan-env-vars.yml'
+ docker_env_vars: |
+ TARGET_URL
+
 - name: ZAP Plan with Error
 continue-on-error: true
 uses: ./
diff --git a/.github/workflows/zap/af-plan-env-vars.yml b/.github/workflows/zap/af-plan-env-vars.yml
new file mode 100644
index 0000000..34ebad2
--- /dev/null
+++ b/.github/workflows/zap/af-plan-env-vars.yml
@@ -0,0 +1,14 @@
+---
+env:
+ contexts:
+ - name: "Context"
+ urls:
+ - TARGET_URL
+ parameters:
+ failOnError: true
+ failOnWarning: true
+ progressToStdout: true
+jobs:
+- requests:
+ - url: TARGET_URL
+ type: "requestor"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ec36310..118a263 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@ All notable changes to this GitHub action will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
+### Added
+ - Allow to specify the environment variables that should be passed to the Docker container to be used by the Automation Framework plan.
 
 ## [0.1.0] - 2024-04-23
 ### Added
diff --git a/README.md b/README.md
index a986905..517721a 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,17 @@ A GitHub Action for running [ZAP Automation Framework](https://www.zaproxy.org/d
 **Optional** if specified must not be empty. The name of the [ZAP Docker image](https://www.zaproxy.org/docs/docker/about/#install-instructions) to be used. By default the action runs the stable image.
 
+### `docker_env_vars`
+
+**Optional** The names of the environment variables that should be passed to the Docker container for use in the plan, e.g.:
+```yaml
+docker_env_vars: |
+ MY_TARGET_URL
+ MY_USER_NAME
+ MY_USER_PASSWORD
+```
+See also [Environment variables](#environment-variables).
+
 ### `cmd_options`

 **Optional** Additional [command line options](https://www.zaproxy.org/docs/desktop/cmdline/) for ZAP.
@@ -26,7 +37,7 @@ Files created with the plan that need to be used after the plan has finished sho
 ## Environment variables

 If set, the following [ZAP authentication environment variables](https://www.zaproxy.org/docs/authentication/handling-auth-yourself/#authentication-env-vars)
-will be copied into the docker container:
+will be copied into the Docker container:

 - `ZAP_AUTH_HEADER_VALUE`
 - `ZAP_AUTH_HEADER`
@@ -34,7 +45,7 @@ will be copied into the docker container:

 ## Example usage
 
-```
+```yaml
 steps:
 - name: ZAP Scan
 uses: zaproxy/action-af@v0.1.0
diff --git a/action.yml b/action.yml
index 3058cb1..37b6e6f 100644
--- a/action.yml
+++ b/action.yml
@@ -11,6 +11,10 @@ inputs:
 description: 'The Docker image to be used.'
 required: true
 default: 'ghcr.io/zaproxy/zaproxy:stable'
+ docker_env_vars:
+ description: 'The env vars that should be passed to the Docker container running ZAP.'
+ required: false
+ default: ''
 cmd_options:
 description: 'Additional command line options to start ZAP with.'
 required: false
diff --git a/index.js b/index.js
index 746cfeb..7e83871 100644
--- a/index.js
+++ b/index.js
@@ -6,13 +6,14 @@ async function run() {
 try {
 let workspace = process.env.GITHUB_WORKSPACE;
 let docker_name = core.getInput('docker_name', { required: true });
+ let dockerEnvVars = ["ZAP_AUTH_HEADER", "ZAP_AUTH_HEADER_VALUE", "ZAP_AUTH_HEADER_SITE"].concat(core.getMultiline('docker_env_vars', { required: false })).map(e => `-e ${e}`).join(' ');
 let plan = core.getInput('plan', { required: true });
 let cmdOptions = core.getInput('cmd_options');

 await exec.exec(`chmod a+w ${workspace}`);
 await exec.exec(`docker pull ${docker_name} -q`);

- let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE -t ${docker_name} zap.sh -cmd -autorun /zap/wrk/${plan} ${cmdOptions}`);
+ let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" ${dockerEnvVars} -t ${docker_name} zap.sh -cmd -autorun /zap/wrk/${plan} ${cmdOptions}`);

 try {
 await exec.exec(command);
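Review bot: The new `docker_env_vars` description does not say what form the value takes: index.js reads it line by line and turns each line into a `-e NAME` flag, and the three `ZAP_AUTH_HEADER*` variables are passed in every run regardless, so someone reading action.yml alone cannot tell whether to list bare names or NAME=value pairs, or whether the auth variables must be repeated. Suggest `description: 'Names of environment variables (one per line) to pass through to the Docker container running ZAP, in addition to the ZAP_AUTH_HEADER* variables, which are always passed.'`. The README hunk in this commit already shows the one-name-per-line form; the input description is where users of the marketplace listing will look first.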
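Review bot: Each `docker_env_vars` line is interpolated into the `docker run` string unchanged (`.map(e => \`-e ${e}\`)`) with no check that it is a variable name, so a line containing whitespace or starting with `-` is split by `exec.exec` into additional `docker run` arguments rather than rejected, and a name that is not set on the runner is silently skipped by docker and only surfaces when the plan fails. Validating each entry before it is joined into the command, e.g. `if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(e)) throw new Error('docker_env_vars: invalid variable name: ' + e);` inside the map, gives a clear error at the action boundary; `docker_name`, `plan` and `cmdOptions` are interpolated the same way, though that predates this change. Separately, `@actions/core` exposes the multiline reader as `getMultilineInput`; confirm that `core.getMultiline` resolves in the pinned version, since a missing method here is caught by the outer `try` and would show up only as a failed run.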