Add ZAP for dynamic analysis#103

Open
ehaldane-digicatapult wants to merge 6 commits into
mainfrom
feature/add_zap_proxy_scan

Conversation

@ehaldane-digicatapult

@ehaldane-digicatapult ehaldane-digicatapult commented Jun 18, 2026

Contributor

Pull Request

Checklist

  • Have you read Digital Catapult's Code of Conduct?
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • My changes generate no new warnings.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.

PR Type

  • Feature
  • Documentation Update

High level description

This PR is to add a Zed Attack Proxy (ZAP) callee matrix workflow to the collection. ZAP used to be an OWASP project, but the developers ultimately moved over to Checkmarx a few years back. Like PortSwigger's Burp Suite, ZAP is essentially a spider/crawler, fuzzer, proxy server capable of MITM-style attacks or interceptions, and automated scanner all rolled into one. It's most useful in catching exploitable vulnerabilities in web applications.

Example artefacts:

[zap_scan-api](https://github.com/digicatapult/hello-world/actions/runs/27962664441/artifacts/7796383101)
[zap_scan-baseline](https://github.com/digicatapult/hello-world/actions/runs/27962664441/artifacts/7796393718)
[zap_scan-full](https://github.com/digicatapult/hello-world/actions/runs/27962664441/artifacts/7796401387)

Example findings:

```text
WARN-NEW: Missing Anti-clickjacking Header [10020] x 2
	http://localhost:3000/ (200 OK)
	http://localhost:3000 (200 OK)
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 2
	http://localhost:3000/ (200 OK)
	http://localhost:3000 (200 OK)
WARN-NEW: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] x 4
	http://localhost:3000/ (200 OK)
	http://localhost:3000 (200 OK)
	http://localhost:3000/sitemap.xml (404 Not Found)
	http://localhost:3000/robots.txt (404 Not Found)
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 2
	http://localhost:3000/ (200 OK)
	http://localhost:3000 (200 OK)
WARN-NEW: CSP: Failure to Define Directive with No Fallback [10055] x 2
	http://localhost:3000/sitemap.xml (404 Not Found)
	http://localhost:3000/robots.txt (404 Not Found)
WARN-NEW: Permissions Policy Header Not Set [10063] x 4
	http://localhost:3000/ (200 OK)
	http://localhost:3000 (200 OK)
	http://localhost:3000/sitemap.xml (404 Not Found)
	http://localhost:3000/robots.txt (404 Not Found)
WARN-NEW: Cross-Origin-Resource-Policy Header Missing or Invalid [90004] x 6
	http://localhost:3000/ (200 OK)
	http://localhost:3000/ (200 OK)
	http://localhost:3000/ (200 OK)
	http://localhost:3000 (200 OK)
	http://localhost:3000 (200 OK)
FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 7	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 142
```

Linked tickets

ENG-300
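The baseline-scan output quoted in the PR description is the text a CI job ends up having to act on. As an added example that is not part of this PR, of the shared workflow, or of ZAP itself, the Python below parses that layout into findings, flags a finding whose listed URLs do not account for its reported count (as happens for rule 90004 above), applies a rule-id policy to decide whether the job should fail, and renders the tab-separated rule-override file (rule id, action, parenthesised name) that the packaged `zap-baseline.py` / `zap-full-scan.py` scripts read through `-c`. The sample report is constructed here from the findings shown above, and the policy (fail on 10020 and 10038, ignore 90004) is a hypothetical one for illustration.

```python
"""Gate a CI job on the console output of ZAP's packaged baseline/full scans.

Added example; not code from this PR or from ZAP. It assumes the report layout
shown in the PR description: a finding header such as
"WARN-NEW: <name> [<rule id>] x <count>", tab-indented "<url> (<status> <reason>)"
lines beneath it, and a tab-separated summary line at the end.
"""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample, assembled from the findings quoted in the PR description.
# The last finding deliberately lists 5 URLs against a count of 6, as the PR's
# own output does, so the truncation check below has something to catch.
SAMPLE_REPORT = (
    "WARN-NEW: Missing Anti-clickjacking Header [10020] x 2 \n"
    "\thttp://localhost:3000/ (200 OK)\n"
    "\thttp://localhost:3000 (200 OK)\n"
    "WARN-NEW: X-Content-Type-Options Header Missing [10021] x 2 \n"
    "\thttp://localhost:3000/ (200 OK)\n"
    "\thttp://localhost:3000 (200 OK)\n"
    "WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 2 \n"
    "\thttp://localhost:3000/ (200 OK)\n"
    "\thttp://localhost:3000 (200 OK)\n"
    "WARN-NEW: Cross-Origin-Resource-Policy Header Missing or Invalid [90004] x 6 \n"
    "\thttp://localhost:3000/ (200 OK)\n"
    "\thttp://localhost:3000/ (200 OK)\n"
    "\thttp://localhost:3000/ (200 OK)\n"
    "\thttp://localhost:3000 (200 OK)\n"
    "\thttp://localhost:3000 (200 OK)\n"
    "FAIL-NEW: 0\tFAIL-INPROG: 0\tWARN-NEW: 4\tWARN-INPROG: 0\tINFO: 0\tIGNORE: 0\tPASS: 142\n"
)

# Finding header: "<LEVEL>-<STATE>: <name> [<rule id>] x <count>" (trailing blanks tolerated).
FINDING_RE = re.compile(
    r"^(?P<level>[A-Z]+)-(?P<state>NEW|INPROG): (?P<name>.+?) "
    r"\[(?P<rule>\d+)\] x (?P<count>\d+)\s*$"
)
# Evidence line beneath a header: "<TAB><url> (<status> <reason>)".
URL_RE = re.compile(r"^\t(?P<url>\S+) \((?P<status>\d{3}) [^)]*\)\s*$")


@dataclass
class Finding:
    level: str          # FAIL or WARN as rated by ZAP's own rule config
    state: str          # NEW or INPROG
    rule: int           # ZAP passive/active scan rule id, e.g. 10038
    name: str
    count: int          # number of instances ZAP reports
    urls: list = field(default_factory=list)   # (url, http status) pairs listed


def parse_report(text):
    """Turn the console report into Finding objects; URL lines attach to the
    most recent finding header. The summary line and unknown lines are ignored."""
    findings, current = [], None
    for line in text.splitlines():
        header = FINDING_RE.match(line)
        if header:
            current = Finding(header["level"], header["state"], int(header["rule"]),
                              header["name"], int(header["count"]))
            findings.append(current)
            continue
        url = URL_RE.match(line)
        if url and current is not None:
            current.urls.append((url["url"], int(url["status"])))
    return findings


def truncated(finding):
    """True when the listed URLs do not account for the reported instance count,
    i.e. the console report is not the full evidence and the HTML/JSON report
    should be consulted before signing the finding off."""
    return len(finding.urls) != finding.count


def gate(findings, fail_rules, ignore_rules=frozenset()):
    """Return (ok, blocking). A finding blocks when ZAP already rated it FAIL or
    when its rule id is in fail_rules; ids in ignore_rules never block."""
    blocking = [f for f in findings
                if f.rule not in ignore_rules and (f.level == "FAIL" or f.rule in fail_rules)]
    return (not blocking, blocking)


def rules_tsv(fail_rules, ignore_rules):
    """Render the tab-separated rule file (rule id, action, parenthesised name)
    accepted by the packaged scan scripts via -c, so the same policy can be
    enforced by the scan itself. Both arguments map rule id -> rule name; the
    name column is a comment only, and ignore wins over fail for a shared id."""
    rows = [(rid, "FAIL", name) for rid, name in fail_rules.items() if rid not in ignore_rules]
    rows += [(rid, "IGNORE", name) for rid, name in ignore_rules.items()]
    return "".join(f"{rid}\t{action}\t({name})\n" for rid, action, name in sorted(rows))


def main(argv):
    text = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE_REPORT
    findings = parse_report(text)
    # Hypothetical policy: CSP and anti-clickjacking must be fixed before merge;
    # the CORP warning is accepted for now.
    ok, blocking = gate(findings, fail_rules={10020, 10038}, ignore_rules={90004})
    for f in findings:
        flag = " (URL list truncated)" if truncated(f) else ""
        print(f"{f.level}-{f.state} {f.rule} {f.name}: {len(f.urls)}/{f.count} URL(s){flag}")
    for f in blocking:
        print(f"BLOCKING: rule {f.rule} ({f.name})", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path of a captured scan log as the first argument, or with no argument to process the embedded sample; a non-zero exit is what the calling job step should propagate. Prefer pushing the policy into the `-c` rule file where possible, since a FAIL rated by ZAP itself is also reflected in the scan's own exit status rather than only in this post-processing step.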

@ehaldane-digicatapult ehaldane-digicatapult changed the title Add ZAP scan callee Add ZAP scan callees Jun 22, 2026
@ehaldane-digicatapult ehaldane-digicatapult marked this pull request as ready for review June 22, 2026 15:19
@ehaldane-digicatapult ehaldane-digicatapult requested a review from a team as a code owner June 22, 2026 15:19

Copilot AI left a comment


Pull request overview

Adds a reusable GitHub Actions “ZAP Scan” workflow to this shared-workflows repo, plus accompanying documentation and caller examples, so downstream repositories can run OWASP ZAP DAST scans (baseline/full/api/automation framework) via workflow_call.

Changes:

  • Introduces .github/workflows/scan-zap.yml reusable workflow with a scan-type matrix and configurable app start/wait behavior.
  • Documents the new workflow in README.md, including inputs/permissions and a step-by-step description.
  • Adds examples/scan-zap.md with common caller configurations.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| .github/workflows/scan-zap.yml | New reusable workflow to run ZAP scans (matrix-driven) against a target URL / automation plan. |
| README.md | Adds ZAP Scan workflow documentation (inputs, permissions, workflow steps). |
| examples/scan-zap.md | Adds caller examples demonstrating typical configurations for the new workflow. |

@ehaldane-digicatapult ehaldane-digicatapult changed the title Add ZAP scan callees Add ZAP for dynamic analysis Jun 22, 2026