Add OWASP ZAP baseline scan workflow

[murderteeth]

Summary

Adds a GitHub Actions workflow that runs an OWASP ZAP baseline scan against the site. ZAP is an open-source web security scanner maintained by OWASP — the baseline scan passively crawls the target and checks for common security issues like missing headers (CSP, clickjacking, HSTS), insecure cookies, information leaks, mixed content, and other OWASP Top 10 surface-level findings. Running it regularly helps catch security regressions before they hit production, without needing a full pentest.

Runs weekly on Monday mornings and can be triggered manually via workflow_dispatch. Includes .gitignore entries for local scan artifacts and a README section on running the scan locally with act.

How to review

• zap-baseline.yml is the whole workflow — 26 lines
• .gitignore and README.md changes are supporting housekeeping

Test plan

• Ran locally via act workflow_dispatch — scan completed with 57 passes, 10 info-level warnings, 0 failures

Risk / impact

None — passive scan only, no effect on existing CI or deployments.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
yearnfi	Ready	Preview, Comment	Mar 30, 2026 3:35am

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA c86c989.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/zap-baseline.yml

Package	Version	License	Issue Type
actions/upload-artifact	4.*.*	Null	Unknown License

Allowed Licenses:

MIT, Apache-2.0, BSD-3-Clause, BSD-2-Clause, ISC, CC0-1.0, CC-BY-3.0, CC-BY-4.0, Unlicense

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/upload-artifact	4.*.*	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/zaproxy/action-baseline	0.14.0	🟢 5.5	Details Check Score Reason Maintained 🟢 10 14 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Fuzzing ⚠️ 0 project is not fuzzed Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/zap-baseline.yml