OWASP-ZAP: Take job artifacts and upload to security tab #1654

Open
asteel-gsa opened this issue Jul 31, 2023 · 1 comment
asteel-gsa commented Jul 31, 2023

ZAP scans, since using the GitHub Action, now generate artifacts in HTML, MD and JSON formats. Attempting to follow ZAP Automation, specifically the automation framework and the Reports add-on that handles SARIF formatting, I have been unable to get the .sarif necessary to upload to the Security tab. Sending this piece into the backlog, as we have three different reports now that detail ZAP scans.

```sh
# Local invocation tried: update installed add-ons, install the reports add-on,
# then run the automation plan headlessly (-cmd) from zap.yaml
./zap.sh -addonupdate \
    -addoninstall reports \
    -cmd -autorun zap.yaml
```

```yaml
# Workflow steps tried (left commented out in the workflow file)
      # - name: Run OWASP-ZAP
      #   run: docker run -v $(pwd):/zap/wrk/:rw --user root -t owasp/zap2docker-stable zap-baseline.py -t https://fac-dev.app.cloud.gov/ -c zap.conf zap.sh -cmd -addonupdate; zap.sh -addonupdate -addoninstall reports -cmd -autorun ./zap.yaml -I
      #   # note: everything between `zap-baseline.py` and the `;` is passed as extra
      #   # arguments to zap-baseline.py, and the `;` terminates the `docker run`
      #   # command, so the second `zap.sh ...` invocation runs on the runner host,
      #   # not inside the container

      # - name: Upload ZAP scan results to GitHub Security tab
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     sarif_file: '/zap/wrk/zap-report.sarif'
      #     # note: /zap/wrk is the container-side path of the mount; on the runner
      #     # the same directory is $(pwd)
```

```yaml
# zap.yaml: the report job entry (one element of the top-level `jobs:` list
# of an automation plan; the plan also needs an `env:` section with contexts)
  - type: report
    parameters:
      template: sarif-json        # reports add-on template that writes SARIF
      reportDir: /zap/wrk/        # container-side path of the mounted workspace
      reportFile: zap-report.sarif
      reportTitle: Zap Scan
      displayReport: true
    risks:
      - high
      - medium
      - low
      - info
    confidences:
      - high
      - medium
      - low
      - falsepositive
    sections: all
    sites:
      - https://fac-dev.app.cloud.gov
      - https://fac-staging.app.cloud.gov
      - https://app.fac.gov
```
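A complete version of the pipeline the issue is after, as an added example that is not code from this repository or from the ZAP project: a GitHub Actions job that runs a ZAP automation plan inside the Docker image, has the reports add-on write a SARIF report into the mounted workspace, and uploads that file with `upload-sarif`. The workflow name and triggers, the `fac-dev` context name, the `spider` and `passiveScan-wait` jobs and their time limits, the rename step, the final `zap-report.sarif` file name and the `category` value are all assumptions; the image is `ghcr.io/zaproxy/zaproxy:stable`, where the `owasp/zap2docker-*` images were moved. The reports add-on appends the template's own extension to `reportFile`, so the example lists the directory and renames whatever it produced rather than hardcoding the extension.

```yaml
# ---- file: .github/workflows/zap-sarif.yml (added example; names are assumptions) ----
name: ZAP scan to Security tab

on:
  schedule:
    - cron: "0 6 * * 1"        # weekly; assumption
  workflow_dispatch:

permissions:
  contents: read
  security-events: write       # upload-sarif cannot write code-scanning alerts without this

jobs:
  zap:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Run the plan headlessly. /zap/wrk is the working directory the image expects;
      # mounting the workspace there makes the report visible to later steps.
      # --user root only so ZAP can write into the mount; nothing else needs root.
      - name: Run ZAP automation plan
        run: |
          docker run --rm -v "$PWD:/zap/wrk:rw" --user root \
            ghcr.io/zaproxy/zaproxy:stable \
            zap.sh -addonupdate -addoninstall reports \
            -cmd -autorun /zap/wrk/zap.yaml

      # Show what the reports add-on actually wrote, then give it a fixed name.
      # The directory is owned by the runner user, so renaming a root-owned file works.
      - name: Collect SARIF report
        run: |
          ls -la "$PWD"
          src=$(find "$PWD" -maxdepth 1 -name 'zap-report*' | head -n 1)
          test -n "$src" || { echo "no report produced"; exit 1; }
          mv "$src" "$PWD/zap-report.sarif"

      - name: Upload ZAP SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: zap-report.sarif
          category: owasp-zap    # keeps ZAP alerts separate from other SARIF uploads

# ---- file: zap.yaml (added example; context name and job set are assumptions) ----
env:
  contexts:
    - name: fac-dev
      urls:
        - https://fac-dev.app.cloud.gov
  parameters:
    failOnError: true          # a failed job aborts the plan, so no half-empty report is uploaded
    progressToStdout: true     # plan progress shows up in the Actions log

jobs:
  - type: spider
    parameters:
      context: fac-dev
      maxDuration: 5           # minutes; keeps the CI job bounded
  - type: passiveScan-wait
    parameters:
      maxDuration: 5           # minutes; wait for the passive scan queue to drain
  - type: report
    parameters:
      template: sarif-json     # reports add-on template that emits SARIF
      reportDir: /zap/wrk      # container-side path of the mounted workspace
      reportFile: zap-report   # extension is appended by the template
      reportTitle: ZAP scan of fac-dev
      displayReport: false     # no browser inside the container
    risks:
      - high
      - medium
      - low                    # `info` omitted: it floods the Security tab with noise
    confidences:
      - high
      - medium
      - low
    sites:
      - https://fac-dev.app.cloud.gov
```

Run it once with `workflow_dispatch` and read the `ls -la` output before trusting the upload step: if the file name the add-on wrote does not start with `zap-report`, adjust the `find` pattern, not the `sarif_file` input. Scanning the staging and production hosts from the same plan is a matter of adding their URLs to a context and to the report job's `sites` list, as the issue's own fragment does.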