bench: add petclinic conventional dast baseline

.github/workflows/zap-api-scan.yml

@@ -0,0 +1,63 @@
+name: OWASP ZAP API Scan
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  zap-api-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Build application
+        run: ./mvnw -B -DskipTests package
+
+      - name: Start Petclinic API
+        run: |
+          nohup java -jar target/*.jar > petclinic.log 2>&1 &
+
+      - name: Wait for API availability
+        run: |
+          timeout=90
+          until curl -fsS http://localhost:9966/petclinic/actuator/health > /dev/null; do
+            echo "Waiting for Petclinic API..."
+            sleep 2
+            timeout=$((timeout - 2))
+            if [ "$timeout" -le 0 ]; then
+              echo "Petclinic API did not become ready in time."
+              echo "Application log follows:"
+              cat petclinic.log || true
+              exit 1
+            fi
+          done
+          curl -fsS http://localhost:9966/petclinic/v3/api-docs > /dev/null
+
+      - name: Run OWASP ZAP API Scan
+        uses: zaproxy/action-api-scan@v0.10.0
+        with:
+          target: 'http://localhost:9966/petclinic/v3/api-docs'
+          format: openapi
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          cmd_options: '-a'
+          allow_issue_writing: false
+          fail_action: false
+          artifact_name: 'petclinic-t5-zap-api-scan'
+
+      - name: Upload Petclinic log
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: petclinic-t5-app-log
+          path: petclinic.log