This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

CircleCI false-negative on ZAP baseline checks #5383

Open
serain opened this issue May 9, 2019 · 0 comments
serain commented May 9, 2019

The .zap-baseline.conf ZAP configuration file is using some spaces in lieu of tabs. ZAP can only parse config files using tabs to separate columns. Parsing this configuration file will fail with an exit code of 3.

The CircleCI config will return 0 for any code other than 1:

      - run:
          # run zap baseline against the server
          # Only fail on error code 1, which indicates at least one FAIL was found.
          # error codes 2 & 3 indicate WARN or other, and should not break the run
          name: Run OWASP ZAP Baseline
          shell: /bin/bash
          command: |
            docker pull owasp/zap2docker-weekly
            (
              ip="$(ip -f inet -o addr show docker0 | awk '{print $4}' | cut -d '/' -f 1)" &&
              docker run -t owasp/zap2docker-weekly zap-baseline.py \
                  -t http://${ip}:10080 \
                  -u https://raw.githubusercontent.com/mozilla-services/screenshots/master/.zap-baseline.conf;
              if [ $? -ne 1 ]; then exit 0; else exit 1; fi;
            )

I suspect the CircleCI pipeline is failing silently on the ZAP check.
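The mapping the issue describes (exit 1 fails the build, every other code passes, so a conf that ZAP cannot parse and exit code 3 look like a clean scan) can be made explicit. The script below is an added example, not code from the screenshots repository or its CircleCI config: it fails the step on both 1 and 3, and lints the baseline conf for tab separators before the scan runs. Rule ids and names in the sample confs are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the mozilla-services/screenshots repo or its
# CircleCI config: treat a ZAP baseline run that never completed as a CI
# failure, and lint the conf for the tab separators ZAP requires.

# zap-baseline.py exit codes: 0 pass, 1 at least one FAIL, 2 WARN only,
# 3 ZAP itself failed (e.g. it could not parse the conf). The issue's
# `if [ $? -ne 1 ]; then exit 0` turns 3 into a green build.
# Returns 0 if CI should pass, 1 if it should fail.
zap_outcome() {
  case "$1" in
    0) echo "pass: no FAIL or WARN"; return 0 ;;
    1) echo "fail: at least one FAIL rule triggered"; return 1 ;;
    2) echo "pass: WARN only"; return 0 ;;
    *) echo "fail: zap-baseline did not complete (exit $1)"; return 1 ;;
  esac
}

# Run the scan command given as arguments and map its exit code, so the
# CI step becomes `run_baseline_step docker run ... zap-baseline.py ...`.
run_baseline_step() {
  local rc=0
  "$@" || rc=$?
  zap_outcome "$rc"
}

# Lint a baseline conf: each rule line must be <id><TAB><ACTION><TAB>name.
# Prints rule lines that use spaces instead; returns 1 if any were found.
conf_uses_tabs() {
  local tab bad
  tab=$(printf '\t')
  bad=$(grep -vE '^(#|$)' "$1" | grep -vE "^[0-9]+${tab}[A-Z]+(${tab}|$)" || true)
  if [ -n "$bad" ]; then
    printf 'space-separated rule lines in %s:\n%s\n' "$1" "$bad"
    return 1
  fi
}

# Constructed sample confs (illustrative ids/names, not the project's file).
good_conf=$(mktemp)
printf '# id\taction\tname\n10010\tIGNORE\t(Cookie No HttpOnly Flag)\n10021\tFAIL\t(X-Content-Type-Options Missing)\n' > "$good_conf"
bad_conf=$(mktemp)
printf '10010    IGNORE    (Cookie No HttpOnly Flag)\n10021\tFAIL\t(X-Content-Type-Options Missing)\n' > "$bad_conf"

# Stand-alone demo: lint both samples, then show how each exit code maps.
conf_uses_tabs "$good_conf" && echo "good conf: ok"
conf_uses_tabs "$bad_conf" || echo "bad conf: rejected"
for rc in 0 1 2 3; do run_baseline_step sh -c "exit $rc" || true; done
```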
