2021 ZAP Automation in CI/CD
0 likes455 views
The document discusses the ZAP (Zed Attack Proxy), a widely used open-source tool for identifying vulnerabilities in web applications, aimed at developers, testers, and security professionals. It outlines various automation options for integrating ZAP into CI/CD processes, such as through command line, Jenkins, GitHub Actions, and a new automation framework work in progress. Key components of the automation process and configuration are also highlighted to facilitate setting up ZAP for effective security testing.
2021 ZAP Automation in CI/CD
- 1. ZAP Automation in CI/CD Simon Bennetts ZAP Project Lead StackHawk Inc 2021 February 9
- 2. This Talk ● ZAP Overview ● Automation Options ● The Automation Process ● ZAP Configuration ● Automation Framework WIP
- 3. What is ZAP? ● A tool for finding vulnerabilities in web applications ● An OWASP Flagship Project ● Free and Open Source ● Cross platform ● Well maintained ● Probably the worlds most frequently used web scanner!
- 4. Who is ZAP For? ● Developers and functional testers (QA) ● Students ● Security Professionals
- 5. ZAPCon! March 9 2021 https://zapcon.io
- 6. Automation Options ● Command Line ● Jenkins Plugin ● Packaged Scans ● Github Actions ● Daemon + API
- 7. Command Line Quick Scan ● ./zap.sh -quickurl http://localhost:8080/bodgeit/ -quickprogress -cmd
- 8. Jenkins Plugin – no longer supported :(
- 9. Packaged Scans ● https://www.zaproxy.org/docs/docker/ ● Baseline Scan ● Full Scan ● API Scan ● Scan hooks
- 12. Automation Process ● What tests do you want to run? ● Test locally - manually first! ● Test locally - automated next ● Where should the results go to? ● Authentication is a pain!
- 13. ZAP Configuration ● Default directory – config.xml – contexts/ – policies/ – scripts/ – plugin/
- 14. New ZAP Automation Framework WIP! env: contexts: - name: bodgeit url: http://localhost:8080/bodgeit/ # The top level url includePaths: # An optional list of regexes to include excludePaths: # An optional list of regexes to exclude - 'http://localhost:8080/bodgeit/logout' authentication: # TBA - in time to cover all auth configs parameters: failOnError: true failOnWarning: false progressToStdout: true
- 15. New ZAP Automation Framework WIP! jobs: - type: addOns # Any non standard add-ons to install parameters: updateAddOns: false # Default: true install: - type: passiveScan-config # The passive scanner jobs parameters: maxAlertsPerRule: 10 # Int: Maximum number of alerts to raise per rule rules: # Can be used to override default settings - id: 2 desc: Private IP Disclosure # Not used - just for documentation threshold: high
- 16. New ZAP Automation Framework WIP! - type: spider # The traditional spider parameters: warnIfFoundUrlsLessThan: 50 failIfFoundUrlsLessThan: 20 maxDuration: 2 # - type: activeScan # The active scanner rules: # Can be used to override default settings - id: 0 desc: Directory Browsing # Not used - just for documentation strength: high risk: high # Will create an alert filter to change the risk