How to set threshold to fail the build in Gitlab CI/CD Pipeline


Gopal Jee

Jun 1, 2022, 7:55:23 AM6/1/22
to OWASP ZAP Developer Group
Hi ,

I have integrated ZAP in the GitLab CI/CD pipeline and it's scanning the target URL.
Now I'm getting 3 WARNs!

I want to fail the build if there is any single WARN in the scan result.

Please help me with how to set the threshold to fail the build in the GitLab CI/CD pipeline based on the ZAP full scan result.

regards
Gopal

psiinon

Jun 1, 2022, 8:12:43 AM6/1/22
to OWASP ZAP Developer Group
Hi Gopal,

How you get the Gitlab pipeline to fail is a Gitlab issue - presumably their docs should cover this?

Cheers,

Simon

Gopal Jee

Jun 1, 2022, 11:10:52 AM6/1/22
to OWASP ZAP Developer Group
Hi Simon,

Thank you for your quick response!

So in zap-full-scan.py, do I need to enable the exit code conditions and set the threshold?
Also, do I need to push this file into the Docker image once it gets modified?

I'm very new to CI/CD automation, so I'm asking these basic questions.

@Group Members, if someone has done this, please help.

regards
Gopal

psiinon

Jun 1, 2022, 12:22:24 PM6/1/22
to OWASP ZAP Developer Group
Hi Gopal,

Well, the scan will always set the exit code, so you don't need to enable that.
You will need to make the file available either in your docker image or via a URL it has access to.

We have set the baseline and full packaged scans to run against zaproxy.org. And documented it of course :)
See:

Gopal Jee

Jun 1, 2022, 1:58:27 PM6/1/22
to zaproxy...@googlegroups.com
Hi Simon,

This is how I'm doing it; with this I'm getting some FAILs, which I have configured in "Custom_rules.conf".

Now I want to fail this job as there are alerts. For that, I suppose I need to add "fail_action", which I'm not getting how to add! If you see any correction in the script, please help.


Build-DAST-Analysis:
  image: owasp/zap2docker-stable:latest
  stage: Build-DAST-Analysis
  before_script:
  - mkdir /zap/wrk/
  - pwd
  - cp Custom_rules.conf /zap/wrk/
  script:
  # "|| true" discards the scan's exit status, so the job cannot fail on alerts
  - "/zap/zap-full-scan.py -r zap_report.html -t $Target_URL -c Custom_rules.conf || true"
  - cp /zap/wrk/zap_report.html .
  artifacts:
    paths:
    - zap_report.html
  tags:
  - Docker

regards
Gopal



--
Thanks & Regards
-----------------------------
Gopal Jee Mishra
Information Security Specialist
C|EHv7, PGD(Information Security), B.E(IT)
Skype: gopaljeemishra, tweets@ gopaljeemishra

kingthorin+owaspzap

Jun 1, 2022, 2:35:54 PM6/1/22
to OWASP ZAP Developer Group
"fail_action" has nothing to do with ZAP; that's a GitLab condition, you'd have to follow up with support or their docs.

Gopal Jee

Jun 1, 2022, 2:58:02 PM6/1/22
to zaproxy...@googlegroups.com
Hi,
I'm not getting it: when I have alerts in the ZAP full scan result, what do I have to include to fail the build?

Looks like something basic I'm missing. If you can help with my code, that will be great.

Thanks
Gopal


kingthorin+owaspzap

Jun 1, 2022, 4:20:43 PM6/1/22
to OWASP ZAP Developer Group
ZAP is not a build system. How/when you fail your build is on the build system, not on ZAP.

ZAP provides exit codes, as already outlined/discussed; how your build responds to those is outside ZAP's control.
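The exit-code gate the replies describe, written out as an added example (not the thread's or ZAP's own code): a POSIX sh function that runs the scan command it is given, keeps the exit status instead of discarding it with "|| true", and fails the job on any WARN or FAIL. The 0/1/2/3 meanings are the ones documented for the packaged ZAP scans; the function name zap_gate and the warn/fail threshold names are assumptions.

```shell
#!/bin/sh
# Added example: gate a CI job on the exit status of zap-full-scan.py.
# Documented exit codes of the packaged ZAP scans:
#   0 = no WARN or FAIL alerts
#   1 = at least one FAIL
#   2 = at least one WARN and no FAILs
#   3 = any other failure (target unreachable, bad options, ...)
#
# Usage: zap_gate <warn|fail> <scan command...>
#   warn : fail the job on any WARN or FAIL (what the original poster asked for)
#   fail : fail the job only on FAIL
# A scan that did not complete (3) always fails, so a broken scan never passes.
zap_gate() {
    threshold="$1"; shift

    # Remember whether errexit was on, suspend it while the scan runs so the
    # status can be inspected, then restore it.
    case $- in *e*) had_errexit=1 ;; *) had_errexit=0 ;; esac
    set +e
    "$@"
    rc=$?
    [ "$had_errexit" -eq 1 ] && set -e

    case "$rc" in
        0) echo "ZAP: no WARN or FAIL alerts"; return 0 ;;
        1) echo "ZAP: at least one FAIL alert"; return 1 ;;
        2) echo "ZAP: at least one WARN alert"
           if [ "$threshold" = "warn" ]; then return 1; fi
           return 0 ;;
        *) echo "ZAP: scan did not complete (exit $rc)"; return 1 ;;
    esac
}

# In the GitLab job from this thread, replace the "|| true" line with:
#   - zap_gate warn /zap/zap-full-scan.py -r zap_report.html -t "$Target_URL" -c Custom_rules.conf
# (after defining or sourcing zap_gate in the script section).
```

Because a failing gate stops the script, move the report copy into after_script or mark the artifact with "when: always" so zap_report.html is still collected on a failed job.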