Gitlab CI implementation


flocurity

May 22, 2018, 8:56:53 AM
to OWASP ZAP Developer Group
Hi @devs,

Long time no see. I'm currently working on a Gitlab-CI implementation of ZAP. My goal is to have something like the .yml file attached to launch ZAP in a pipeline, and make this open source - with your validation.
It'll be like the Jenkins plugin, with multiple options, but for Gitlab CI.

I've been using zap-cli, but it lacks many features which I found mandatory: authentication (forced to load a session with authentication already set), logged in/out indicators, start active scan with an exported policy and many more...
My script looks like a mix of zap-cli and a lot of API calls (with curl) to implement what's missing, and even some python snippets for some regexes: it has become ugly and not maintainable. I can't stand my code anymore.
Then I found the Python API, which is complete (thanks to automatic generation!). Is this Python implementation still maintained, and will it be? Or is there some better implementation I could work with?

Thanks for your reading,

Cheers,

F.
.gitlab-ci.sample.yml

psiinon

May 22, 2018, 9:35:29 AM
to OWASP ZAP Developer Group
Hiya,

Yes, the python API is officially maintained by us (as is the java api), now and in the future.
I tend to use the python API whenever I need to automate ZAP, so I think it's one of the best options :)

Cheers,

Simon

flocurity

May 22, 2018, 10:11:52 AM
to OWASP ZAP Developer Group
Thanks Simon, that's what I thought, I'll use that one :)

Cheers,

F.

psiinon

May 22, 2018, 10:14:06 AM
to OWASP ZAP Developer Group
Np.
Oh, and btw - really like the idea of Gitlab-CI -> ZAP integration :)
Let us know if you have any problems implementing it and we'll do our best to help you.

Cheers,

Simon

kingthorin+owaspzap

May 22, 2018, 9:54:25 PM
to OWASP ZAP Developer Group

flocurity

May 23, 2018, 8:06:44 AM
to OWASP ZAP Developer Group
@kingthorin
Yep, Gitlab says you can use zap-baseline.py, but it lacks some features (compared to the jenkins plugin and to my needs), like the ability to load a session (previously saved on a local computer, or from selenium/robotframework: better than just spidering IMHO), or use a specific policy.

My company needs those features as almost every project uses ZAP this way with Jenkins, and we are migrating - slowly - to GitlabCI. Plus, everything has to be as simple as possible (no need to write some bash or python for project owners, just set some variables). If you look at the example attached to the first post, only the variables will have to change between one project and another.

IMHO, I really think my script should be a replacement for the Jenkins plugin (+ other features?), as customizable as possible, not just another ZAP wrapper. I hope I'm on the right track :)

@psiinon
I'll ask here if I need extra information, thanks :)

Cheers,

F.

kingthorin+owaspzap

May 23, 2018, 11:50:50 AM
to OWASP ZAP Developer Group
Ok cool, now I have a better understanding of what you're building.

SebA

May 11, 2021, 2:58:47 PM
to OWASP ZAP Developer Group
Hi Flocurity,

Did you ever develop this? Your plan sounded good...

Cheers,

SebA