ZAP Automation through jenkins


Steve132

Nov 25, 2019, 8:48:08 PM
to ZAP Jenkins Plugin
Hi All,

I am automating ZAP dynamic scanning through the build pipeline. I have a SPA application and an API running on different domains in the backend. I want to automate dynamic scanning for this requirement.

What is the best way to do it?
1) Scan the frontend and APIs separately, or
2) Capture the API requests through the frontend and scan it all in one go?

Please advise.

Peter Hauschulz

Nov 26, 2019, 4:03:03 AM
to ZAP Jenkins Plugin
The 'best' way to do it depends on what you are looking for! 

How often are these scans going to be run? 
How often is the API built and updated with the same frontend, and vice versa?


My first instinct is to do all of it at once, but the scans may be prohibitively long depending on what kind of release schedule you are trying to support!

Steve132

Nov 26, 2019, 8:21:43 PM
to ZAP Jenkins Plugin
Hi Peter,

Thanks for the quick reply.

We have multiple development teams developing microservices for our application, and we need to scan these APIs on a regular basis.

I think breaking up the scans and scanning the different layers might help me.

I was looking to implement authenticated API scans through the ZAP Jenkins plugin.

Could you please help me with the command to override the host for OpenAPI?

Regards,
Steve

Peter Hauschulz

Nov 27, 2019, 2:27:42 AM
to ZAP Jenkins Plugin
Hmm, I'm not sure how much I can help there. 

I don't use the Jenkins plugin anymore... it's a handy quick tool, but not very flexible, and it sounds like your specific case might require more fine tuning than it offers. 

What I do is use Jenkins to start a ZAP daemon via a shell command, and then issue commands to the waiting ZAP API. 

Not sure if that helps!
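The daemon-plus-API approach described above, written out as an added example (not code from this thread or from the ZAP project) that a Jenkins `sh` step could call; it also covers the OpenAPI host override asked about earlier. It assumes `zap.sh` and `curl` on PATH, `ZAP_OPENAPI_URL` and `ZAP_TARGET` provided by the job, and uses placeholder hosts throughout.

```shell
# Added example, not from this thread or the ZAP project: start a ZAP daemon from a
# Jenkins 'sh' step, then drive the scan through its REST API. Assumes zap.sh and
# curl on PATH and ZAP_OPENAPI_URL / ZAP_TARGET set by the job; hosts are placeholders.
set -eu
ZAP_HOST="${ZAP_HOST:-127.0.0.1}"
ZAP_PORT="${ZAP_PORT:-8090}"
ZAP_API_KEY="${ZAP_API_KEY:-change-me}"   # inject from Jenkins credentials in real use

# ZAP API URL layout: http://host:port/<format>/<component>/<type>/<name>/
zap_endpoint() {   # args: format component type name
  printf 'http://%s:%s/%s/%s/%s/%s/' "$ZAP_HOST" "$ZAP_PORT" "$1" "$2" "$3" "$4"
}

# Call one endpoint; trailing key=value args are URL-encoded by curl.
zap_call() {       # args: format component type name [key=value ...]
  _url=$(zap_endpoint "$1" "$2" "$3" "$4"); shift 4
  for kv in "$@"; do set -- "$@" --data-urlencode "$kv"; shift; done
  curl -sS --fail --get --data-urlencode "apikey=$ZAP_API_KEY" "$@" "$_url"
}

# Pull one numeric field (e.g. {"status":"42"}) out of ZAP's JSON without jq.
json_num() { grep -o "\"$1\":\"[0-9]*\"" | grep -o '[0-9]*' | head -n 1; }

wait_for_zap() {   # poll core/view/version until the daemon answers (arg: max tries)
  for _ in $(seq 1 "${1:-60}"); do
    zap_call JSON core view version >/dev/null 2>&1 && return 0; sleep 2
  done
  echo "ZAP did not start" >&2; return 1
}

run_api_scan() {   # args: openapi-spec-url  base-url-of-environment-under-test
  zap.sh -daemon -host "$ZAP_HOST" -port "$ZAP_PORT" -config "api.key=$ZAP_API_KEY" &
  wait_for_zap
  # hostOverride re-points the spec's server at the environment under test
  zap_call JSON openapi action importUrl "url=$1" "hostOverride=$2" >/dev/null
  _id=$(zap_call JSON ascan action scan "url=$2" "recurse=true" | json_num scan)
  _pct=0
  while [ "$_pct" -lt 100 ]; do
    sleep 5
    _pct=$(zap_call JSON ascan view status "scanId=$_id" | json_num status)
    echo "active scan $_id: $_pct%"
  done
  zap_call OTHER core other htmlreport > zap-report.html   # archive as a Jenkins artifact
  zap_call JSON core view numberOfAlerts "baseurl=$2" | json_num numberOfAlerts
  zap_call JSON core action shutdown >/dev/null
}
# Run only when the job supplies inputs, so sourcing the file has no side effects.
if [ -n "${ZAP_OPENAPI_URL:-}" ] && [ -n "${ZAP_TARGET:-}" ]; then
  run_api_scan "$ZAP_OPENAPI_URL" "$ZAP_TARGET"
fi
```

The alert count printed at the end is what a pipeline would compare against a threshold to fail the build.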

Steve132

Nov 27, 2019, 6:44:35 PM
to ZAP Jenkins Plugin
Hi Peter,

That's true, the Jenkins plugin is not flexible for running the scans; I think I have to use the ZAP API. Do you have documentation on how you have used it?

Thanks,
Steve

Simon Bennetts

Nov 28, 2019, 4:19:34 AM
to ZAP Jenkins Plugin
They do all of the standard things, and can be extended via hooks: https://github.com/zaproxy/zaproxy/blob/develop/docker/docs/scan-hooks.md