Hey guys,
I am working on a PoC of the ZAP CLI API scanner that I want to integrate into the pipeline.
My idea is to have a Swagger file that will be the source of the endpoints that should be tested, and a zap.yaml config used to set some kind of rules for testing. The scan should perform authenticated API endpoint tests.
Right now I am facing some issues, and I was not able to find proper docs/tutorials on how to set this up.
This is my folder structure:
├── README.md
├── swagger.yaml
└── zap.yaml
swagger.yaml is copied from my web app.
zap.yaml should be configured to load the swagger file and specify some hardcoded access tokens and cookies that are used for authentication. It should also be configured to test only the contacts endpoints as they are the most basic ones for this PoC.
The command that I am using to run the scan is:
docker run -v $(pwd):/zap/wrk/:rw -t softwaresecurityproject/zap-stable zap-api-scan.py -t swagger.yaml -f openapi -c zap.yaml -z -r report.html
After running this command from the root of the folder mentioned above, I am getting the following error message:
Failed to load config file /zap/wrk/zap.yaml Unexpected number of tokens on line - there should be at least 3, tab separated: openapi:
It indicates that YAML is not well structured.
I have tried multiple ways of formatting the YAML of both files, but the error is still the same.
I have also tried to create more simple YAMLs, which again resulted in the same error.
Do you have any suggestions on how to fix this? Or some docs on how to implement more complicated scans like the one I would like to perform? (I was not able to find any detailed docs on this topic.)
Thanks in advance!
The content of zap.yaml is in the attachment
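Added example from the editor, not part of the original post: the quoted error ("there should be at least 3, tab separated") is what the packaged zap-api-scan.py script prints when a line of the file given with -c does not split into at least three tab-separated fields. That option takes a rule-action file (one line per rule: rule id, WARN/IGNORE/FAIL, name, separated by tabs, with "#" comment lines), not a YAML document; the OpenAPI definition is only consumed through -t. The POSIX shell function below checks a candidate rules file against that format before it is mounted into the container, using two constructed inputs. The scratch directory, the file names and the helper name are assumptions; rule ids 10021 and 10010 are existing ZAP passive-scan rule ids used only as sample values.

```shell
#!/bin/sh
# Added example (not from the original post): validate a zap-api-scan.py
# "-c" rules file before running the scan. The packaged scan scripts expect
# one rule per line, tab separated:
#     <rule id><TAB><WARN|IGNORE|FAIL><TAB><name>
# Lines beginning with "#" are comments. A YAML file such as one starting with
# "openapi:" contains no tabs, so its first line has one field and the script
# reports "there should be at least 3, tab separated".

# check_zap_rules_file FILE
# Returns 0 when every non-comment, non-blank line has at least three
# tab-separated fields and a valid action in field 2; otherwise prints the
# first offending line (the same line the scan script would choke on) and
# returns 1.
check_zap_rules_file() {
  awk -F '\t' '
    /^[[:space:]]*(#|$)/ { next }   # skip comment and blank lines
    NF < 3 {
      printf "line %d: %d field(s), need at least 3 tab separated: %s\n", NR, NF, $0
      bad = 1; exit
    }
    $2 !~ /^(WARN|IGNORE|FAIL)$/ {
      printf "line %d: action must be WARN, IGNORE or FAIL: %s\n", NR, $0
      bad = 1; exit
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Constructed inputs (assumed scratch directory): one file in the expected
# rules format, and one OpenAPI document that mimics passing swagger-style
# YAML with -c.
ZAP_EXAMPLE_DIR="$(mktemp -d)"
printf '# rule id\taction\tname\n10021\tFAIL\tX-Content-Type-Options Header Missing\n10010\tWARN\tCookie No HttpOnly Flag\n' \
  > "$ZAP_EXAMPLE_DIR/rules.tsv"
printf 'openapi: 3.0.0\ninfo:\n  title: contacts api\n' \
  > "$ZAP_EXAMPLE_DIR/not-a-rules-file.yaml"

# Stand-alone demonstration: the rules file passes, the YAML file is rejected
# on its first line.
check_zap_rules_file "$ZAP_EXAMPLE_DIR/rules.tsv" && echo "rules.tsv: ok"
check_zap_rules_file "$ZAP_EXAMPLE_DIR/not-a-rules-file.yaml" || echo "not-a-rules-file.yaml: rejected"
```

In practice the easiest starting point is to let the script write the file for you: `zap-api-scan.py -g rules.tsv` generates a file in this format with every rule set to WARN, which can be edited (for example, FAIL on the rules that must block the pipeline) and passed back with `-c rules.tsv` from the mounted /zap/wrk directory. Separately, `-z` expects a value (extra ZAP command-line options), so in a command line like the one above `-r` ends up being consumed as that value; either drop `-z` or place `-r report.html` before it.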