Automated ZAP scan with Jenkins/IntelliJ

[Stephen Rugh]

Hey guys! I've just started researching security tools and stumbled upon ZAP via the OWASP website. The UI has been great so far, and I've tested the app successfully against one of my own web projects, however I was wondering if there was a way to automate testing through a Jenkins build process. Basically, I need to be able to run ZAP through command line options, and the help files in the ZAP app don't really list the options available. Thoughts/advice? Thanks!

[Simon Bennetts]

Hi Stephen,

Oh yes - some of us are actively working in this area, including myself - this is exactly how we're using ZAP in Mozilla.
Theres some info on the wiki: http://code.google.com/p/zaproxy/wiki/SecRegTests but its not as up to date as it should be ;)
Basically you can:

• Start ZAP in daemon mode (no UI)
  
• Proxy any functional tests you have through it
• Run the spider using the REST API to cover things your tests dont cover
• Run the active scanner
• Retrieve any alerts, and then fail the build (if relevant)
  

You can access the REST API either directly or via the Java or Python clients.
And if you'd like a client in another language and can help with it then we can work on that.

Theres still lots to do in this are (especially documentation;) but its a high priority for us (especially me).
As this is a bit bleeding edge we tend to discuss it in the developer group, but happy to discuss it here as well.

Hows that sound?

Cheers,

Simon

[Stephen Rugh]

Actually, ZAP sounds like the exact tool I am looking for. I'm currently working on getting the ant script to execute properly through intellij. Seems to be missing some dependencies or something. As for running the spider/scanner via command line, what do you need to do? I'll keep working on getting the bodgeit to work through Intellij and will post my findings here.