OWASP ZAP CI/CD Docker/Manual Build Advice

[ro da]

The decision has been made to incorporate OWASP ZAP into our CI/CD pipeline. I have read a lot on docker images that are commonly used in CI/CD pipelines but unfortunately we dont use docker in this development area. I additionally read that only the docker image comes with that fancy Python script that can also look for API vulnerabilities that would be of a great benefit to us. I currently use LXC and have it pretty much streamlined to what I want for testing but have run into a roadblock on the best way to compile OWASP ZAP that has all the wonderful functionality under the sun. Can anyone shed some light on my situation? Thank you in advanced.

Respectfully

Rolo

[Simon Bennetts]

Hi Rolo,

Docker is a convenient way to package ZAP, but it is definitely not required to use ZAP.

You can install ZAP in any way you want and drive the API directly.

The API scanning script is: https://github.com/zaproxy/zaproxy/blob/develop/docker/zap-api-scan.py

The docker specific parts are pretty much all before line 330

The real functionality is all after that line and is not dependant on docker, so you can just delete the docker specific parts and use the rest of the script with ZAP not running in docker.

Let us know if you have any problems or questions.

Cheers,

Simon

[ro da]

Simmon as always, thank you for your guidance.

Is it safe to say that I could just essentially:

1. Pick a Linux distro (Debian)
2. Add the ZAP repo for it:  https://software.opensuse.org/download.html?project=home%3Acabelo&package=owasp-zap
   
3. Install ZAP
4. Pull down API Python script from:https://github.com/zaproxy/zaproxy/blob/develop/docker/zap-api-scan.py
5. Run updates for the OWASP ZAP and Plugins --> (How can I do this via the CLI or API?)
   
6. Run passive-non-intrusive/active scans via the cli or API --> (Is there an API call that will do what the zap-api-scan.py script will do and therefor inst needed?)
   
7. Report findings to Jira via Jenkins plugins
   

IRespectfully

Rolo

[Simon Bennetts]

Comments inline.

Let us know if you have any more questions or hit any problems.

On Monday, 23 July 2018 22:00:39 UTC+2, ro da wrote:

Simmon as always, thank you for your guidance.

Is it safe to say that I could just essentially:

1. Pick a Linux distro (Debian)
2. Add the ZAP repo for it:  https://software.opensuse.org/download.html?project=home%3Acabelo&package=owasp-zap
   
3. Install ZAP
4. Pull down API Python script from:https://github.com/zaproxy/zaproxy/blob/develop/docker/zap-api-scan.py

You should download and edit it before trying to use it without Docker. You can test it with the ZAP desktop running locally.

We have an example script that performs a spider and active scan on a target site without using docker here: https://github.com/zaproxy/zap-api-python/blob/master/src/examples/basic-spider-scan.py

So a combination of these 2 scripts should work.

 

1. Run updates for the OWASP ZAP and Plugins --> (How can I do this via the CLI or API?)
   

Start ZAP with the param: -addonupdate

as per the baseline: https://github.com/zaproxy/zaproxy/blob/develop/docker/zap-baseline.py#L259

Note that the baseline also installs the beta poassive scan rules using the params: -addoninstall pscanrulesBeta

 

1. Run passive-non-intrusive/active scans via the cli or API --> (Is there an API call that will do what the zap-api-scan.py script will do and therefor inst needed?)
   

ZAP passive scans all requests proxied through it.

So you just need to do any combination of:

• Spidering: zap-baseline.py#L317
• Ajax spidering: zap-baseline.py#L320
• Proxying your own regression tests
  

[ro da]

Hello Simon,

Just our of curiosity, why are these scripts only written for a docker image. This functionality should be part of any install as not all environments use Docker.Will these scripts be included in a regular install of ZAP in the future?

Respectfully,

Rolo