Using ZAP Docker Image in CI/CD Pipeline for Microservices with OAuth Authentication


Shubham Bhingarde, Aug 21, 2024, 3:09:45 AM, to ZAP User Group

I'm working on a large-scale microservices project with over 190 services. I've recently integrated DevSecOps into our workflow, and as part of this, I've set up a DAST stage in our CI/CD pipeline using the ZAP Docker image to perform a full scan.

Each time a new build is triggered in Jenkins, I need to ensure that DAST is run across all these microservices. However, our services are secured by an OAuth service, requiring authentication before accessing any service URL. This redirection to the OAuth service is mandatory, and I already have the necessary credentials for authentication.

My question is: How can I configure ZAP to seamlessly pass through the OAuth service and perform a full scan on all our service URLs during the Jenkins build? Are there specific flags or configurations within the ZAP Docker image that would allow me to pass the OAuth credentials directly?

Any guidance or suggestions would be greatly appreciated!


Shubham Bhingarde, Aug 21, 2024, 7:31:23 AM, to ZAP User Group

I have already read https://www.zaproxy.org/docs/authentication/, and I know the authentication can be done in ZAP desktop; I'm looking for the same in the ZAP Docker image.

truclb, Aug 23, 2024, 4:08:26 AM, to ZAP User Group

I implemented the same in the Jenkins pipeline. However, I only applied it after configuring the Context file for authentication manually (using the ZAP GUI). After that, I integrated the full scan using Docker ZAP with the configured Context file. Here is the Jenkins pipeline for the Docker ZAP scan. Apart from that, I followed this video for configuring authentication (Context file): https://www.youtube.com/watch?v=BOlalxfdLbU&authuser=0
I hope it will work for you.
-----------------------------------------------------------------------------------------------------------------
pipeline {
    agent any
    parameters {
        string(
            defaultValue: '<url_for_scan>',
            description: 'Target URL to scan',
            name: 'TARGET'
        )
        booleanParam(
            defaultValue: true,
            description: 'Parameter to know if you want to generate a report.',
            name: 'GENERATE_REPORT'
        )
    }
    stages {
        stage('Setting up ZAP docker container') {
            steps {
                echo 'Starting container --> Start'
                // Keep the container alive so the later stages can docker exec into it.
                sh 'docker run -dt --name zapscan zaproxy/zap-stable /bin/bash'
                echo 'Starting container --> End'
            }
        }
        stage('Prepare wrk directory') {
            when {
                environment name: 'GENERATE_REPORT', value: 'true'
            }
            steps {
                script {
                    // Create the folder /zap/wrk, then copy the context file into it.
                    // The packaged scan scripts read context files from, and write reports to, /zap/wrk.
                    sh '''
                        docker exec zapscan mkdir -p /zap/wrk
                        docker cp ${WORKSPACE}/<context file> zapscan:/zap/wrk/<context file>
                    '''
                }
            }
        }
        stage('Scanning target on ZAP container - FULL SCAN') {
            steps {
                script {
                    // ${params.TARGET} is the pipeline parameter (Groovy interpolation).
                    // -n loads the context, -U selects the user defined in it,
                    // -r writes the report under /zap/wrk, -I ignores warnings so alerts alone do not fail the build.
                    sh """
                        docker exec zapscan \
                        zap-full-scan.py \
                        -t ${params.TARGET} \
                        -n <context file> \
                        -U <name of user> \
                        -r report.html \
                        -I
                    """
                }
            }
        }
        stage('Copy Report to Workspace') {
            steps {
                script {
                    sh '''
                        echo Workspace is: ${WORKSPACE}
                        docker cp zapscan:/zap/wrk/report.html ${WORKSPACE}/report.html
                    '''
                }
            }
        }
    }
    // post belongs at pipeline level in declarative syntax, not inside stages { }.
    post {
        always {
            echo 'Removing container'
            sh '''
                docker stop zapscan
                docker rm zapscan
            '''
            cleanWs() // clean the workspace after use
        }
    }
}

-----------------------------------------------------------------------------------------------------------------
On Wednesday, August 21, 2024 at 18:31:23 UTC+7, shubham....@gmail.com wrote:

Simon Bennetts, Aug 28, 2024, 12:53:06 PM, to ZAP User Group
I strongly recommend using the Automation Framework (AF) instead of the full packaged scan.
The AF can do everything the packaged scans can do, but in an easier-to-configure way.

If you can get authentication working in the ZAP desktop then it should be straightforward to get it working in the AF.
You'll have created a context - create the AF plan using that context, and then make sure you change the spiders and active scanners to use the user you have defined.

Try that out and let us know how you get on.

Cheers,

Simon
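The AF approach described in this reply, as an added example that is not from the thread or the ZAP project: a minimal plan with an authenticated context and a user that both the spider and the active scan run as. The context name, service URLs, login page, poll URL, credential variables and cookie-based session handling are assumptions standing in for the poster's real OAuth setup; browser-based authentication is used because it follows the redirect to the OAuth login page.

```yaml
# Added example plan. Names, URLs and the login flow are assumptions, not a real deployment.
env:
  contexts:
    - name: "orders-service"                      # assumed context name
      urls:
        - "https://orders.example.internal"       # assumed service URL
      includePaths:
        - "https://orders.example.internal/.*"
      authentication:
        # browser-based auth drives a headless browser through the OAuth redirect
        method: "browser"
        parameters:
          loginPageUrl: "https://orders.example.internal/"   # redirects to the OAuth login
          loginPageWait: 5
          browserId: "firefox-headless"
        verification:
          method: "poll"
          pollUrl: "https://orders.example.internal/api/me"  # assumed authenticated endpoint
          pollFrequency: 60
          pollUnits: "requests"
          loggedInRegex: "\\Q 200 OK\\E"
          loggedOutRegex: "\\Q 302 Found\\E"
      sessionManagement:
        method: "cookie"   # assumes the app sets a session cookie after the OAuth callback
      users:
        - name: "ci-scan-user"
          credentials:
            username: "${ZAP_USER}"       # injected from Jenkins credentials as env vars
            password: "${ZAP_PASSWORD}"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  - type: spider
    parameters:
      context: "orders-service"
      user: "ci-scan-user"   # without a user the spider crawls unauthenticated
  - type: activeScan
    parameters:
      context: "orders-service"
      user: "ci-scan-user"
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "report.html"
```

Run it from the Jenkins agent with the workspace mounted as /zap/wrk, for example `docker run --rm -e ZAP_USER -e ZAP_PASSWORD -v "$WORKSPACE":/zap/wrk:rw zaproxy/zap-stable zap.sh -cmd -autorun /zap/wrk/plan.yaml`; the ${VAR} placeholders are replaced from the environment when the plan loads, so credentials never sit in the plan file.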