ZAP Automation Framework - Fail on Severity for High


Nar Di (Nar)

Jun 15, 2023, 11:26:12 PM
to OWASP ZAP User Group
Hi 

I'm currently using the ZAP Automation Framework via the zap.sh command autorun, referring to a YAML config file to run the scan, along with the context where we declare the target scope (included and excluded), pass a request header and body, and do the passive scan, spider and active scan.

However, we just got a directive that we must fail the git job when there is a High severity finding on the scan report.
  
I'd just like to ask if there is a way to do this on our current setup. Below is my script:
 
zap.sh -cmd -autorun /zap/wrk/testconfig.yaml

Thanks in advance

Nar Di (Nar)

Jun 15, 2023, 11:29:32 PM
to OWASP ZAP User Group
I'm using HTML as the report format, btw :)

Nar Di (Nar)

Jun 16, 2023, 3:44:22 AM
to OWASP ZAP User Group
Hi 

Hope someone could share some recommendations :)

TIA

thc...@gmail.com

Jun 16, 2023, 3:58:58 AM
to zaprox...@googlegroups.com
Hi.

You would have to raise an error or warn to affect the exit code:
https://www.zaproxy.org/docs/desktop/addons/automation-framework/

You can do that with Alert Job Test, if you are targeting specific alerts.
https://www.zaproxy.org/docs/desktop/addons/automation-framework/test-alert/

Otherwise you would have to use other means to do that (e.g. a standalone
script that checks the alerts raised).

Best regards.

Nar Di (Nar)

Jul 11, 2023, 5:11:55 AM
to OWASP ZAP User Group
Thanks thc202, however the requirement is to fail the build if a High vulnerability is identified and, if none, let the build succeed.

Currently doing a script that will check the generated report file to see if there are Highs.

psiinon

Jul 11, 2023, 5:17:21 AM
to zaprox...@googlegroups.com
Feel free to share the script here - other people may well find it useful :)

Cheers,

Simon



--
OWASP ZAP Project leader

Nar Di (Nar)

Jul 11, 2023, 11:41:52 AM
to OWASP ZAP User Group
We'll share.

Basically the script just greps and seds the report file to check whether the table that has High contains 0 or more than 0; if more than 0, then fail the build.

My conditional statement on the git job does not accept it if the report contains HIGH, which is exit 1 with HIGH and exit 0 for no High.

Not sure if the exit code is being validated by the CI or whether it's conflicting with the exit code output from the OWASP ZAP cmd.
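As an added example (not code from the thread or from the ZAP project), here is the kind of standalone checker thc202 describes, written against ZAP's traditional JSON report rather than the HTML one, so that no grep/sed over table markup is needed. It assumes the Automation Framework's report job was configured with template traditional-json, whose alerts carry a "riskcode" field (0 = Informational, 1 = Low, 2 = Medium, 3 = High), and it is meant to run as its own CI step after zap.sh so that its exit code, not ZAP's, is what the job evaluates.

```python
"""Fail a CI step when a ZAP traditional-json report contains a High alert.

Added example, not from the thread or the ZAP project. Assumes the
report was produced by the Automation Framework 'report' job with
template: traditional-json (alerts carry "riskcode": "0".."3").
"""
import json
import sys

HIGH = 3  # riskcode for High in ZAP's traditional report formats

# Constructed sample in the traditional-json shape, for offline use.
SAMPLE_REPORT = {
    "site": [{
        "@name": "https://target.example",
        "alerts": [
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "count": "2"},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "confidence": "2", "count": "12"},
        ],
    }],
}


def count_by_risk(report: dict) -> dict:
    """Return {riskcode: number of distinct alert types} across all sites."""
    counts = {0: 0, 1: 0, 2: 0, 3: 0}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            code = int(alert["riskcode"])
            counts[code] = counts.get(code, 0) + 1
    return counts


def high_alerts(report: dict) -> list:
    """Sorted names of High-risk alert types, for the CI log."""
    return sorted({a["alert"] for s in report.get("site", [])
                   for a in s.get("alerts", []) if int(a["riskcode"]) == HIGH})


def gate(report: dict, threshold: int = HIGH) -> int:
    """Exit code for the CI step: 1 if any alert at/above threshold, else 0."""
    return 1 if any(n for r, n in count_by_risk(report).items()
                    if r >= threshold) else 0


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    rep = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print("alert types by risk:", count_by_risk(rep))
    for name in high_alerts(rep):
        print("HIGH:", name)
    sys.exit(gate(rep))
```

Run it as `python zap_gate.py /zap/wrk/report.json` in the step after the scan; lowering the threshold argument to 2 makes Medium findings fail the build as well.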