Zap Passive Scan to Monitor Testing Pipeline


Kabir Grewal

Jan 20, 2023, 5:16:41 PM
to OWASP ZAP User Group
Hello,

I currently have a set of test suites running in CI/CD against a web app, and would like to begin security scanning as part of this pipeline. As it is a dynamic app, active scanning is not as effective as for the demo site (bodgeit), so I am trying for a passive scan against the test suite instead. I have read the documentation and FAQs but am still a bit confused about how to accomplish this using a Docker container. Would it be best to use the baseline scan image or a different one? Also, if I wanted to proxy against my target site, could ZAP use the same URL as the target so that I don't have to adjust my test configuration?

Thanks!

Simon Bennetts

Jan 23, 2023, 6:39:22 AM
to OWASP ZAP User Group
Hiya,

That is exactly what the baseline scan is for.
We also have the Automation Framework https://www.zaproxy.org/docs/automate/automation-framework/ which provides finer-grained control.
Right now you will need to change your test configuration to proxy via ZAP.

Cheers,

Simon
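As an added illustration of the "proxy your tests through ZAP, then read the passive-scan results" flow discussed above (example code, not from the thread or the ZAP project): a CI gate script that waits for ZAP's passive scanner to drain, counts alerts per risk level via the ZAP API, and fails the pipeline on High findings. It assumes a ZAP daemon container is reachable on localhost:8080 with the API key disabled and that the test suite honours HTTP_PROXY/HTTPS_PROXY; the sample alert document is constructed.

```python
import json
import sys
import time
import urllib.request

# Assumptions (not from the thread): ZAP runs as a daemon in Docker, e.g.
#   docker run -d -p 8080:8080 ghcr.io/zaproxy/zaproxy:stable \
#     zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true
# and the test suite is then run with HTTP_PROXY/HTTPS_PROXY=http://localhost:8080.
ZAP_API = "http://localhost:8080"
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def zap_get(path: str, base_url: str = ZAP_API) -> dict:
    """Call a ZAP JSON API view (no apikey parameter, since the key is disabled above)."""
    with urllib.request.urlopen(f"{base_url}{path}", timeout=30) as resp:
        return json.load(resp)


def wait_for_passive_scan(base_url: str = ZAP_API, timeout_s: int = 120) -> None:
    """Block until the passive scanner has processed every message proxied through ZAP."""
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        pending = int(zap_get("/JSON/pscan/view/recordsToScan/", base_url)["recordsToScan"])
        if pending == 0:
            return
        time.sleep(2)
    raise TimeoutError("passive scan still has records queued")


def summarize_alerts(alerts_doc: dict) -> dict:
    """Count alerts per risk level from a /JSON/core/view/alerts/ response."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts_doc.get("alerts", []):
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def exceeds_threshold(counts: dict, fail_at: str = "High") -> bool:
    """True if any alert sits at or above fail_at; this is the CI gate condition."""
    return any(counts.get(r, 0) > 0 for r in RISK_ORDER[RISK_ORDER.index(fail_at):])


# Constructed sample in the shape ZAP returns, so the pure functions run offline.
SAMPLE_ALERTS = {"alerts": [{"risk": "High", "name": "sample-high"},
                            {"risk": "Medium", "name": "sample-medium"},
                            {"risk": "Low", "name": "sample-low"}]}

if __name__ == "__main__":
    # Run after the proxied test suite finishes; a non-zero exit fails the pipeline.
    wait_for_passive_scan()
    counts = summarize_alerts(zap_get("/JSON/core/view/alerts/"))
    print(json.dumps(counts))
    sys.exit(1 if exceeds_threshold(counts, "High") else 0)
```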