How to login and scan with ZAP, integrated into Jenkins pipeline - using zap docker?


truclb

Jul 21, 2024, 11:51:57 PM
to ZAP User Group
I have a web application, and I want to integrate OWASP ZAP (Zed Attack Proxy) into the CI/CD Jenkins pipeline for automated security testing after deploying it to production. However, I find it challenging to handle authentication if I want to scan all URL links. I wonder if it is possible to do this. Has anyone tried doing it before?

truclb

Jul 22, 2024, 4:08:11 AM
to ZAP User Group
Actually, it's possible—I used ZAP for DAST in DevSecOps. It mimics human behavior to try to exploit vulnerabilities and then generates a report. ZAP is an amazing tool. I followed this video to solve my problem.
On Monday, July 22, 2024 at 10:51:57 UTC+7, truclb wrote:

Simon Bennetts

Jul 25, 2024, 7:44:19 AM
to ZAP User Group
FYI there are now more options available for authentication.

Oh, and ZAP is no longer part of OWASP :)

Cheers,

Simon