Run multiple scans in a loop inside Docker container


Jarek

Apr 20, 2021, 9:06:14 AM
to OWASP ZAP User Group
Hey,

I'm trying to automate a scanning process so I can perform the scan on multiple API files (OpenAPIv3) but for some reason it doesn't work. Here's my config:

Dockerfile
FROM owasp/zap2docker-weekly
USER root
WORKDIR /zap
CMD ["bash", "/zap/scripts/start.sh"]

start.sh
for f in /zap/wrk/api/*.json # Loop over OAS3 definitions
do
  name=(${f//// })
  zap-api-scan.py \
  -j \
  -t "api/${name[4]}" \
  -f openapi \
  -r report.html \
  -S
done

The first round of scanning is doing completely fine but in the second iteration it's stuck with the output below:
cat: /tmp/.X1-lock: No such file or directory
/zap/zap-x.sh: 10: kill: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]

Do you have any ideas why?


Thanks,
Jarek

Simon Bennetts

Apr 20, 2021, 9:28:37 AM
to OWASP ZAP User Group
When I was at Mozilla I used to scan a couple of hundred websites using the packaged scans, the Mass Baseline was a sanitised version of those scripts: https://github.com/zaproxy/community-scripts/tree/master/api/mass-baseline

You should definitely sleep for at least 5 seconds between each run - I found that ZAP takes a little while to shutdown in the background and sometimes previous runs interfered with the following ones.

Did you mean to include the '-j' parameter? That's not actually supported for the API scan.
Also you will just keep on overwriting the report.html file each time so you will only end up with the last one.
It might be worth trying to adapt the Mass Baseline scripts :)

Cheers,

Simon
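The three points Simon raises (a pause between runs, no -j, a distinct report file per definition) written out as a loop, as an added example that is not code from the thread, from the Mass Baseline scripts or from the ZAP project. It keeps Jarek's convention of -t and -r paths relative to /zap/wrk; the SLEEP_SECONDS and ZAP_API_SCAN overrides are assumptions added so the loop can be dry-run with a stub outside a container.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: scan every OpenAPI definition under
# API_DIR sequentially, pausing between runs and writing one report per file.
set -u

API_DIR="${API_DIR:-/zap/wrk/api}"               # OAS3 .json files, as in the original script
SLEEP_SECONDS="${SLEEP_SECONDS:-5}"              # pause between runs so the previous ZAP can shut down
ZAP_API_SCAN="${ZAP_API_SCAN:-zap-api-scan.py}"  # assumed override point; lets the loop be dry-run with a stub

# Map a definition path to a distinct report name so runs do not overwrite
# each other: /zap/wrk/api/petstore.json -> petstore-report.html
report_name_for() {
  base=$(basename "$1")
  echo "${base%.*}-report.html"
}

# Run the packaged API scan once per definition. Returns the number of scans
# that exited non-zero, so a wrapper can tell a clean batch from a failed one.
run_all_scans() {
  failed=0
  first=1
  for f in "$API_DIR"/*.json; do
    [ -e "$f" ] || continue                      # no matches: the glob is left literal
    if [ "$first" -eq 0 ]; then
      sleep "$SLEEP_SECONDS"                     # only between runs, not before the first
    fi
    first=0
    report=$(report_name_for "$f")
    # -t and -r are relative to /zap/wrk, following the original script;
    # -j is left out because the API scan does not support it
    if ! "$ZAP_API_SCAN" -t "api/$(basename "$f")" -f openapi -r "$report" -S; then
      echo "scan failed for $f" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Only start scanning when the definitions directory exists, so the functions
# above can be sourced and exercised outside a ZAP container.
if [ -d "$API_DIR" ]; then
  run_all_scans
else
  echo "no definitions directory at $API_DIR; nothing to scan" >&2
fi
```

Inside the container this would replace start.sh as written; the exit status of run_all_scans is the count of definitions whose scan failed, which is what a CI job would check after the batch.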

Jarek

Apr 20, 2021, 9:58:51 AM
to OWASP ZAP User Group

Ah, you're right, I was playing with a single baseline scan before hence the `-j` param and report.html file, thanks for spotting that anyway :)
I'll definitely look at mass-baseline and if I manage to adapt it to API scan, I'll make a PR to community-scripts.

Best,
Jarek