using API Scans in CI/CD pipelines


Mario Rodriguez

Aug 21, 2021, 5:44:08 PM
to OWASP ZAP User Group
Hello, I'm a new ZAP user and trying to use it to automate pentesting on a portfolio composed of RESTful microservices that enforce JWT authentication.

My initial exploration is based on the documentation below; however, I have a few questions and would really appreciate it if some guidance could be provided:

1. Are there any JWT rules available?
2. Are packaged API scans available outside the ZAP docker images?
3. Is it possible to implement any customization in the predefined validations applied?
4. Can add-ons be included when using API Scans?

thanks a lot

kingthorin+owaspzap

Aug 22, 2021, 8:39:59 PM
to OWASP ZAP User Group
1. You can install the JWT add-on from SasanLabs, it's available via the marketplace. You can read about it here: https://www.zaproxy.org/blog/2020-09-03-zap-jwt-scanner/
2. Well you can grab the script and run it however you like I suppose, but docker is generally the easiest. (https://github.com/zaproxy/zaproxy/blob/main/docker/zap-api-scan.py)
3. You mean custom scan rules? Yes, sure, you could develop your own scan rules add-on. You could contribute to the zap-extensions project, adding Passive or Active scan rules to the alpha packages. You could contribute to the community-scripts repo with Active or Passive scan scripts. (Or you can keep them private, but we'd rather that people share with the community.) You can also add Custom Payloads (supported by some scan rules).
4. Yes, you can install or update add-ons based on CLI switches or API calls.

Mario Rodriguez

Aug 23, 2021, 1:20:19 AM
to OWASP ZAP User Group
Thanks for the preliminary info. Just by chance, do you have an example, or can you point me to documentation, that explains how to install add-ons when using the docker packaged API scan? I'm trying to determine how to include the JWT add-on when running API scans against OpenAPI services.

regards
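The approach kingthorin describes, passing ZAP CLI switches through the packaged API scan so an add-on is installed before the scan starts, as an added pipeline-step example that is not code from the thread or from the ZAP project. It assumes the JWT add-on's marketplace id is `jwt`, that the `owasp/zap2docker-stable` image is in use, and that `OPENAPI_URL` is a placeholder for your own definition; it also maps the scan script's exit codes so a CI job can decide whether to fail the build.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): run zap-api-scan.py from the ZAP Docker
# image against an OpenAPI definition, installing the JWT add-on first via
# ZAP's -addonupdate / -addoninstall CLI switches, which zap-api-scan.py
# forwards to ZAP through its -z option.
set -u

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"                          # assumed image
OPENAPI_URL="${OPENAPI_URL:-https://api.example.internal/openapi.json}"    # placeholder
JWT_ADDON="${JWT_ADDON:-jwt}"   # assumed add-on id; confirm against the marketplace listing

# ZAP CLI switches to forward: refresh installed add-ons, then install the JWT one.
zap_options() {
  printf -- '-addonupdate -addoninstall %s' "$JWT_ADDON"
}

# Build the full docker command as one string so the pipeline can log and
# review it before executing it. $1 is the host directory mounted as /zap/wrk,
# where report.html is written.
build_scan_command() {
  local workdir="$1"
  printf 'docker run --rm -v %s:/zap/wrk:rw -t %s zap-api-scan.py -t %s -f openapi -r report.html -z "%s"' \
    "$workdir" "$ZAP_IMAGE" "$OPENAPI_URL" "$(zap_options)"
}

# zap-api-scan.py exit codes: 0 no WARN/FAIL, 1 at least one FAIL,
# 2 at least one WARN and no FAIL, anything else a scan error.
scan_verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "fail" ;;
    2) echo "warn" ;;
    *) echo "error" ;;
  esac
}

# Only execute when the caller opts in (RUN_SCAN=1) and docker is present,
# so the file can be sourced by a pipeline step purely for inspection.
if [ "${RUN_SCAN:-0}" = "1" ] && command -v docker >/dev/null 2>&1; then
  cmd="$(build_scan_command "$(pwd)")"
  echo "Running: $cmd"
  eval "$cmd"; rc=$?
  echo "ZAP API scan verdict: $(scan_verdict "$rc") (exit code $rc)"
  [ -f report.html ] || echo "warning: report.html was not produced" >&2
  exit "$rc"
fi
```

In a CI job, treat "fail" (and usually "error") as a build failure and "warn" as something to surface in the report rather than block on.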
