Need help in adding OWASP ZAP to CI/CD pipeline in Azure DevOps.

Nirjhar Banik

Jan 5, 2021, 7:45:40 AM
to OWASP ZAP User Group
Hello,

I have just started working with OWASP ZAP and am in the process of integrating ZAP into the CI/CD pipeline of Azure DevOps. It would be very helpful if someone from the group could help me with some documentation/tutorials on how to start on this.

Many thanks in advance.

Cordially,
Nirjhar Banik

Simon Bennetts

Jan 5, 2021, 7:58:51 AM
to OWASP ZAP User Group
Hi Nirjhar,

Start by testing your application using the ZAP desktop - there's a Getting Started Guide here: https://www.zaproxy.org/getting-started/
It's much easier to check that ZAP is doing what you expect via the desktop. Once you've got that working ok then look at automation.
If you can use docker containers then the packaged scans are probably your best option for that: https://www.zaproxy.org/docs/docker/

Cheers,

Simon

Scott Gerlach

Jan 11, 2021, 7:56:28 PM
to OWASP ZAP User Group
Hey Nirjhar,

I know this is StackHawk specific, but we've got documentation on how to integrate with Azure DevOps here: https://docs.stackhawk.com/continuous-integration/azure-pipelines.html. You should be able to replace the StackHawk specific stuff in this documentation with the OWASP ZAP docker container to get an idea of how to run ZAP in either ephemeral environments or against deployed environments. Hopefully that is helpful in your Azure journey.
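
The approach suggested in the replies above (the ZAP docker packaged baseline scan run from an Azure DevOps pipeline), as an added example that is not part of any poster's message or of the ZAP or StackHawk documentation. The target URL is a placeholder for a test deployment you own, and the image name is the current ZAP stable image, not one named in the thread.

```yaml
# Added example: Azure Pipelines job running the ZAP baseline (passive) scan.
# Assumptions: TARGET_URL is a placeholder; ZAP_IMAGE is the current stable image.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  TARGET_URL: https://staging.example.test   # placeholder, replace with your test site
  ZAP_IMAGE: ghcr.io/zaproxy/zaproxy:stable

steps:
  - script: |
      mkdir -p "$(Build.ArtifactStagingDirectory)/zap"
      # The container runs as the non-root "zap" user, so the mounted
      # report directory must be writable by it.
      chmod 777 "$(Build.ArtifactStagingDirectory)/zap"
    displayName: Prepare report directory

  - script: |
      rc=0
      docker run --rm \
        -v "$(Build.ArtifactStagingDirectory)/zap:/zap/wrk/:rw" \
        "$(ZAP_IMAGE)" \
        zap-baseline.py -t "$(TARGET_URL)" -r zap-report.html -J zap-report.json \
        || rc=$?
      # zap-baseline.py exit codes: 0 = pass, 1 = at least one FAIL,
      # 2 = at least one WARN and no FAILs, 3 = any other failure.
      echo "zap-baseline.py exit code: $rc"
      if [ "$rc" -eq 1 ] || [ "$rc" -eq 3 ]; then
        exit 1          # break the build on FAIL rules or a scan error
      fi
      if [ "$rc" -eq 2 ]; then
        # Surface warnings in the run summary without failing the build.
        echo "##vso[task.logissue type=warning]ZAP baseline reported warnings"
      fi
    displayName: ZAP baseline scan

  - task: PublishBuildArtifacts@1
    condition: always()   # keep the report even when the scan step fails
    inputs:
      PathtoPublish: $(Build.ArtifactStagingDirectory)/zap
      ArtifactName: zap-report
    displayName: Publish ZAP report
```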

eri...@augment1security.com

Feb 17, 2021, 9:33:12 PM
to OWASP ZAP User Group
Hi Nirjhar,

If you are keen on using Azure Devops Pipelines, you might want to check out:

Hope it helps.

Best Regards,
Eric W.
Blog: https://augment1security.com/blog/
Twitter: @aug1sec
Facebook: https://www.facebook.com/aug1sec