ZAP Automation Framework in AzurePipelines


Sergio Rueda

Dec 22, 2022, 6:17:16 PM
to OWASP ZAP User Group
Hi everyone,

I'm trying to replace the apiURL variable of the YAML file with a variable defined in my pipeline, but it is always identified as null. How can I modify this?

I have multiple APIs, so I don't want to create multiple YAML files to scan multiple API URLs.

Simon Bennetts

Dec 23, 2022, 4:37:49 AM
to OWASP ZAP User Group
The variable needs to be set as an environmental variable.

Cheers,

Simon

Sergio Rueda

Dec 28, 2022, 9:43:07 AM
to OWASP ZAP User Group
Do you have an example? I'm trying to set it, but I don't know how to call it in the YAML file.

Simon Bennetts

Dec 28, 2022, 9:47:55 AM
to OWASP ZAP User Group

Sergio Rueda

Dec 28, 2022, 4:30:29 PM
to OWASP ZAP User Group
Yes, I understand it,

but I'm using it in a task like this:

docker run  --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/"$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/testsec/drop/zap.yml"

I need to call the variable in the zap.yml, but the automation framework never reads it.

So what could I do or use?

Regards,

Simon Bennetts

Dec 29, 2022, 4:32:09 AM
to OWASP ZAP User Group
So in this case you want to use the SYSTEM_DEFAULTWORKINGDIRECTORY env var as per your command?
In this case ZAP (and the AF) will not even get to see it - it will have been handled (or not, as the case may be) before ZAP gets invoked.

I think the problem you are seeing is just related to the command line and not ZAP.
You can test it by trying commands like:
  • docker run  --rm -t owasp/zap2docker-stable echo "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)"
If you work out the right incantation to get the standard "echo" command to print out the right value then you can use the same format in your ZAP invocation.

Cheers,

Simon

Sergio Rueda

Jan 3, 2023, 12:14:17 PM
to OWASP ZAP User Group
Thanks Simon,

I erased it and the command is executing perfectly:

docker run  --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/testsec/drop/zap.yml

But the main question is how to pass the apiurl variable stored in Azure DevOps to the YAML file, which is in another repo different from ADO.

I set it as an OS environment variable, but the automation framework wasn't reading it, and I don't know how to pass it to the Docker image so that Docker can read it.

Sergio Rueda

Jan 4, 2023, 12:30:10 PM
to OWASP ZAP User Group
Hi everyone,

I solved it using a Docker env variable.

Simon Bennetts

Jan 4, 2023, 12:35:49 PM
to OWASP ZAP User Group
Thanks for letting us know!
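The approach the thread ends on, as an added example that is not code from the posters or from the ZAP project: a single plan refers to its target as ${API_URL}, and each docker run hands the value to the container with -e. The variable name API_URL, the function names, the /openapi.json path and the example.test URLs are assumptions; the script prints the commands unless DRY_RUN=0 is set.

```shell
#!/usr/bin/env bash
# Added example. Assumed names: API_URL, write_plan, zap_scan, run_all.

# The plan names its target only through ${API_URL}. The quoted heredoc stops
# the shell expanding it; ZAP resolves it from its own process environment.
write_plan() {
  cat > "$1" <<'EOF'
env:
  contexts:
    - name: api
      urls:
        - "${API_URL}"
jobs:
  - type: openapi
    parameters:
      apiUrl: "${API_URL}/openapi.json"   # assumed definition path
  - type: activeScan
    parameters:
      context: api
EOF
}

# Scan one target. -e copies the value into the container: a variable that is
# set only on the build agent is not part of the container's environment.
zap_scan() {
  local url=$1 workdir=$2
  case $url in
    http://*|https://*) ;;
    *) echo "API_URL is empty or not an http(s) URL: '$url'" >&2; return 1 ;;
  esac
  set -- docker run --rm -v "$workdir:/zap/wrk/:rw" -e "API_URL=$url" \
    -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/zap.yml
  # Dry run by default: print the command. DRY_RUN=0 executes it.
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Constructed sample targets; in a pipeline they come from pipeline variables.
run_all() {
  local workdir url
  workdir=$(mktemp -d) && chmod 755 "$workdir"  # container user must read it
  write_plan "$workdir/zap.yml"
  for url in "https://api-one.example.test" "https://api-two.example.test"; do
    zap_scan "$url" "$workdir" || return 1
  done
}

run_all
```

Passing the value as a separate `-e "API_URL=$url"` argument, rather than splicing it into a string that is later evaluated, keeps a pipeline-supplied URL from being interpreted by the shell.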