Commit 223c1eec authored by Thomas Boni's avatar Thomas Boni

Merge branch '6-job-ci-dast' into 'latest'

Resolve "[Job] CI - DAST"

Closes #6

See merge request r2devops/hub!71
parents a973ccb1 421d5b83
+1 −1
@@ -5,7 +5,7 @@ stages:

include:
  - remote: 'https://jobs.r2devops.io/mkdocs.yml'
#  - remote: 'https://jobs.go2scale.io/pages.yml'
#  - remote: 'https://jobs.r2devops.io/pages.yml'

mkdocs:
  before_script:
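Review bot: this hunk only swaps one commented-out include (`#  - remote: 'https://jobs.go2scale.io/pages.yml'`) for another (`#  - remote: 'https://jobs.r2devops.io/pages.yml'`), so the file still carries a dead `include` entry; either enable the r2devops `pages.yml` include or delete the line outright rather than keeping stale config in comments. If the intent is to move everything off `jobs.go2scale.io`, note that the new `jobs/zaproxy/README.md` in this same merge request still tells users to include `https://jobs.go2scale.io/zaproxy.yml` and links the Docker job on `hub.go2scale.io`.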

jobs/zaproxy/README.md

0 → 100644
+52 −0
# 🔎 Zaproxy

## Description

Run a Dynamic Application Security Testing (DAST) in a docker image
using [Zaproxy](https://www.zaproxy.org/), the OWASP web app scanner.

## How to use it

!!! warning
    Zaproxy is fisrt used to scan web applications and web frontend. You can use the tool to try and discover
    API vulnerabilities, but this job is focused on a quick scan for a frontend service (with or without authentication)

1. Build a docker image of your web application so that this job can
use it as a service (we reccomend using our [Docker](https://hub.go2scale.io/jobs/build/docker_build/) job for it)
2. Add the corresponding URL to your `.gitlab-ci.yml` file (see [Getting
   started](/use-the-hub)) and add a `services` section. Example:

    ```yaml
    include:
      - remote: 'https://jobs.go2scale.io/zaproxy.yml'

    zaproxy:
      services:
         - name: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
           alias: app
    ```

    * You need the `services` part because you need to be able to reach your web application
    * The `name` option must contains your image name and tag
    * The `alias` option permits to zaproxy to reach your application using a name. This name must be the same that the one specified inside [variable `ZAP_TARGET`](#variables)
    * You may also run some other services like a database depending on your application needs

3. If you need to customize the job (stage, variables, ...) 👉 check the [jobs
   customization](/use-the-hub/#jobs-customization)
4. Well done, your job is ready to work ! 😀

## Job details

* Job name: `zaproxy`
* Docker image:
[`owasp/zap2docker-stable:2.9.0`](https://hub.docker.com/r/owasp/zap2docker-stable)
* Default stage: `dynamic_tests`
* When: `always`

### Variables

| Name | Description | Default |
| ---- | ----------- | ------- |
| `ZAP_OPTIONS` <img width=100/> | ZAP command line options e.g. `-z "-config aaa=bbb -config ccc=ddd"` <img width=175/>| ` ` <img width=100/>|
| `ZAP_CONTEXT` | Path for the context file for authenticated scans | ` ` |
| `ZAP_TARGET` | Target for zaproxy to scan, default using alias of the docker image used as a service | `http://app` |
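Review bot: the variables table does not match the job: it documents `ZAP_OPTIONS` (with a `-z "-config aaa=bbb ..."` example), but the `zaproxy` job in this merge request never reads `ZAP_OPTIONS`, it reads `ZAP_SCANNERS`, which is not documented here at all; and `ZAP_CONTEXT` is described as the "Path for the context file" while the job passes the same value to `--context-name`, which expects the context's name, not a file path. Please document the variable the job actually honours and say explicitly what `ZAP_CONTEXT` must contain. Smaller points: the "Job details" say `When: always`, but no `when:` is set in the job; the include example points at `https://jobs.go2scale.io/zaproxy.yml` while `.gitlab-ci.yml` in the same change is moving to `jobs.r2devops.io`; and a few typos: "fisrt" (first), "reccomend" (recommend), "must contains" (must contain), "permits to zaproxy to reach" (lets Zaproxy reach), "This name must be the same that the one" (the same as the one).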

jobs/zaproxy/job.yml

0 → 100644
+6 −0
name: zaproxy
description: A ready-to-use job to run DAST using Zaproxy
default_stage: dynamic_tests
icon: 🔎
maintainer: FulcrandG
license: MIT
+1 −0
* Initial version
 No newline at end of file
+25 −0
stages:
  - dynamic_tests

zaproxy:
  image: owasp/zap2docker-stable:2.9.0
  stage: dynamic_tests
  variables:
    ZAP_SCANNERS: ""
    ZAP_CONTEXT: ""
    ZAP_TARGET: "http://app"
  script:
    - if [ ! -z ${ZAP_CONTEXT} ]; then
    -   zap-cli context import ${ZAP_CONTEXT}
    -   if [ ! -z ${ZAP_SCANNERS}]; then
    -     zap-cli quick-scan -sc -s ${ZAP_SCANNERS} --context-name ${ZAP_CONTEXT} --start-options '-config api.disablekey=true' ${ZAP_TARGET}
    -   else
    -     zap-cli quick-scan -sc --context-name ${ZAP_CONTEXT} --start-options '-config api.disablekey=true' ${ZAP_TARGET}
    -   fi
    - else
    -   if [ ! -z ${ZAP_SCANNERS}]; then
    -     zap-cli quick-scan -sc -s $ {ZAP_SCANNERS} --start-options '-config api.disablekey=true' ${ZAP_TARGET} 
    -   else
    -     zap-cli quick-scan -sc --start-options '-config api.disablekey=true' ${ZAP_TARGET}
    -   fi
    - fi
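Review bot: the shell in `script:` has two bugs that keep the `ZAP_SCANNERS` branches from ever working. First, `zap-cli quick-scan -sc -s $ {ZAP_SCANNERS} ...` has a space after `$`, so the scanner list is never expanded and a literal `$` plus `{ZAP_SCANNERS}` are passed as extra arguments. Second, both tests are written `[ ! -z ${ZAP_SCANNERS}]` with no space before `]`: with an empty value the test happens to fall through to the `else` branch, but as soon as `ZAP_SCANNERS` is set, `[` fails with a "missing ]" error. Write the tests as `if [ -n "${ZAP_SCANNERS}" ]; then` (and likewise `[ -n "${ZAP_CONTEXT}" ]`) and quote the expansions in the `zap-cli` calls. Separately, `zap-cli context import ${ZAP_CONTEXT}` takes a file path, while `--context-name ${ZAP_CONTEXT}` on the next line needs the name of the context defined inside that file, so passing the same value to both cannot work for a real context; add a second variable or derive the name and document it. Two smaller points: `-config api.disablekey=true` turns off the ZAP API key for the daemon started inside the job container, which is fine for an ephemeral CI container but deserves a one-line comment explaining why; and the README added in this merge request advertises a `ZAP_OPTIONS` variable that this script never reads.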
 No newline at end of file