
OWASP ZAP Full Scan Authenticated on Gitlab CICD

I want to do a ZAP full scan on GitLab CI/CD with authentication to the website I want to run it against (without the DAST module from GitLab).

I can run zap-full-scan.py properly but don't know how to add authentication credentials for the site.

stages:
  - scan
dast: 
  stage: scan
  image:
    name: owasp/zap2docker-weekly
  before_script:
    - mkdir -p /zap/wrk
  script:
    - pwd
    - ls
    - zap-full-scan.py -t "http://example.com" -m 1 -d -I -r testreport.html 
    - cp /zap/wrk/testreport.html testreport.html
  artifacts:
    when: always
    paths:
      - testreport.html

Using this modified version: https://github.com/ICTU/zap2docker-auth-weekly

stages:
- scan
dast: 
  stage: scan
  image:
    name: ictu/zap2docker-weekly 
  before_script:
    - mkdir -p /zap/wrk
  script:
    - pwd
    - ls
    - zap-full-scan.py -t "http://testphp.vulnweb.com" -I -r testreport.html --hook=/zap/auth_hook.py -z "auth.loginurl=http://example.com/login.php auth.username_field=uname auth.password_field=pass auth.username=username auth.password=pass"
    - cp /zap/wrk/testreport.html testreport.html
  artifacts:
    when: always
    paths:
      - testreport.html

Run ZAP locally and get authentication working as per https://www.zaproxy.org/docs/authentication/

Then export your context file and specify that and the user you want to use, as per https://www.zaproxy.org/docs/docker/full-scan/
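As an added example of what that second step looks like in a GitLab job (this is not part of the answer above): it assumes the exported ZAP context is stored as a File-type CI/CD variable named ZAP_CONTEXT, that the context defines a user whose name is in ZAP_USER, and that the stage and job names are placeholders.

```yaml
stages:
  - scan

zap_full_scan_authenticated:
  stage: scan
  image:
    name: owasp/zap2docker-weekly
  variables:
    # Target and user name are not secrets; the context file (which carries the
    # user's credentials) is, so it is not committed to the repository.
    TARGET_URL: "https://example.com"
    ZAP_USER: "scanuser"   # assumed: the user name defined inside the context
  before_script:
    - mkdir -p /zap/wrk
    # ZAP_CONTEXT is assumed to be a GitLab CI/CD variable of type "File":
    # $ZAP_CONTEXT expands to the path of a temp file holding the exported
    # .context, so the credentials never land in the repo or the job log.
    - cp "$ZAP_CONTEXT" /zap/wrk/app.context
  script:
    # -n: context file, relative to /zap/wrk   -U: user defined in that context
    # -I: do not fail the job on ZAP warnings   -J / -r: JSON and HTML reports
    - zap-full-scan.py -t "$TARGET_URL" -n app.context -U "$ZAP_USER" -I -J zap-report.json -r zap-report.html
    - cp /zap/wrk/zap-report.json /zap/wrk/zap-report.html .
  artifacts:
    when: always
    paths:
      - zap-report.json
      - zap-report.html
```

Mark ZAP_CONTEXT as protected in the project's CI/CD settings so it is only exposed to protected branches, and check the HTML report's authentication section to confirm the scan actually ran as the named user.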

It's also possible to authenticate the user before performing DAST checks:

dast:
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://example.com"
    login_url: "https://example.com/sign-in"
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website \
        --auth-url $login_url \
        --auth-username "john.doe@example.com" \
        --auth-password "john-doe-password" || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]

See the zaproxy documentation to learn more about authentication settings.
