
OWASP ZAP Security Tests in Azure DevOps

Hello everyone! Welcome to pentestguy. In this post we are going to discuss how to configure OWASP ZAP in an Azure DevOps pipeline to automate penetration/security testing. Adding a security test stage with OWASP ZAP to an Azure DevOps pipeline (or any other CI/CD pipeline) helps keep the continuous delivery process running smoothly.

Make sure that you have an Azure DevOps account, or use your existing organization account. We are going to focus on two things: a build pipeline and a release pipeline for security testing with OWASP ZAP.

In this example, we use the build pipeline to publish OWASPToNUnit3.xslt as an artifact, which we then consume in the release pipeline where the actual test runs with OWASP ZAP are set up.

Build Pipeline

Let's start with the build pipeline. Select a repository or create a new one and add the OWASPToNUnit3.xslt file to it. Then create an azure-pipelines.yml file (this file defines the build pipeline).

[Screenshot: owasp-zap-to-nunit3-azure-devops]
In the example above, I added the OWASPToNUnit3.xslt file under the security directory.

If you already have a pipeline, place the code below at the end of it, or wherever your requirements dictate.

trigger:
- none

pr:
- none

pool:
  name: Self-hosted

jobs:
- job: Publish
  displayName: 'Publish Job'
  pool:
    name: Self-hosted
  steps:
  - task: PublishBuildArtifacts@1
    inputs:
      pathtoPublish: 'security/OWASPToNUnit3.xslt'
      artifactName: 'OWASPToNUnit3Artifact'

In the code above I used a self-hosted pool; use whichever pool fits your requirements. If you don't have paid Azure resources, you can run your own self-hosted agents.

Create the pipeline against the target repository and run it. It will publish the artifact shown in the picture below.

[Screenshot: owasp-zap-to-nunit3-azure-devops-published-artifact]

Release Pipeline

Now, using that artifact, we are going to create a release pipeline. (Note that in this post we focus on the security stage only; your pipeline may have multiple stages.)

Add the published OWASP artifact to the pipeline and create a new stage named Security Test.

[Screenshot: owasp-zap-azure-devops-security-pipeline]

Set up the agent job settings (you can rename the job if you want). The first important point is to set the pool (in this case Self-hosted) and the second is to select the OWASP ZAP artifact.

[Screenshot: agent-job-settings]

Now it is time to add the tasks to the Security Test stage; follow the steps below.

Run Test

In this step we add the command that runs the test. We run the OWASP ZAP Docker image against a Juice Shop target that is already running on my network.

If you want to try it with Juice Shop, check how to run Juice Shop inside a Docker container using this link.

[Screenshot: docker-command-owasp-zap]
In the example above, make sure to provide the Display name and set Type to Inline.

Use the code below in the script section. Make the necessary changes for your target: I added the login credentials and the login URI after looking up the login form parameters. A token can also be passed the same way if your application needs one.

# Run the ZAP baseline scan from the weekly image; the working directory is mounted
# so the XML and HTML reports are written back to the agent for the next steps.
# -I keeps the job from failing on warnings, -j enables the AJAX spider, -x/-r name the reports.
# The -z string is read by the image's auth hook; prefer a secret pipeline variable over an inline password.
sudo docker run --rm -v "$(pwd)":/zap/wrk/:rw -t ictu/zap2docker-weekly zap-baseline.py -I -j -t http://192.168.1.7:3000 -x OWASP-ZAP-Report.xml -r testreport.html --hook=/zap/auth_hook.py -z 'auth.loginurl=http://192.168.1.7:3000/#/login auth.email=[email protected] auth.password=Password'

Convert Result

The next step converts the result we got from ZAP; this is where we use the XSLT file from the build pipeline artifact.

[Screenshot: powershell-script-convert-nunit3]
In the example above, make sure to provide the Display name and set Type to Inline.

Add the PowerShell code below to the script section. Make sure to give the proper artifact location for the .xslt file. In this case it is _OWASP-Test/OWASPToNUnit3Artifact, where _OWASP-Test is the artifact alias in the release pipeline and OWASPToNUnit3Artifact is the artifact name from the build pipeline.

# XSLT published by the build pipeline; the path is <release artifact alias>/<build artifact name>/<file>
$XslPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/_OWASP-Test/OWASPToNUnit3Artifact/OWASPToNUnit3.xslt"
# ZAP XML report written by the previous step (the mounted working directory)
$XmlInputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/OWASP-ZAP-Report.xml"
# NUnit3-formatted output consumed by the Publish Test Results task
$XmlOutputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/Converted-OWASP-ZAP-Report.xml"
$XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
$XslTransform.Load($XslPath)
$XslTransform.Transform($XmlInputPath, $XmlOutputPath)
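The PowerShell step above only reshapes the report for the Tests tab; because the baseline scan is run with -I, the job itself does not fail when ZAP reports findings. As an added example (my own code, not part of the original post, of ZAP or of the xslt project), the Python script below reads the same OWASP-ZAP-Report.xml, counts alerts per risk level and exits non-zero when an alert at or above a chosen risk remains, so it can be dropped into the stage as an extra script task on an agent that has python3. The report XML embedded in it is constructed sample data in the shape of a ZAP XML report, the plugin ids and counts are sample values, and the ##vso[task.logissue] line is the Azure Pipelines logging command that surfaces an error in the job log.

```python
"""Gate a pipeline stage on the risk levels found in an OWASP ZAP XML report."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Risk codes as ZAP writes them into <riskcode>; names follow ZAP's report wording.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report (not real scan output) mirroring the ZAP XML layout.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.11.1" generated="Tue, 1 Jan 2022 00:00:00">
  <site name="http://192.168.1.7:3000" host="192.168.1.7" port="3000" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <riskdesc>Low (Medium)</riskdesc>
        <count>3</count>
      </alertitem>
      <alertitem>
        <pluginid>10038</pluginid>
        <alert>Content Security Policy (CSP) Header Not Set</alert>
        <riskcode>2</riskcode>
        <confidence>3</confidence>
        <riskdesc>Medium (High)</riskdesc>
        <count>5</count>
      </alertitem>
      <alertitem>
        <pluginid>10096</pluginid>
        <alert>Timestamp Disclosure - Unix</alert>
        <riskcode>0</riskcode>
        <confidence>1</confidence>
        <riskdesc>Informational (Low)</riskdesc>
        <count>1</count>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(xml_text):
    """Return (riskcode, pluginid, alert name, instance count) for every <alertitem>."""
    root = ET.fromstring(xml_text)
    alerts = []
    for item in root.iter("alertitem"):
        risk = int(item.findtext("riskcode", "0"))
        alerts.append((risk, item.findtext("pluginid", ""),
                       item.findtext("alert", ""), int(item.findtext("count", "0"))))
    return alerts


def summarize(alerts):
    """Count alerts per risk level, keyed by the level name (all levels present)."""
    counts = Counter(RISK_NAMES[risk] for risk, *_ in alerts)
    return {name: counts.get(name, 0) for name in RISK_NAMES.values()}


def gate(alerts, fail_on="Medium", ignore_plugins=()):
    """Return (ok, blocking): ok is True when no alert at or above fail_on remains
    after dropping plugin ids that were consciously accepted (risk-acceptance list)."""
    threshold = {name: code for code, name in RISK_NAMES.items()}[fail_on]
    blocking = [a for a in alerts if a[0] >= threshold and a[1] not in ignore_plugins]
    return len(blocking) == 0, blocking


def main(argv):
    # Usage: python3 zap_gate.py [OWASP-ZAP-Report.xml]; without a path the sample report is used.
    path = argv[1] if len(argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    alerts = parse_alerts(xml_text)
    for name, n in summarize(alerts).items():
        print(f"{name:14s} {n}")
    ok, blocking = gate(alerts, fail_on="Medium")
    for risk, plugin_id, name, count in blocking:
        # Azure Pipelines logging command: marks the job with an error entry.
        print(f"##vso[task.logissue type=error;]ZAP {RISK_NAMES[risk]} alert {plugin_id}: "
              f"{name} ({count} instances)")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a Bash or Python Script task after the scan step, passing the report path from $(System.DefaultWorkingDirectory); the non-zero exit code fails the stage, while the Tests tab still shows the full converted report. The ignore_plugins list is where accepted findings are recorded so the gate only blocks on new ones.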

Publish Result

In this step we simply publish the result we got from OWASP ZAP.

[Screenshot: publish-result]
Make sure to set the values as shown in the picture above.

Save your work, create a new release from the release pipeline and deploy it.

[Screenshot: complete-release-pipeline]

After the pipeline has run successfully, go to the Tests tab and check the result.

[Screenshot: security-testing-result]

That's all for this post. If you found it helpful, please share it with your co-workers and friends. Leave a comment and let us know if you have any suggestions. You can also collaborate with us; please check our collaboration page. Thank you!