Hello everyone! Welcome to pentestguy. In this post we are going to discuss how to configure OWASP ZAP in an Azure DevOps pipeline to automate penetration/security testing. Adding a security test stage with OWASP ZAP to an Azure DevOps pipeline (or any other CI/CD pipeline) helps keep the continuous delivery process running smoothly.
Make sure you have an Azure DevOps account created, or use your existing organization account. We are going to focus on two things: the build pipeline and the release pipeline for security testing with OWASP ZAP.
In this example, the build pipeline publishes OWASPToNUnit3.xslt as an artifact, which we then use in the release pipeline where the actual test runs with OWASP ZAP are set up.
Build Pipeline
Let's go with the build pipeline first: select a repository or create a new one and add the OWASPToNUnit3.xslt file to it. Create an azure-pipelines.yml file (this file will run the build pipeline).
If you already have a pipeline, place the code below at the end of it, or wherever your setup requires.
```yaml
# No CI or PR triggers: this pipeline is run manually to publish the XSLT
trigger: none
pr: none
pool:
  name: Self-hosted
jobs:
- job: Publish
  displayName: 'Publish Job'
  pool:
    name: Self-hosted
  steps:
  # Publish the stylesheet stored at security/OWASPToNUnit3.xslt in the repository
  - task: PublishBuildArtifacts@1
    inputs:
      pathtoPublish: 'security/OWASPToNUnit3.xslt'
      artifactName: 'OWASPToNUnit3Artifact'
```
In the code above I used a self-hosted pool; use whichever pool suits your requirements. If you don't have paid Azure resources, you can run your own self-hosted agents.
Create the pipeline pointing at the target repository and run it. It will publish the artifact, as shown in the picture below.
Release Pipeline
Now, using the artifact, we are going to create a release pipeline. (Please note that in this post we focus on the security stage only; there may be multiple stages in your case.)
Add the published OWASP artifact to the pipeline and create a new stage named Security Test.
Set up the agent job settings (you can rename the job if you want). The first important point is adding the pool (in this case Self-hosted), and the second is selecting the OWASP ZAP artifact.
Now it's time to add the tasks to the Security Test stage; follow the steps below.
Run Test
In this step we add the command for the test run. We run the OWASP ZAP Docker image against a Juice Shop target that is already present on my network.
If you want to try it with Juice Shop, check how to run Juice Shop inside a Docker container using this link.
Use the code below in the script section. Make the necessary changes, as I did: I added the login credentials after looking up the login parameters and the login URI. We can also add a token if that is needed.
```bash
# Mount the working directory as /zap/wrk so the reports land in the agent's workspace.
#   -I  do not fail the task on warnings      -j  also run the AJAX spider
#   -t  target URL                            -x  XML report   -r  HTML report
# The -z options are read by the auth hook; the credentials here are the values to replace.
sudo docker run --rm -v "$(pwd):/zap/wrk/:rw" -t ictu/zap2docker-weekly \
  zap-baseline.py -I -j -t http://192.168.1.7:3000 \
  -x OWASP-ZAP-Report.xml -r testreport.html \
  --hook=/zap/auth_hook.py \
  -z 'auth.loginurl=http://192.168.1.7:3000/#/login auth.email=[email protected] auth.password=Password'
```
Convert Result
The next step converts the result we got from ZAP; this is where the .xslt file from the build pipeline artifact is used.
Add the PowerShell code below into the script section. Make sure to give the proper artifact location for the .xslt file. In this case it is _OWASP-Test/OWASPToNUnit3Artifact, where _OWASP-Test is the artifact alias in the release pipeline and OWASPToNUnit3Artifact is the artifact name from the build pipeline.
```powershell
# The stylesheet comes from the build artifact attached to this release;
# the input XML is the report zap-baseline.py wrote in the previous task.
$XslPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/_OWASP-Test/OWASPToNUnit3Artifact/OWASPToNUnit3.xslt"
$XmlInputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/OWASP-ZAP-Report.xml"
$XmlOutputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/Converted-OWASP-ZAP-Report.xml"
# Apply the XSLT to turn the ZAP report into NUnit 3 test results
$XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
$XslTransform.Load($XslPath)
$XslTransform.Transform($XmlInputPath, $XmlOutputPath)
```
Publish Result
In this step we simply publish the result we got from OWASP ZAP.
Save the work, create a new release from the release pipeline and deploy it.
After the pipeline has run successfully, go to the Tests tab and check the result.
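For readers who prefer a YAML multi-stage pipeline over the classic release editor, the three steps above (run, convert, publish) can be expressed as a single YAML stage. This is an added example, not code from the original post: it assumes the build pipeline above is named OWASP-Test so that it can be referenced as a pipeline resource, that the login password is kept in a secret pipeline variable named ZAP_PASSWORD instead of being typed into the script, that the agent is a Linux self-hosted machine with Docker (hence pwsh for the conversion), and that the converted report is published as NUnit, which is what the OWASPToNUnit3.xslt name implies.

```yaml
# Added example, not from the original post: the Security Test release stage as YAML.
# Assumed names: pipeline resource alias/source OWASP-Test, secret variable ZAP_PASSWORD,
# placeholder login zapEmail, self-hosted pool named Self-hosted (as in the post).
trigger: none
pr: none

resources:
  pipelines:
  - pipeline: OWASP-Test        # alias: artifacts download to $(Pipeline.Workspace)/OWASP-Test
    source: OWASP-Test          # name of the build pipeline that published the XSLT (assumed)

variables:
  zapTarget: 'http://192.168.1.7:3000'   # Juice Shop host from the post
  zapEmail: 'user@example.com'           # placeholder account; ZAP_PASSWORD is a secret variable

stages:
- stage: SecurityTest
  displayName: 'Security Test'
  jobs:
  - job: Zap
    pool:
      name: Self-hosted
    steps:
    - download: OWASP-Test
      artifact: OWASPToNUnit3Artifact

    # Run Test: same zap-baseline.py invocation as the post, credentials taken from variables.
    # Secret variables are not exposed to scripts automatically; they are mapped via env.
    - bash: |
        sudo docker run --rm -v "$PWD:/zap/wrk/:rw" -t ictu/zap2docker-weekly \
          zap-baseline.py -I -j -t "$(zapTarget)" \
          -x OWASP-ZAP-Report.xml -r testreport.html \
          --hook=/zap/auth_hook.py \
          -z "auth.loginurl=$(zapTarget)/#/login auth.email=$(zapEmail) auth.password=$ZAP_PASSWORD"
      displayName: 'Run Test'
      env:
        ZAP_PASSWORD: $(ZAP_PASSWORD)

    # Convert Result: the same XslCompiledTransform script, reading the downloaded artifact
    - pwsh: |
        $XslPath = "$(Pipeline.Workspace)/OWASP-Test/OWASPToNUnit3Artifact/OWASPToNUnit3.xslt"
        $XmlInputPath = "$(System.DefaultWorkingDirectory)/OWASP-ZAP-Report.xml"
        $XmlOutputPath = "$(System.DefaultWorkingDirectory)/Converted-OWASP-ZAP-Report.xml"
        $XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
        $XslTransform.Load($XslPath)
        $XslTransform.Transform($XmlInputPath, $XmlOutputPath)
      displayName: 'Convert Result'
      condition: succeededOrFailed()   # still convert when the scan step reported failure

    # Publish Result: the converted NUnit file feeds the Tests tab of the run
    - task: PublishTestResults@2
      displayName: 'Publish Result'
      condition: succeededOrFailed()
      inputs:
        testResultsFormat: 'NUnit'
        testResultsFiles: 'Converted-OWASP-ZAP-Report.xml'
        searchFolder: '$(System.DefaultWorkingDirectory)'
        testRunTitle: 'OWASP ZAP baseline'
        failTaskOnFailedTests: true    # fail the stage if the converted report has failed cases
```

Two design points worth noting: the scan step passes the password through `env:` because Azure DevOps does not expose secret variables to scripts otherwise, and both later steps carry `condition: succeededOrFailed()` so that a scan that exits non-zero still gets its report converted and published; which ZAP alerts become failed test cases is decided by the XSLT, and `failTaskOnFailedTests` is what turns those into a failed stage.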
That's all for this post. If you found it helpful, please share it with your co-workers and friends. Leave your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!