Hi everyone, welcome to pentestguy. In this post, we are going to discuss the ZAP Automation Framework in CI/CD, specifically how to implement the ZAP Automation Framework in your CI/CD pipeline to enhance security testing and streamline the integration process.
ZAP Automation Framework?
ZAP Automation Framework is an extension of the ZAP tool. It enhances ZAP’s capabilities by providing features for automating security tests, integrating with development pipelines, and customizing scans through scripts.
ZAP Automation Framework Locally
To get a feel for it, try the ZAP Automation Framework locally by following the step-by-step guide below.
For this demonstration, we are going to use the ZAP-APIScan-AutomationFramework repo created by Jaishree Patidar, and big thanks to her for creating such an awesome resource where anyone can easily understand and implement the ZAP Automation Framework.
Clone/Download the repository first.
git clone https://github.com/patidar-jaishree/ZAP-APIScan-AutomationFramework.git
Run the following command to start the scan, and make sure that the Docker engine is running on your system.
docker run -v ${PWD}:/zap/wrk/:rw -t softwaresecurityproject/zap-stable bash -c "zap.sh -cmd -addoninstall ascanrules -addoninstall openapi; zap.sh -cmd -autorun /zap/wrk/plans/plan.yaml"
After the scan completes you can view the report. But how do you scan the target you want? The answer is the plan.yaml file. This YAML file contains the custom settings and commands that we pass to ZAP, and ZAP executes the scan accordingly. You can check the plan.yaml file in the repository.
ZAP Automation Framework in Pipeline
Use the code below for demonstration/reference purposes.
trigger:
- main

pool:
  name: Self-hosted

steps:
- task: Docker@2
  displayName: 'Run OWASP Juice Shop container'
  inputs:
    command: 'run'
    arguments: '--network zap_network --name juice-shop -d -p 3000:3000 bkimminich/juice-shop'

- task: Docker@2
  displayName: 'Run ZAP container'
  inputs:
    command: 'run'
    arguments: '--network zap_network -v $(System.DefaultWorkingDirectory):/zap/wrk/:rw --name zap-container softwaresecurityproject/zap-stable bash -c "zap.sh -cmd -autorun /zap/wrk/plans/owasp_juiceshop_plan_docker_with_auth.yaml"'

- task: PublishPipelineArtifact@1
  displayName: 'Publish ZAP Report as Pipeline Artifact'
  inputs:
    targetPath: '$(System.DefaultWorkingDirectory)/reports'
    artifactName: 'ZAPReport'
    publishLocation: 'pipeline'

- task: Docker@2
  displayName: 'Remove Juice Shop container'
  inputs:
    command: 'rm'
    arguments: '--force juice-shop'

- task: Docker@2
  displayName: 'Remove ZAP container'
  inputs:
    command: 'rm'
    arguments: '--force zap-container'
The task below, taken from the pipeline above, is the one that actually performs the scan. Customize it according to your pipeline; you can also add more tasks to publish the reports, for example as NUnit test results or as pipeline artifacts.
- task: Docker@2
  displayName: 'Run ZAP container'
  inputs:
    command: 'run'
    arguments: '--network zap_network -v $(System.DefaultWorkingDirectory):/zap/wrk/:rw --name zap-container softwaresecurityproject/zap-stable bash -c "zap.sh -cmd -autorun /zap/wrk/plans/owasp_juiceshop_plan_docker_with_auth.yaml"'
Check whether it executed without any errors.
Check the published artifact and analyze the results.
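Once the report is published, most teams also want the pipeline to fail on serious findings instead of only attaching the artifact. The script below is an added example, not code from the post or from the referenced repository: it reads a report written by the plan's report job using ZAP's traditional-json template (the field layout in the embedded sample is assumed from that template, and the sample report itself is constructed, not a real scan result) and returns a pass/fail verdict plus a per-risk summary that a final pipeline step can act on.

```python
"""Gate a CI run on a ZAP traditional-json report (added example, not from the post)."""
import json
import sys
from collections import Counter
from typing import Tuple

# Risk codes as used in ZAP's traditional-json report (assumed layout): 0 info .. 3 high.
RISK_NAMES = {"0": "informational", "1": "low", "2": "medium", "3": "high"}

# Constructed sample in the shape of a traditional-json report; not a real scan result.
SAMPLE_REPORT = json.dumps({
    "@version": "2.x",
    "site": [{
        "@name": "http://juice-shop:3000",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "instances": [{"uri": "http://juice-shop:3000/"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "instances": [{"uri": "http://juice-shop:3000/"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "instances": [{"uri": "http://juice-shop:3000/"}]},
        ],
    }],
})


def count_alerts_by_risk(report_text: str) -> Counter:
    """Count alerts per risk level across every site in the report."""
    counts: Counter = Counter()
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            counts[RISK_NAMES.get(str(alert.get("riskcode")), "unknown")] += 1
    return counts


def gate(report_text: str, max_high: int = 0, max_medium: int = 5) -> Tuple[bool, str]:
    """Return (passed, summary); passed is False when a threshold is exceeded."""
    counts = count_alerts_by_risk(report_text)
    summary = ", ".join(f"{lvl}={counts.get(lvl, 0)}"
                        for lvl in ("high", "medium", "low", "informational"))
    passed = counts.get("high", 0) <= max_high and counts.get("medium", 0) <= max_medium
    return passed, summary


if __name__ == "__main__":
    # Usage: python zap_gate.py reports/zap-report.json (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, summary = gate(text)
    print(("PASS" if ok else "FAIL") + ": " + summary)
    sys.exit(0 if ok else 1)
```

Run it as a script step after the ZAP task and before the cleanup tasks; the non-zero exit code fails the job while the artifact is still published for review.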
That’s all about this post. Please share this post with your co-workers and friends if you found it helpful. Please provide your valuable comments and let us know if you have any suggestions. Now you can also collaborate with us please check our collaboration page, thank you!