[Owasp-leaders] Introducing community code to automate ZAP as part of a continuous delivery pipeline

Sherif Mansour sherif.mansour at owasp.org
Sat Oct 8 10:31:52 UTC 2016


Hey Everyone,

Over the summer I asked our intern to contribute to the OWASP ZAP Project.
We agreed to focus on automation so that developers can run ZAP as part of
their build tests.

The code and instructions can be found here:

https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration

FYI I strongly encourage my peers to leverage interns to contribute to
OWASP projects of their interest.
This will help you assess your intern, but also give them something fun,
open source, and knowing it will help the wider community will motivate
them as well.

I have added snapshots below to explain the approach we took, hope it helps.

*1) Here is a workflow diagram of what we were trying to achieve*
[image: Inline image 1]

*2) Once set up, you can run ZAP headless in a CI/CD pipeline with a command
like this:*

[image: Inline image 2]
*3) You could also set restrictions on which vulnerabilities to
fail/ignore/pass a build*
[image: Inline image 5]
*4) And you can add additional settings like pushing results into Jira
(bugtracker), the max duration a scan/spider should take, and login
credentials of the scanned webapps.*
[image: Inline image 6]
*5) Here is what a report looks like in Jira (note if the webapp passes the
test, the Jira ticket will be created and automatically be closed as well).*

[image: Inline image 3]

Kind regards
Sherif Mansour
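The build-gating step from points 2 and 3 above, as an added example (not code from the post or from the community-scripts project): it takes the alert list that ZAP's `core/view/alerts` API returns and applies a fail/ignore/pass policy, first by alert name and then by a risk threshold, exiting non-zero so the CI job fails. The sample alerts, the alert names in the policy, and the ZAP URL/API key parameters are constructed assumptions.

```python
import json
import urllib.parse
import urllib.request

# Risk strings as ZAP reports them, ordered so a threshold can be compared.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Policy (constructed for this example): an explicit per-alert action wins;
# any other alert at or above fail_at_risk fails the build.
POLICY = {
    "alerts": {
        "X-Frame-Options Header Not Set": "ignore",  # accepted risk, tracked elsewhere
        "SQL Injection": "fail",
        "Cookie No HttpOnly Flag": "pass",           # report it, never block on it
    },
    "fail_at_risk": "Medium",
}


def fetch_alerts(zap_url, api_key, target):
    """Pull alerts for `target` from a running ZAP daemon (assumed at zap_url)."""
    q = urllib.parse.urlencode({"baseurl": target, "start": 0, "count": 0, "apikey": api_key})
    with urllib.request.urlopen(f"{zap_url}/JSON/core/view/alerts/?{q}") as resp:
        return json.load(resp)["alerts"]


def evaluate(alerts, policy):
    """Return (passed, failing_alerts, ignored_alerts) for ZAP alert dicts."""
    threshold = RISK_ORDER[policy["fail_at_risk"]]
    failing, ignored = [], []
    for a in alerts:
        action = policy["alerts"].get(a["alert"])  # None -> fall back to risk threshold
        if action == "ignore":
            ignored.append(a)
        elif action == "fail" or (action is None and RISK_ORDER.get(a["risk"], 0) >= threshold):
            failing.append(a)
    return (not failing, failing, ignored)


# Constructed sample in the shape ZAP's core/view/alerts returns.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "url": "http://app.test/login", "confidence": "Medium"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://app.test/", "confidence": "Medium"},
    {"alert": "Cookie No HttpOnly Flag", "risk": "Low", "url": "http://app.test/", "confidence": "Medium"},
    {"alert": "Server Leaks Version Information", "risk": "Low", "url": "http://app.test/", "confidence": "High"},
]

if __name__ == "__main__":
    ok, failing, ignored = evaluate(SAMPLE_ALERTS, POLICY)
    for a in failing:
        print(f"FAIL {a['risk']:<6} {a['alert']} at {a['url']}")
    raise SystemExit(0 if ok else 1)  # non-zero exit code fails the pipeline stage
```

Replace `SAMPLE_ALERTS` with `fetch_alerts(...)` once a spider and active scan have finished against the target.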