OWASP Zed Attack Proxy in a CI Pipeline - saviovettoor/DevOps-wiki GitHub Wiki

ZAP Proxy in a CI Pipeline

First, let's pull the Docker image for ZAP:

docker pull owasp/zap2docker-weekly

Run the baseline scan against a local HTTP server, for example one running on port 8000 (adjust the -t URL to match your service). Keep in mind that localhost inside the container is the container itself, not the host: a service listening on the host must be reached through the host's address, or by starting the container with --network host on Linux.

docker run -d -v /opt:/zap/wrk/:rw owasp/zap2docker-weekly zap-baseline.py -c baseline-scan.conf -t http://localhost:8080 -r baseline-scan-report.html

Use -g instead of -c to generate the configuration file with every rule's alert level set to WARN; edit that file to raise individual rules to FAIL (or IGNORE) before passing it back with -c. Note that -d runs the container detached, so the pipeline never sees the scan's exit code (0 = pass, 1 = at least one FAIL, 2 = WARNs only, 3 = scan error); drop -d when the scan is meant to gate the build.

API scan against the local server running on 8080, using its OpenAPI/Swagger definition:

docker run -v /opt:/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -c api-scan.conf -t http://localhost:8080/swagger.json -f openapi -r api-scan-report.html
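The steps above as a single CI gate script. This is an added example, not part of the original wiki page or of the ZAP project; it assumes a Linux runner with Docker, a target that listens on the host (hence --network host), and /opt as the work directory mounted at /zap/wrk as in the commands above. The config-file helper assumes the tab-separated "id, level, (name)" layout that -g produces.

```shell
#!/usr/bin/env bash
# Added example: run the ZAP baseline scan as a CI gate and act on its exit code.
# Assumptions: Linux CI runner with Docker, target reachable on the host network,
# /opt mounted as /zap/wrk (as on this page). Not the ZAP project's own script.
set -eu

ZAP_IMAGE="owasp/zap2docker-weekly"
WORK_DIR="${WORK_DIR:-/opt}"

# zap-baseline.py exit codes: 0 = no FAIL/WARN, 1 = at least one FAIL,
# 2 = WARNs only, 3 = scan could not run (e.g. target unreachable).
zap_verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "fail" ;;
    2) echo "warn" ;;
    *) echo "error" ;;
  esac
}

# Promote one rule id from WARN to FAIL in a generated config file
# (lines are "<id>\t<level>\t(<name>)"). Usage: promote_rule <file> <id>
promote_rule() {
  awk -v id="$2" 'BEGIN{FS=OFS="\t"} $1==id && $2=="WARN" {$2="FAIL"} {print}' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Run the baseline scan in the foreground (no -d), so the pipeline sees the
# scanner's exit code. Prints the verdict; the HTML report lands in WORK_DIR.
run_baseline() {
  local target="$1" conf="baseline-scan.conf" rc=0
  # First run with -g to generate the config (all rules WARN) if it is absent.
  [ -f "$WORK_DIR/$conf" ] || docker run --rm --network host -v "$WORK_DIR:/zap/wrk/:rw" \
      "$ZAP_IMAGE" zap-baseline.py -t "$target" -g "$conf" || true
  docker run --rm --network host -v "$WORK_DIR:/zap/wrk/:rw" "$ZAP_IMAGE" \
      zap-baseline.py -c "$conf" -t "$target" -r baseline-scan-report.html || rc=$?
  zap_verdict "$rc"
}

# Only scan when a target is given, so sourcing this file has no side effects.
if [ -n "${ZAP_TARGET:-}" ]; then
  verdict="$(run_baseline "$ZAP_TARGET")"
  echo "ZAP baseline verdict: $verdict (report: $WORK_DIR/baseline-scan-report.html)"
  # Fail the build on FAIL-level alerts or on a scan error; WARNs are reported only.
  [ "$verdict" = "pass" ] || [ "$verdict" = "warn" ] || exit 1
fi
```

Invoke it as ZAP_TARGET=http://localhost:8080 ./zap-gate.sh from the pipeline step; promote_rule baseline-scan.conf 10016 turns a WARN-only rule into a build-breaking FAIL.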
