Skip to main content

ZAP Advanced

zap logo

License Apache-2.0GitHub release (latest SemVer)OWASP Incubator ProjectArtifact HUBGitHub Repo starsTwitter Follower

What is OWASP ZAP?#

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.

To learn more about the ZAP scanner itself visit https://www.zaproxy.org/.

Deployment#

The zap-advanced chart can be deployed via helm:

# Install HelmChart (use -n to configure another namespace)helm upgrade --install zap-advanced secureCodeBox/zap-advanced

Scanner Configuration#

Listed below are the arguments supported by the zap-advanced-scan script.

The command line interface can be used to easily run server scans: -t www.example.com

usage: zap-client [-h] -z ZAP_URL [-a API_KEY] [-c CONFIG_FOLDER] -t TARGET [-o OUTPUT_FOLDER] [-r {XML,JSON,HTML,MD}]
OWASP secureCodeBox OWASP ZAP Client  (can be used to automate OWASP ZAP instances based on YAML configuration files.)
optional arguments:  -h, --help            show this help message and exit  -z ZAP_URL, --zap-url ZAP_URL                        The ZAP API Url used to call the ZAP API.  -a API_KEY, --api-key API_KEY                        The ZAP API Key used to call the ZAP API.  -c CONFIG_FOLDER, --config-folder CONFIG_FOLDER                        The path to a local folder containing the additional ZAP configuration YAMLs used to configure OWASP ZAP.  -t TARGET, --target TARGET                        The target to scan with OWASP ZAP.  -o OUTPUT_FOLDER, --output-folder OUTPUT_FOLDER                        The path to a local folder used to store the output files, eg. the ZAP Report or logfiles.  -r {XML,JSON,HTML,MD}, --report-type {XML,JSON,HTML,MD}                        The OWASP ZAP Report Type.

Requirements#

Kubernetes: >=v1.11.0-0

Additional Chart Configurations#

By default, the secureCodeBox ZAP Helm Chart installs the scanType zap-advanced-scan along with a minimal default configuration based on the HelmChart value zapConfiguration. The configuration will be stored in a dedicate scanType specific configMap named zap-advanced-scantype-config. Feel free to use the configMap or even the HelmChart values to adjust the advanced ZAP configuration settings according to your needs. Details about the different configuration options can be found below.

Additionally, there will be some ZAP Scripts included, these are stored in the corresponding configMaps zap-scripts-authentication and zap-scripts-session. Scripts can be used to implement a specific behavior or even new authentication patterns, which are not supported by ZAP out of the box. Feel free to add additional scripts in your own, if you need them.

                                                                                            β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                                                    β”‚A YAML configuration file for ZAP that  β”‚β”‚This CM contains ZAP authentication   β”‚                                                    β”‚relates to the scanType directly.       β”‚β”‚scripts that are already included     β”‚                                                    β”‚- will be used for all scans by default β”‚β”‚within the zap-advanced scanner.      β”‚                                                    β”‚- can be configured via Helm Values:    β”‚β”‚Feel free to add your own.            │────────┐     β”Œ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐   β”Œβ”€β”€β”€β”€β”€β”€β”€β”‚  zapConfiguration                      β”‚β”‚                                      β”‚        β”‚                                   β”‚       β”‚- add your baseline config here         β”‚β”‚ConfigMap: zap-scripts-authentication β”‚        β”‚     β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚   β”‚       β”‚                                        β”‚β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜        β”‚        β”‚                   β”‚      β”‚       β”‚ConfigMap: zap-advanced-scantype-config β”‚                                                β”‚     β”‚  β”‚  ZAP Client       β”‚  β”‚   β”‚       β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜               All scripts are mounted as files β”‚        β”‚  Python3 Module   │◀──────                                                        directly into the ZAP container. To use β”‚     β”‚  β”‚                   β”‚  β”‚   β”‚  All referenced YAML files will be merged into         them add a corresponding script section β”‚        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜      β”‚  one single YAML configuration. The merged one                            in your config YAML. β”‚     β”‚            β”‚            β”‚   β”‚  will be used to configure the ZAP instance.                                                   β”‚              uses API             β”‚                                                β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”        β”‚     β”‚            β”‚            β”‚   β”‚       β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”β”‚This CM contains ZAP session          β”‚        β”‚                  β–Ό                β”‚       β”‚A YAML configuration for ZAP that       β”‚β”‚scripts that are already included     β”‚        β”‚     β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚   β”‚       β”‚relates to a single scan execution.     β”‚β”‚within the zap-advanced scanner.      β”‚        β”‚        β”‚                   β”‚      β”‚       β”‚- can by used for selected scans        β”‚β”‚Feel free to add your own.            │────────┼─────┼─▢│  OWASP ZAP Proxy  β”‚  β”‚   β”‚       β”‚- not created by default                β”‚β”‚                                      β”‚        β”‚        β”‚                   β”‚      └───────│- add your scan target specific config  β”‚β”‚ConfigMap: zap-scripts-session        β”‚        β”‚     β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚           β”‚- needs to be referenced in Scan        β”‚β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜        β”‚                                           β”‚- please use SecretMap for credentials! β”‚β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”        β”‚     β”‚  secureCodeBox scanner  β”‚           β”‚                                        β”‚β”‚Feel free to add your own scripts :)  β”‚        β”‚        scanType: zap-advanced             β”‚ConfigMap: zap-advanced-scan-config     β”‚β”‚                                      β”‚β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β”” ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ β”˜           β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜β”‚ConfigMap: zap-scripts-your-name      β”‚                                                                                             β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                                                                                             

The following picture outlines the reference concept of the ZAP YAML configuration zapConfiguration. If you want to configure an api scan, spider or active 'scanyou must at least add onecontextitem with anameandurlconfigured. The contexturlmust match the target url used in theScan` execution:

spec:  scanType: "zap-advanced-scan"  parameters:    # target URL must match with `context.url` to identify the corresponding configurations.    - "-t"    - "http://bodgeit.default.svc:8080/bodgeit/"

If you want to configure the api scan, spider or active 'scansection it is mandatory to add thecontext: reference the section. Otherwise it is not possible to identify which configuration must be used for a scan. Theurlin theapi,spider or active 'scan section can be different to the context.url (and scan target url).

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”β”‚      ZAP Configuration YAML - reference by "context name"      β”‚β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                                                                                                                      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”            β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                 β”‚ Context        β”‚            β”‚ Context        β”‚                 β”‚  - name:  ABC  │◀───┬─┬─┐   β”‚  - name:  XYZ  │◀───┬─┬─┐        β”‚    url:   ...  β”‚    β”‚ β”‚ β”‚   β”‚    url:   ...  β”‚    β”‚ β”‚ β”‚        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚ β”‚ β”‚   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚ β”‚ β”‚         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚ β”‚    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚ β”‚         β”‚ API:            β”‚  β”‚ β”‚ β”‚    β”‚ API:            β”‚  β”‚ β”‚ β”‚         β”‚  - context: ABC β”‚β”€β”€β”˜ β”‚ β”‚    β”‚  - context: XYZ β”‚β”€β”€β”˜ β”‚ β”‚         β”‚  - ...          β”‚    β”‚ β”‚    β”‚  - ...          β”‚    β”‚ β”‚         β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚ β”‚    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚ β”‚           β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚           β”‚ Spider:         β”‚  β”‚ β”‚      β”‚ Spider:         β”‚  β”‚ β”‚           β”‚  - context: ABC β”‚β”€β”€β”˜ β”‚      β”‚  - context: XYZ β”‚β”€β”€β”˜ β”‚           β”‚  - ...          β”‚    β”‚      β”‚  - ...          β”‚    β”‚           β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚      β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚             β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚             β”‚ Scanner:        β”‚  β”‚        β”‚ Scanner:        β”‚  β”‚             β”‚  - context: ABC β”‚β”€β”€β”˜        β”‚  - context: XYZ β”‚β”€β”€β”˜             β”‚  - ...          β”‚           β”‚  - ...          β”‚                β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜           β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜           

ZAP Configuration#

The following YAMl gives you an overview about all the different configuration options you have to configure the ZAP advanced scan. Please have a look into our ./examples/... to find some working examples. We provide a list of working examples to scan our demo-targets with the zap-advanced-scan.

note

The YAML format is based on the new ZAP Automation Framework but not exactly the same. The ZAP Automation Framework is a new approach of the ZAP Team to ease up the automation possibilities of the ZAP scanner itself. Since this ZAP Automation Framework is not ready yet we are not using it for now. We track the progress in this issue #321 for the future.

The ZAP Automation format represents a more "imperative" semantic, due to the fact that you have to configure sequences of "jobs" containing the steps to configure and automate ZAP. In contrast to that has the secureCodeBox zap-advanced YAML format zapConfiguration a "declarative" semantic. The similarity of both YAML formats can help to migrate to the ZAP Automation Framework.

zapConfiguration:  # -- Optional general ZAP Configurations settings.  global:    # -- The ZAP internal Session name. Default: secureCodeBox    sessionName: secureCodeBox    # -- Updates all installed ZAP AddOns on startup if true, otherwise false.    addonUpdate: true    # -- Installs additional ZAP AddOns on startup, listed by their name:    addonInstall:      - pscanrulesBeta      - ascanrulesBeta      - pscanrulesAlpha      - ascanrulesAlpha    # -- An optional list of global regexes to include    includePaths:      - "https://example.com/.*"    # -- An optional list of global regexes to exclude    excludePaths:      # - "https://example.com/authserver/v1/.*"      - ".*\\.js"      - ".*\\.css"      - ".*\\.png"      - ".*\\.jpeg"    # -- Configures a proxy for ZAP to tunnel the traffic somewhere else    proxy:      # -- Define if an outgoing proxy server is used.      enabled: false      # -- The proxy port to use      port: 8080      # -- MANDATORY only if useProxyChain is True, ignored otherwise. Outgoing proxy address and port      address: my.corp.proxy      # -- Define the addresses to skip in case useProxyChain is True. Ignored otherwise. List can be empty.      skipProxyAddresses:        - "127.0.0.1"        - localhost      # -- MANDATORY only if proxy.enabled is True. Ignored otherwise. Define if proxy server needs authentication      authentication:          enabled: false          proxyUsername: ""          proxyPassword: ""          proxyRealm: ""    # -- Configures existings ZAP Scripts or add new ZAP Scripts. For example can be used if a proxy script must be loaded. Proxy scripts are executed for every request traversing ZAP    scripts:      - name: "Alert_on_HTTP_Response_Code_Errors.js"        # -- True if the script must be enabled, false otherwise        enabled: false        # -- The complete filepath (inside the ZAP Container!) to the script file.        filePath: "/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_HTTP_Response_Code_Errors.js"        # -- The script engine. Possible values are: 'Graal.js', 'Oracle Nashorn' for Javascript and 'Mozilla Zest' for Zest Scripts        engine: "Oracle Nashorn"        # -- The type of script engine used. Possible values are: 'httpsender', 'authentication', 'session', 'proxy', ...        type: "httpsender"        # -- A short description for the script.        description: "A HTTP Sender Script which will raise alerts based on HTTP Response codes."      - name: "Alert_on_Unexpected_Content_Types.js"        # -- True if the script must be enabled, false otherwise        enabled: false        # -- The complete filepath (inside the ZAP Container!) to the script file.        filePath: "/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_Unexpected_Content_Types.js"        # -- The type of script engine used. Possible values are: 'Graal.js', 'Oracle Nashorn' for Javascript and 'Mozilla Zest' for Zest Scripts        engine: "Oracle Nashorn"        # -- The type of the script. Possible values are: 'httpsender', 'authentication', 'session', 'proxy', ...        type: "httpsender"        # -- A short description for the script.        description: "A HTTP Sender Script which will raise alerts based on unexpected Content-Types."
  # -- Optional list of ZAP Context definitions  contexts:    # -- Name to be used to refer to this context in other jobs, mandatory    - name: scbcontext      # -- The top level URL      url: https://example.com/      # -- An optional list of regexes to include in the ZAP context      includePaths:        - "https://example.com/.*"      #  -- An optional list of regexes to exclude in the ZAP context      excludePaths:        # - "https://example.com/authserver/v1/.*"        - ".*\\.js"        - ".*\\.css"        - ".*\\.png"        - ".*\\.jpeg"      # -- Optional technology list      technology:        # -- By default all technologies are enabed for each context by ZAP. You can use the following config to change that explicitly.        included:          - Db.CouchDB          - Db.Firebird          - Db.HypersonicSQL          - Language.ASP          - OS        # -- By default all technologies are enabed for each context by ZAP. You can use the following config to change that explicitly.        excluded:         - SCM      # -- Authentication Configuration that can be uses by ZAP Spider and/or Scanner. You need to reference the `context` name in the corresponding `zapConfiguration.spiders[0].context` and `zapConfiguration.scanners[0].context` section if you want to use them.      authentication:        # -- Currently supports "basic-auth", "form-based", "json-based", "script-based"        type: "script-based"        # -- Optional, only mandatory if zapConfiguration.contexts[0].authentication.type: "script-based". More ZAP details about 'script based' authentication can be found here: https://www.zaproxy.org/docs/api/#script-based-authentication.        script-based:          # -- The name of the authentication script          name: scb-oidc-password-grand-type.js          # -- Enables the script if true, otherwise false          enabled: true          # -- The type of script engine used. Possible values are: 'Graal.js', 'Oracle Nashorn' for Javascript and 'Mozilla Zest' for Zest Scripts          engine: "Oracle Nashorn"          # -- Must be a full path to the script file inside the ZAP container (corresponding to the configMap FileMount)          filePath: "/home/zap/.ZAP_D/scripts/scripts/authentication/scb-oidc-password-grand-type.js"          # -- A short description for the script.          description: "This is a description for the SCB OIDC Script."          # -- Optional list of all script arguments needed to be passed to the script.          arguments:            sub: "secureCodeBox@iteratec.com"            email: "secureCodeBox@teratec.com"            exp: "1609459140"        # -- Optional, only mandatory if zapConfiguration.contexts[0].authentication.type: "basic-auth". More ZAP details about 'basic auth' based authentication can be found here: https://www.zaproxy.org/docs/api/?python#general-steps.        basic-auth:          # -- The hostname that must be for the basic authentication          hostname: "https://example.com/"          # -- The realm that must be for the basic authentication          realm: "Realm"          # -- The port that must be for the basic authentication          port: 8080        # -- Optional, only mandatory if zapConfiguration.contexts[0].authentication.type: "form-based". More ZAP details about 'form-based' based authentication can be found here: https://www.zaproxy.org/docs/api/#form-based-authentication.        form-based:          # -- The URL to the login form that must be used          loginUrl: "http://localhost:8090/bodgeit/login.jsp"          # -- The mapping of username and password to HTTP post parameters. Hint: the value must be escaped already to prevent YAML parser colidations. Example the intended value 'username={%username%}&password={%password%}' must be ''username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D.          loginRequestData: "username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D"        # -- Optional, only mandatory if zapConfiguration.contexts[0].authentication.type: "json-based". More ZAP details about 'json-based' based authentication can be found here: https://www.zaproxy.org/docs/api/#json-based-authentication.        json-based:          loginUrl: "http://localhost:3000/rest/user/login"          # must be escaped already to prevent yaml parser colidations '{"user":{"id":1,"email":"test@test.com"}}''          loginRequestData: '{"user":{"id":1,"email":"test@test.com"}}'        # -- Indicates if the current Zap User Session is based on a valid authentication (loggedIn) or not (loggedOut)        verification:          # -- The optional ZAP indiator string for loggedIn Users          isLoggedInIndicator: ""          # -- The optional ZAP indiator string for loggedOut Users          isLoggedOutIndicator: ""      # -- A list of users with credentials which can be referenced by spider or scanner configurations to run them authenticated (you have to configure the authentiation settings). Hint: you can use secretMaps to seperate credentails.      users:        # -- The name of this user configuration        - name: test-user-1          # -- The username used to authenticate this user          username: user1          # -- The password used to authenticate this user          password: password1          # -- Optional, could be set to True only once in the users list. If not defined the first user in the list will be forced by default.          forced: true        # -- The name of this user configuration        - name: test-user-2          # -- The username used to authenticate this user          username: user2          # -- The password used to authenticate this user          password: password2      # -- The optional ZAP session configuration      session:        # -- The ZAP Session type indicates how Zap identifies sessions. Currently supports the following types: "scriptBasedSessionManagement", "cookieBasedSessionManagement", "httpAuthSessionManagement"        type: "scriptBasedSessionManagement"        # -- Optional, only mandatory if zapConfiguration.contexts[0].session.type: "scriptBasedSessionManagement". Additional configrations for the session type "scriptBasedSessionManagement"        scriptBasedSessionManagement:          # -- The name of the session script to be used.          name: "juiceshop-session-management.js"          # -- Enables the script if true, otherwise false          enabled: true          # -- The type of script engine used. Possible values are: 'Graal.js', 'Oracle Nashorn' for Javascript and 'Mozilla Zest' for Zest Scripts          engine: "Oracle Nashorn"          # --  Must be a full path to the script file inside the ZAP container (corresponding to the configMap FileMount)          fileName: "/home/zap/.ZAP_D/scripts/scripts/session/juiceshop-session-management.js"          # --  An optional description used for the script.          description: "This is a JuiceShop specific SessionManagement Script used to handle JWT."   # -- Optional list of ZAP OpenAPI configurations  apis:    # -- The name of the api configuration    - name: scb-petstore-api      # -- The Name of the context (zapConfiguration.contexts[x].name) to reference, default: the first context available      context: scb-petstore-context      # -- The used format of the API. Possible values are: 'openapi', 'grapql', 'soap'      format: openapi      # -- Url to start importing the API from, default: first context URL      url: http://localhost:8000/v2/swagger.json      # -- Optional: Override host setting in the API (e.g. swagger.json) if your API is using some kind of internal routing.      hostOverride: http://localhost:8000      # -- Optional: Assumes that the API Spec has been saved to a configmap in the namespace of the scan / this release. Should be null if not used.      configMap:        # Object with two keys: "name" name of the config map, and "key" which is the key / property in the configmap which holds the openapi spec file.        name: my-configmap-with-openapi-spec        key: openapi.yaml      # -- Allows to embed the entire yaml / json API spec in the values (e.g. OpenAPI YAML spec). Should be null if not used.      spec: null      # -- Configures existings ZAP Scripts or add new ZAP Scripts. For example can be used if a proxy script must be loaded. Proxy scripts are executed for every request traversing ZAP      scripts:        - name: "Alert_on_HTTP_Response_Code_Errors.js"          # -- True if the script must be enabled, false otherwise          enabled: true        - name: "Alert_on_Unexpected_Content_Types.js"          # -- True if the script must be enabled, false otherwise          enabled: true
  # -- Optional list of ZAP Spider configurations  spiders:      # -- String: The name of the spider configuration    - name: scbspider      # -- String: The Name of the context (zapConfiguration.contexts[x].name) to spider, default: first context available      context: scbcontext      # -- String: The Name of the user (zapConfiguration.contexts[0].users[0].name) used to authenticate the spider with      user: "test-user-1"      # -- String: Url to start spidering from, default: first context URL      url: https://example.com/      # -- Bool: Whether to use the ZAP ajax spider, default: false      ajax: false      # -- Int: Fail if spider finds less than the specified number of URLs, default: 0      failIfFoundUrlsLessThan: 0      # -- Int: Warn if spider finds less than the specified number of URLs, default: 0      warnIfFoundUrlsLessThan: 0      # -- Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited      maxDuration: 0      # -- Int: The maximum tree depth to explore, default 5      maxDepth: 5      # -- Int: The maximum number of children to add to each node in the tree                          maxChildren: 10      # -- Bool: Whether the spider will accept cookies, default: true      acceptCookies: true      # -- Bool: Whether the spider will handle OData responses, default: false      handleODataParametersVisited: false      # -- Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all      handleParameters: use_all      # -- Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb      maxParseSizeBytes: 2621440      # -- Bool: Whether the spider will parse HTML comments in order to find URLs, default: true      parseComments: true      # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false      parseGit: false      # -- Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true      parseRobotsTxt: true      # -- Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true      parseSitemapXml: true      # -- Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false      parseSVNEntries: false      # -- Bool: Whether the spider will submit POST forms, default: true      postForm: true      # -- Bool: Whether the spider will process forms, default: true      processForm: true      # -- Int: The time between the requests sent to a server in milliseconds, default: 200      requestWaitTime: 200      # -- Bool: Whether the spider will send the referer header, default: true      sendRefererHeader: true      # -- Int: The number of spider threads, default: 2                  threadCount: 2      # -- String: The user agent to use in requests, default: '' - use the default ZAP one                    userAgent: "secureCodeBox / ZAP Spider"      # -- Configures existings ZAP Scripts or add new ZAP Scripts. For example can be used if a proxy script must be loaded. Proxy scripts are executed for every request traversing ZAP      scripts: {}   # -- Optional list of ZAP Active Scanner configurations  scanners:      # -- String: Name of the context to attack, default: first context    - name: scbscan      # -- String: Name of the context to attack, default: first context      context: scbcontext      # -- String: Url to start scaning from, default: first context URL      url: https://example.com/      # -- String: The name of the default scan policy to use, default: Default Policy      defaultPolicy: "Default Policy"      # -- String: Name of the scan policy to be used, default: Default Policy      policy: "Default Policy"      # -- Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited      maxRuleDurationInMins: 0      # -- Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited               maxScanDurationInMins: 0      # -- Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0      delayInMs: 0      # -- Bool: If set will add an extra query parameter to requests that do not have one, default: false      addQueryParam: false      # -- Bool: If set then automatically handle anti CSRF tokens, default: false      handleAntiCSRFTokens: false      # -- Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false                injectPluginIdInHeader: false      # -- Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false      scanHeadersAllRequests: false      # -- Int: The max number of threads per host, default: 2      threadPerHost: 2      # -- The policy definition, only used if the 'policy' is not set - NOT YET IMPLEMENTED      policyDefinition:        # -- String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium        defaultStrength: Medium        # -- String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium        defaultThreshold: Medium        # -- A list of one or more active scan rules and associated settings which override the defaults        rules:          # -- Int: The rule id as per https://www.zaproxy.org/docs/alerts/        - id: 10106          # -- The name of the rule for documentation purposes - this is not required or actually used          name: "rule"          # -- String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium          strength: Medium          # -- String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium          threshold: Low      # -- Configures existings ZAP Scripts or add new ZAP Scripts. For example can be used if a proxy script must be loaded. Proxy scripts are executed for every request traversing ZAP      scripts: {}

Values#

KeyTypeDefaultDescription
cascadingRules.enabledbooltrueEnables or disables the installation of the default cascading rules for this scanner
parser.envlist[]Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
parser.image.pullPolicystring"IfNotPresent"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
parser.image.repositorystring"docker.io/securecodebox/parser-zap"Parser image repository
parser.image.tagstringdefaults to the charts versionParser image tag
parser.ttlSecondsAfterFinishedstringnilseconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
scanner.activeDeadlineSecondsstringnilThere are situations where you want to fail a scan Job after some amount of time. To do so, set activeDeadlineSeconds to define an active deadline (in seconds) when considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#job-termination-and-cleanup)
scanner.backoffLimitint3There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
scanner.envlist[]Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
scanner.envFromlist[]Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
scanner.extraContainerslist[]Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
scanner.extraVolumeMountslist[{"mountPath":"/home/securecodebox/configs/1-zap-advanced-scantype.yaml","name":"zap-advanced-scantype-config","readOnly":true,"subPath":"1-zap-advanced-scantype.yaml"}]Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.extraVolumeslist[{"configMap":{"name":"zap-advanced-scantype-config"},"name":"zap-advanced-scantype-config"},{"configMap":{"name":"zap-scripts-authentication"},"name":"zap-scripts-authentication"},{"configMap":{"name":"zap-scripts-session"},"name":"zap-scripts-session"}]Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.image.pullPolicystring"IfNotPresent"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
scanner.image.repositorystring"docker.io/securecodebox/scanner-zap-advanced"Container Image to run the scan
scanner.image.tagstringnildefaults to the charts version
scanner.nameAppendstringnilappend a string to the default scantype name.
scanner.resourcesobject{}CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
scanner.securityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scanner.securityContext.allowPrivilegeEscalationboolfalseEnsure that users privileges cannot be escalated
scanner.securityContext.capabilities.drop[0]string"all"This drops all linux privileges from the container.
scanner.securityContext.privilegedboolfalseEnsures that the scanner container is not run in privileged mode
scanner.securityContext.readOnlyRootFilesystemboolfalsePrevents write access to the containers file system
scanner.securityContext.runAsNonRootboolfalseEnforces that the scanner image is run as a non root user
scanner.ttlSecondsAfterFinishedstringnilseconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
zapConfigurationobject{"global":{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}}All scanType specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options.
zapConfiguration.globalobject{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}Optional general ZAP Configurations settings.
zapConfiguration.global.addonInstalllist["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"]Installs additional ZAP AddOns on startup, listed by their name:
zapConfiguration.global.addonUpdatebooltrueUpdates all installed ZAP AddOns on startup if true, otherwise false.
zapConfiguration.global.sessionNamestring"secureCodeBox"The ZAP internal Session name. Default: secureCodeBox
zapContainer.envlist[]Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
zapContainer.envFromlist[]Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
zapContainer.extraVolumeMountslist[{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/authentication/","name":"zap-scripts-authentication","readOnly":true},{"mountPath":"/home/zap/.ZAP_D/scripts/scripts/session/","name":"zap-scripts-session","readOnly":true}]Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
zapContainer.image.pullPolicystring"IfNotPresent"Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
zapContainer.image.repositorystring"owasp/zap2docker-stable"Container Image to run the scan
zapContainer.image.tagstringnildefaults to the charts appVersion
zapContainer.resourcesobject{}CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
zapContainer.securityContext.allowPrivilegeEscalationboolfalse
zapContainer.securityContext.capabilities.drop[0]string"all"
zapContainer.securityContext.privilegedboolfalse
zapContainer.securityContext.readOnlyRootFilesystemboolfalse
zapContainer.securityContext.runAsNonRootboolfalse

License#

License

Code of secureCodeBox is licensed under the Apache License 2.0.

Examples#

demo-bodgeit-scan-authenticated#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
---apiVersion: v1kind: ConfigMapmetadata:  name: zap-advanced-scan-configdata:  2-zap-advanced-scan.yaml: |-
    # ZAP Contexts Configuration     contexts:      # Name to be used to refer to this context in other jobs, mandatory      - name: scb-bodgeit-context        # The top level url, mandatory, everything under this will be included        url: http://bodgeit.default.svc:8080/bodgeit/        # An optional list of regexes to include        includePaths:          - "http://bodgeit.default.svc:8080/bodgeit.*"        # An optional list of regexes to exclude        excludePaths:          - "http://bodgeit.default.svc:8080/bodgeit/logout.jsp"          - ".*\\.js"          - ".*\\.css"          - ".*\\.png"          - ".*\\.jpeg"        # Auth Credentials for the scanner to access the application        # Can be either basicAuth or a oidc token.        # If both are set, the oidc token takes precedent        authentication:          # Currently supports "basic-auth", "form-based", "json-based", "script-based"          type: "form-based"          # basic-auth requires no further configuration          form-based:            loginUrl: "http://bodgeit.default.svc:8080/bodgeit/login.jsp"            # must be escaped already to prevent yaml parser colidations 'username={%username%}&password={%password%}''            loginRequestData: "username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D"          # Indicates if the current Zap User Session is based on a valid authentication (loggedIn) or not (loggedOut)          verification:            isLoggedInIndicator: '\Q<a href="password.jsp">\E'            isLoggedOutIndicator: '\QGuest user\E'        users:          - name: bodgeit-user-1            username: test@thebodgeitstore.com            password: password            forced: true        session:          # Currently supports "scriptBasedSessionManagement", "cookieBasedSessionManagement", "httpAuthSessionManagement"          type: "cookieBasedSessionManagement"
    # ZAP Spiders Configuration     spiders:      - name: scb-bodgeit-spider        # String: Name of the context to spider, default: first context        context: scb-bodgeit-context        # String: Name of the user to authenticate with and used to spider        user: bodgeit-user-1        # String: Url to start spidering from, default: first context URL        url: http://bodgeit.default.svc:8080/bodgeit/        # Int: Fail if spider finds less than the specified number of URLs, default: 0        failIfFoundUrlsLessThan: 0        # Int: Warn if spider finds less than the specified number of URLs, default: 0        warnIfFoundUrlsLessThan: 0        # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited        maxDuration: 3        # Int: The maximum tree depth to explore, default 5        maxDepth: 5        # Int: The maximum number of children to add to each node in the tree                             maxChildren: 10        # String: The user agent to use in requests, default: '' - use the default ZAP one                       userAgent: "secureCodeBox / ZAP Spider"
    # ZAP ActiveScans Configuration     scanners:      - name: scb-bodgeit-scan        # String: Name of the context to attack, default: first context        context: scb-bodgeit-context        # String: Name of the user to authenticate with and used to spider        user: bodgeit-user-1        # String: Url to start scaning from, default: first context URL        url: http://bodgeit.default.svc:8080/bodgeit/        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited        maxRuleDurationInMins: 3        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited                  maxScanDurationInMins: 10        # Int: The max number of threads per host, default: 2        threadPerHost: 2        # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0        delayInMs: 0        # Bool: If set will add an extra query parameter to requests that do not have one, default: false        addQueryParam: false        # Bool: If set then automatically handle anti CSRF tokens, default: false        handleAntiCSRFTokens: false        # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false                   injectPluginIdInHeader: false        # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false        scanHeadersAllRequests: false---apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "zap-authenticated-full-scan-bodgeit"  labels:    organization: "OWASP"spec:  scanType: "zap-advanced-scan"  parameters:    # target URL including the protocol    - "-t"    - "http://bodgeit.default.svc:8080/bodgeit/"  volumeMounts:    - name: zap-advanced-scan-config      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml      subPath: 2-zap-advanced-scan.yaml      readOnly: true  volumes:    - name: zap-advanced-scan-config      configMap:        name: zap-advanced-scan-config

demo-bodgeit-scan-unauthenticated#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
apiVersion: v1kind: ConfigMapmetadata:  name: zap-advanced-scan-configdata:  2-zap-advanced-scan.yaml: |-
    # ZAP Contexts Configuration     contexts:      # Name to be used to refer to this context in other jobs, mandatory      - name: scb-bodgeit-context        # The top level url, mandatory, everything under this will be included        url: http://bodgeit.default.svc:8080/bodgeit/        # An optional list of regexes to include        includePaths:          - "http://bodgeit.default.svc:8080/bodgeit.*"        # An optional list of regexes to exclude        excludePaths:          - "http://bodgeit.default.svc:8080/bodgeit/logout.jsp"          - ".*\\.js"          - ".*\\.css"          - ".*\\.png"          - ".*\\.jpeg"
    # ZAP Spiders Configuration     spiders:      - name: scb-bodgeit-spider        # String: Name of the context to spider, default: first context        context: scb-bodgeit-context        # String: Url to start spidering from, default: first context URL        url: http://bodgeit.default.svc:8080/bodgeit/        # Int: Fail if spider finds less than the specified number of URLs, default: 0        failIfFoundUrlsLessThan: 0        # Int: Warn if spider finds less than the specified number of URLs, default: 0        warnIfFoundUrlsLessThan: 0        # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited        maxDuration: 3        # Int: The maximum tree depth to explore, default 5        maxDepth: 5        # Int: The maximum number of children to add to each node in the tree                             maxChildren: 10        # String: The user agent to use in requests, default: '' - use the default ZAP one                       userAgent: "secureCodeBox / ZAP Spider"
---apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "zap-authenticated-baseline-scan-bodgeit"  labels:    organization: "OWASP"spec:  scanType: "zap-advanced-scan"  parameters:    # target URL including the protocol    - "-t"    - "http://bodgeit.default.svc:8080/bodgeit/"  volumeMounts:    - name: zap-advanced-scan-config      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml      subPath: 2-zap-advanced-scan.yaml      readOnly: true  volumes:    - name: zap-advanced-scan-config      configMap:        name: zap-advanced-scan-config

demo-juiceshop-scan-authenticated#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
---apiVersion: v1kind: ConfigMapmetadata:  name: zap-advanced-scan-configdata:  2-zap-advanced-scan.yaml: |-
    # ZAP Contexts Configuration     contexts:      # Name to be used to refer to this context in other jobs, mandatory      - name: scb-juiceshop-context        # The top level url, mandatory, everything under this will be included        url: http://juiceshop.default.svc:3000/        # An optional list of regexes to include        includePaths:          - "http://juiceshop.default.svc:3000.*"        # An optional list of regexes to exclude        excludePaths:          - ".*socket\\.io.*"          - ".*\\.png"          - ".*\\.jpeg"          - ".*\\.jpg"          - ".*\\.woff"          - ".*\\.woff2"          - ".*\\.ttf"          - ".*\\.ico"        # Auth Credentials for the scanner to access the application        # Can be either basicAuth or a oidc token.        # If both are set, the oidc token takes precedent        authentication:          # Currently supports "basic-auth", "form-based", "json-based", "script-based"          type: "json-based"          # json-based requires no further configuration          # zapConfiguration.contexts[0].authentication.json-based -- Configure `type: json-based` authentication (more: https://www.zaproxy.org/docs/api/#json-based-authentication).          json-based:            loginUrl: "http://juiceshop.default.svc:3000/rest/user/login"            # must be escaped already to prevent yaml parser colidations '{"user":{"id":1,"email":"test@test.com"}}''            loginRequestData: '{"email":"admin@juice-sh.op","password":"admin123"}'          # Indicates if the current Zap User Session is based on a valid authentication (loggedIn) or not (loggedOut)          verification:            # isLoggedInIndicator: "\Q<a href="password.jsp">\E"            isLoggedOutIndicator: '\Q{"user":{}}\E'        users:          - name: juiceshop-user-1            username: admin@juice-sh.op            password: admin123            forced: true        session:          # Currently supports "scriptBasedSessionManagement", "cookieBasedSessionManagement", "httpAuthSessionManagement"          type: "scriptBasedSessionManagement"          # scriptBasedSessionManagement configuration details          scriptBasedSessionManagement:            name: "juiceshop-session-management.js"            # -- Enables the script if true, otherwise false            enabled: true            # Script engine values: 'Graal.js', 'Oracle Nashorn' for Javascript and 'Mozilla Zest' for Zest Scripts            engine: "Oracle Nashorn"            # Must be a full path to the script file inside the ZAP container (corresponding to the configMap FileMount)            filePath: "/home/zap/.ZAP_D/scripts/scripts/session/juiceshop-session-management.js"            # A short description for the script.            description: "This is a JuiceShop specific SessionManagement Script used to handle JWT."
    # ZAP Spiders Configuration     spiders:      - name: scb-juiceshop-spider        # String: Name of the context to spider, default: first context        context: scb-juiceshop-context        # String: Name of the user to authenticate with and used to spider        user: juiceshop-user-1        # String: Url to start spidering from, default: first context URL        url: http://juiceshop.default.svc:3000/        # zapConfiguration.spiders[0].ajax -- Bool: Whether to use the ZAP ajax spider, default: false        ajax: true        # Int: Fail if spider finds less than the specified number of URLs, default: 0        failIfFoundUrlsLessThan: 0        # Int: Warn if spider finds less than the specified number of URLs, default: 0        warnIfFoundUrlsLessThan: 0        # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited        maxDuration: 5        # Int: The maximum tree depth to explore, default 5        maxDepth: 10
    # ZAP ActiveScans Configuration     scanners:      - name: scb-juiceshop-scan        # String: Name of the context to attack, default: first context        context: scb-juiceshop-context        # String: Name of the user to authenticate with and used to spider        user: juiceshop-user-1        # String: Url to start scaning from, default: first context URL        url: http://juiceshop.default.svc:3000/        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited        maxRuleDurationInMins: 1        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited        maxScanDurationInMins: 10        # Int: The max number of threads per host, default: 2        threadPerHost: 5        # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0        delayInMs: 0        # Bool: If set will add an extra query parameter to requests that do not have one, default: false        addQueryParam: false        # Bool: If set then automatically handle anti CSRF tokens, default: false        handleAntiCSRFTokens: false        # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false        injectPluginIdInHeader: false        # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false        scanHeadersAllRequests: false
---apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "zap-authenticated-full-scan-juiceshop"  labels:    organization: "OWASP"spec:  scanType: "zap-advanced-scan"  parameters:    # target URL including the protocol    - "-t"    - "http://juiceshop.default.svc:3000/"  volumeMounts:    - name: zap-advanced-scan-config      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml      subPath: 2-zap-advanced-scan.yaml      readOnly: true  volumes:    - name: zap-advanced-scan-config      configMap:        name: zap-advanced-scan-config

demo-juiceshop-scan-unauthenticated#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
---apiVersion: v1kind: ConfigMapmetadata:  name: zap-advanced-scan-configdata:  2-zap-advanced-scan.yaml: |-
    # ZAP Contexts Configuration     contexts:      # Name to be used to refer to this context in other jobs, mandatory      - name: scb-juiceshop-context        # The top level url, mandatory, everything under this will be included        url: http://juiceshop.default.svc:3000/        # An optional list of regexes to include        includePaths:          - "http://juiceshop.default.svc:3000.*"        # An optional list of regexes to exclude        excludePaths:          - ".*socket\\.io.*"          - ".*\\.png"          - ".*\\.jpeg"          - ".*\\.jpg"          - ".*\\.woff"          - ".*\\.woff2"          - ".*\\.ttf"          - ".*\\.ico"
    # ZAP Spiders Configuration     spiders:      - name: scb-juiceshop-spider        # String: Name of the context to spider, default: first context        context: scb-juiceshop-context        # String: Url to start spidering from, default: first context URL        url: http://juiceshop.default.svc:3000/        # zapConfiguration.spiders[0].ajax -- Bool: Whether to use the ZAP ajax spider, default: false        ajax: true        # Int: Fail if spider finds less than the specified number of URLs, default: 0        failIfFoundUrlsLessThan: 0        # Int: Warn if spider finds less than the specified number of URLs, default: 0        warnIfFoundUrlsLessThan: 0        # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited        maxDuration: 5        # Int: The maximum tree depth to explore, default 5        maxDepth: 10
    # ZAP ActiveScans Configuration     scanners:      - name: scb-juiceshop-scan        # String: Name of the context to attack, default: first context        context: scb-juiceshop-context        # String: Url to start scaning from, default: first context URL        url: http://juiceshop.default.svc:3000/        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited        maxRuleDurationInMins: 1        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited        maxScanDurationInMins: 10        # Int: The max number of threads per host, default: 2        threadPerHost: 5        # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0        delayInMs: 0        # Bool: If set will add an extra query parameter to requests that do not have one, default: false        addQueryParam: false        # Bool: If set then automatically handle anti CSRF tokens, default: false        handleAntiCSRFTokens: false        # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false        injectPluginIdInHeader: false        # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false        scanHeadersAllRequests: false---apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "zap-authenticated-baseline-scan-juiceshop"  labels:    organization: "OWASP"spec:  scanType: "zap-advanced-scan"  parameters:    # target URL including the protocol    - "-t"    - "http://juiceshop.default.svc:3000/"  volumeMounts:    - name: zap-advanced-scan-config      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml      subPath: 2-zap-advanced-scan.yaml      readOnly: true  volumes:    - name: zap-advanced-scan-config      configMap:        name: zap-advanced-scan-config

demo-petstoreapi-scan-authenticated#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
---apiVersion: v1kind: ConfigMapmetadata:  name: zap-advanced-scan-configdata:  2-zap-advanced-scan.yaml: |-
    global:      # Sets the ZAP Session name      sessionName: integration-test      # Configures existings ZAP Scripts or add new ZAP Scripts.      scripts:        - name: "Alert_on_HTTP_Response_Code_Errors.js"          enabled: true          filePath: "/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_HTTP_Response_Code_Errors.js"          engine: "Oracle Nashorn"          type: "httpsender"          description: "A HTTP Sender Script which will raise alerts based on HTTP Response codes."        - name: "Alert_on_Unexpected_Content_Types.js"          enabled: true          filePath: "/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_Unexpected_Content_Types.js"          engine: "Oracle Nashorn"          type: "httpsender"          description: "A HTTP Sender Script which will raise alerts based on unexpected Content-Types."
    # ZAP Contexts Configuration     contexts:      # Name to be used to refer to this context in other jobs, mandatory      - name: scb-petstore-context        # The top level url, mandatory, everything under this will be included. IMPORTANT: must be the hostname without any subpath!        url: http://petstore.demo-targets.svc/        # An optional list of regexes to include        includePaths:          - "http://petstore.demo-targets.svc/v2.*"        # An optional list of regexes to exclude        excludePaths:          - ".*\\.css"          - ".*\\.png"          - ".*\\.jpeg"
    apis:      - name: scb-petstore-api        # -- The Name of the context (zapConfiguration.contexts[x].name) to spider, default: first context available.        context: scb-petstore-context        # -- format of the API ('openapi', 'grapql', 'soap')        format: openapi        # -- Url to start spidering from, default: first context URL        url: http://petstore.demo-targets.svc/v2/swagger.json        # -- Override host setting in swagger.json        hostOverride: http://petstore.demo-targets.svc
    # ZAP Spiders Configuration     spiders:      - name: scb-petstore-spider        # String: Name of the context to spider, default: first context        context: scb-petstore-context        # String: Url to start spidering from, default: first context URL        url: http://petstore.demo-targets.svc/v2/        # Int: Fail if spider finds less than the specified number of URLs, default: 0        failIfFoundUrlsLessThan: 0        # Int: Warn if spider finds less than the specified number of URLs, default: 0        warnIfFoundUrlsLessThan: 0        # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited        maxDuration: 1        # Int: The maximum tree depth to explore, default 5        maxDepth: 5        # Int: The maximum number of children to add to each node in the tree                             maxChildren: 10        # Bool: Whether the spider will accept cookies, default: true        acceptCookies: true        # Bool: Whether the spider will parse HTML comments in order to find URLs, default: true        parseComments: true        # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false        parseGit: false        # Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true        parseRobotsTxt: false        # Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true        parseSitemapXml: false        # Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false        parseSVNEntries: false        # Bool: Whether the spider will submit POST forms, default: true        postForm: true        # Bool: Whether the spider will process forms, default: true        processForm: true        # Int: The time between the requests sent to a server in milliseconds, default: 200        requestWaitTime: 200        # Bool: Whether the spider will send the referer header, default: true        sendRefererHeader: true        # Int: The number of spider threads, default: 2                     threadCount: 2        # String: The user agent to use in requests, default: '' - use the default ZAP one                       userAgent: "secureCodeBox / ZAP Spider"
    # ZAP ActiveScans Configuration     scanners:      - name: scb-petstore-scan        # String: Name of the context to attack, default: first context        context: scb-petstore-context        # String: Url to start scaning from, default: first context URL        url: http://petstore.demo-targets.svc/v2/        # String: Name of the scan policy to be used, default: Default Policy        policy: "API-Minimal"        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited        maxRuleDurationInMins: 1        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited                  maxScanDurationInMins: 5        # Int: The max number of threads per host, default: 2        threadPerHost: 5        # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0        delayInMs: 0        # Bool: If set will add an extra query parameter to requests that do not have one, default: false        addQueryParam: false        # Bool: If set then automatically handle anti CSRF tokens, default: false        handleAntiCSRFTokens: false        # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false                   injectPluginIdInHeader: false        # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false        scanHeadersAllRequests: false
---apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "zap-advanced-api-scan-petstore"  labels:    organization: "OWASP"spec:  scanType: "zap-advanced-scan"  parameters:    # target URL including the protocol    - "-t"    - "http://petstore.demo-targets.svc/"  volumeMounts:    - name: zap-advanced-scan-config      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml      subPath: 2-zap-advanced-scan.yaml      readOnly: true  volumes:    - name: zap-advanced-scan-config      configMap:        name: zap-advanced-scan-config

demo-petstoreapi-scan-authenticated-no-hardcoded-urls#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
---apiVersion: v1kind: ConfigMapmetadata:  name: zap-advanced-scan-configdata:  2-zap-advanced-scan.yaml: |-
    # ZAP Contexts Configuration     contexts:      # Name to be used to refer to this context in other jobs, mandatory      - name: scb-petstore-context        # An optional list of regexes to include        includePaths:          - "https?://.*\\..*.svc:.*"          - "https?://.*\\..*.svc/.*"          - "https?://.*\\..*.svc.cluster.local/.*"          - "https?://.*\\..*.svc.cluster.local:.*"        # An optional list of regexes to exclude        excludePaths:          - ".*\\.css"          - ".*\\.png"          - ".*\\.jpeg"
    apis:      - name: scb-petstore-api        # -- The Name of the context (zapConfiguration.contexts[x].name) to spider, default: first context available.        context: scb-petstore-context        # -- format of the API ('openapi', 'grapql', 'soap')        format: openapi        # -- path to the OpenAPI spec. Always relative to the targets **hosts**, paths in the targets url will be ignored        path: /v2/swagger.json
    # ZAP ActiveScans Configuration     scanners:      - name: scb-petstore-scan        # String: Name of the context to attack, default: first context        context: scb-petstore-context        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited        maxRuleDurationInMins: 1        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited        maxScanDurationInMins: 5        # Int: The max number of threads per host, default: 2        threadPerHost: 5

---apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "zap-advanced-api-scan-petstore"  labels:    organization: "OWASP"spec:  scanType: "zap-advanced-scan"  parameters:    # target URL including the protocol    - "--target"    - "http://swagger-petstore.default.svc/"    - "--context"    - "scb-petstore-context"  volumeMounts:    - name: zap-advanced-scan-config      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml      subPath: 2-zap-advanced-scan.yaml      readOnly: true  volumes:    - name: zap-advanced-scan-config      configMap:        name: zap-advanced-scan-config

demo-petstoreapi-scan-unauthenticated#

# SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
---apiVersion: v1kind: ConfigMapmetadata:  name: zap-advanced-scan-configdata:  2-zap-advanced-scan.yaml: |-
    global:      # Sets the ZAP Session name      sessionName: integration-test      # Configures existings ZAP Scripts or add new ZAP Scripts.      scripts:        - name: "Alert_on_HTTP_Response_Code_Errors.js"          enabled: true          filePath: "/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_HTTP_Response_Code_Errors.js"          engine: "Oracle Nashorn"          type: "httpsender"          description: "A HTTP Sender Script which will raise alerts based on HTTP Response codes."        - name: "Alert_on_Unexpected_Content_Types.js"          enabled: true          filePath: "/home/zap/.ZAP_D/scripts/scripts/httpsender/Alert_on_Unexpected_Content_Types.js"          engine: "Oracle Nashorn"          type: "httpsender"          description: "A HTTP Sender Script which will raise alerts based on unexpected Content-Types."
    # ZAP Contexts Configuration     contexts:      # Name to be used to refer to this context in other jobs, mandatory      - name: scb-petstore-context        # The top level url, mandatory, everything under this will be included. IMPORTANT: must be the hostname without any subpath!        url: http://petstore.demo-targets.svc/        # An optional list of regexes to include        includePaths:          - "https?://.*\\..*.svc:.*"          - "https?://.*\\..*.svc/.*"          - "https?://.*\\..*.svc.cluster.local/.*"          - "https?://.*\\..*.svc.cluster.local:.*"        # An optional list of regexes to exclude        excludePaths:          - ".*\\.css"          - ".*\\.png"          - ".*\\.jpeg"
    apis:      - name: scb-petstore-api        # -- The Name of the context (zapConfiguration.contexts[x].name) to spider, default: first context available.        context: scb-petstore-context        # -- format of the API ('openapi', 'grapql', 'soap')        format: openapi        # -- Url to start spidering from, default: first context URL        url: http://petstore.demo-targets.svc/v2/swagger.json        # -- Relative path for the given targetUrl. mutually exclusive to the URL configuration.        # path: /v2/swagger.json        # -- Override host setting in swagger.json        hostOverride: http://petstore.demo-targets.svc
    # ZAP Spiders Configuration     spiders:      - name: scb-petstore-spider        # String: Name of the context to spider, default: first context        context: scb-petstore-context        # String: Url to start spidering from, default: first context URL        url: http://petstore.demo-targets.svc/v2/        # Int: Fail if spider finds less than the specified number of URLs, default: 0        failIfFoundUrlsLessThan: 0        # Int: Warn if spider finds less than the specified number of URLs, default: 0        warnIfFoundUrlsLessThan: 0        # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited        maxDuration: 1        # Int: The maximum tree depth to explore, default 5        maxDepth: 5        # Int: The maximum number of children to add to each node in the tree                             maxChildren: 10        # # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb        # maxParseSizeBytes: 2621440        # Bool: Whether the spider will accept cookies, default: true        acceptCookies: true        # Bool: Whether the spider will handle OData responses, default: false        handleODataParametersVisited: false        # Bool: Whether the spider will parse HTML comments in order to find URLs, default: true        parseComments: true        # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false        parseGit: false        # Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true        parseRobotsTxt: false        # Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true        parseSitemapXml: false        # Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false        parseSVNEntries: false        # Bool: Whether the spider will submit POST forms, default: true        postForm: true        # Bool: Whether the spider will process forms, default: true        processForm: true        # Int: The time between the requests sent to a server in milliseconds, default: 200        requestWaitTime: 200        # Bool: Whether the spider will send the referer header, default: true        sendRefererHeader: true        # Int: The number of spider threads, default: 2                     threadCount: 2        # String: The user agent to use in requests, default: '' - use the default ZAP one                       userAgent: "secureCodeBox / ZAP Spider"
---apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "zap-api-baseline-scan-petstore"  labels:    organization: "OWASP"spec:  scanType: "zap-advanced-scan"  parameters:    # target URL including the protocol    - "-t"    - "http://petstore.demo-targets.svc/"  volumeMounts:    - name: zap-advanced-scan-config      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml      subPath: 2-zap-advanced-scan.yaml      readOnly: true  volumes:    - name: zap-advanced-scan-config      configMap:        name: zap-advanced-scan-config

integration-tests#

    nginx#

      secureCodeBox.io-scan#

      # SPDX-FileCopyrightText: 2021 iteratec GmbH## SPDX-License-Identifier: Apache-2.0
      ---apiVersion: "execution.securecodebox.io/v1"kind: Scanmetadata:  name: "zap-advanced-scan-securecodebox"  labels:    organization: "OWASP"spec:  scanType: "zap-advanced-scan"  parameters:    # target URL including the protocol    - "-t"    - "https://www.secureCodeBox.io"