ZAP


The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.

To learn more about the ZAP scanner itself visit https://www.zaproxy.org/.

Deployment

The ZAP scanType can be deployed via helm:

helm upgrade --install zap secureCodeBox/zap

Scanner Configuration

The following security scan configuration examples are based on the ZAP Docker Scan Scripts. By default the secureCodeBox ZAP Helm Chart installs all three ZAP scripts: zap-baseline, zap-full-scan & zap-api-scan. Listed below are the arguments supported by the zap-baseline script, which are mostly interchangeable with the other ZAP scripts. For a more complete reference check out the ZAP Documentation and the secureCodeBox based ZAP examples listed below.

The scripts are command line tools; the only required argument is the target, given as a full URL including the protocol, e.g. -t https://www.example.com

Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Options:
-h print this help message
-c config_file config file to use to INFO, IGNORE or FAIL warnings
-u config_url URL of config file to use to INFO, IGNORE or FAIL warnings
-g gen_file generate default config file (all rules set to WARN)
-m mins the number of minutes to spider for (default 1)
-r report_html file to write the full ZAP HTML report
-w report_md file to write the full ZAP Wiki (Markdown) report
-x report_xml file to write the full ZAP XML report
-J report_json file to write the full ZAP JSON document
-a include the alpha passive scan rules as well
-d show debug messages
-P specify listen port
-D delay in seconds to wait for passive scanning
-i default rules not in the config file to INFO
-I do not return failure on warning
-j use the Ajax spider in addition to the traditional one
-l level minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
-n context_file context file which will be loaded prior to spidering the target
-p progress_file progress file which specifies issues that are being addressed
-s short output format - dont show PASSes or example URLs
-T max time in minutes to wait for ZAP to start and the passive scan to run
-z zap_options ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"
--hook path to python file that define your custom hooks
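The options -c, -g, -i and -I all act on the same rule configuration file, and -J writes the report that a pipeline would then evaluate. The following added example (not code from the secureCodeBox or ZAP projects) models that interaction offline: it parses a rule config, classifies the alerts of a ZAP JSON report by the configured level, and derives a pass/fail decision. Assumptions, labelled in the code: the tab-separated layout `<pluginid><TAB><LEVEL><TAB>(<name>)` is taken to match what `zap-baseline.py -g` generates; the report is a constructed, trimmed sample of a ZAP JSON report; the exit-code mapping is this example's own and is not claimed to be the script's; the config rendering only covers alerts present in the report, whereas -g lists every rule.

```python
"""Added example, not part of secureCodeBox or ZAP: emulate how zap-baseline's
rule config (-c / -g / -i / -I) is applied to a JSON report written with -J."""
import json

LEVELS = ("PASS", "IGNORE", "INFO", "WARN", "FAIL")

# Constructed config in the layout assumed for `zap-baseline.py -g` output.
# Anything after a third tab is treated as a free-text note (assumption).
SAMPLE_CONFIG = """\
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
10020\tFAIL\t(X-Frame-Options Header Not Set)
10038\tIGNORE\t(Content Security Policy (CSP) Header Not Set)\tTracked in ticket SEC-42
10021\tWARN\t(X-Content-Type-Options Header Missing)
"""

# Constructed, trimmed sample of a ZAP JSON report (-J). Not real scan output.
SAMPLE_REPORT = json.dumps({
    "@version": "2.11.1",
    "site": [{
        "@name": "http://bodgeit.demo-apps.svc:8080",
        "alerts": [
            {"pluginid": "10020", "alert": "X-Frame-Options Header Not Set",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "http://bodgeit.demo-apps.svc:8080/", "method": "GET"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "http://bodgeit.demo-apps.svc:8080/", "method": "GET"}]},
            {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix",
             "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "http://bodgeit.demo-apps.svc:8080/js/util.js", "method": "GET"}]},
        ],
    }],
})


def parse_rule_config(text):
    """Return {pluginid: (LEVEL, note)}; comments and blank lines are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or parts[1].upper() not in LEVELS[1:]:
            raise ValueError(f"malformed rule line: {raw!r}")
        note = parts[3] if len(parts) > 3 else ""
        rules[parts[0]] = (parts[1].upper(), note)
    return rules


def triage(report_json, rules, default_level="WARN"):
    """Bucket every alert by its configured level.

    default_level is WARN for rules absent from the config (the script's
    default) or INFO when emulating -i. Returns {LEVEL: [(pluginid, name, instances)]}.
    """
    buckets = {level: [] for level in LEVELS}
    for site in json.loads(report_json)["site"]:
        for alert in site.get("alerts", []):
            level = rules.get(alert["pluginid"], (default_level, ""))[0]
            buckets[level].append(
                (alert["pluginid"], alert["alert"], len(alert.get("instances", []))))
    return buckets


def exit_code(buckets, ignore_warn=False):
    """Example's own mapping: 1 if any FAIL, 2 if WARN and -I not given, else 0."""
    if buckets["FAIL"]:
        return 1
    if buckets["WARN"] and not ignore_warn:
        return 2
    return 0


def render_config(buckets, level="WARN"):
    """Emit a config seeded to one level for each alert seen (a trimmed analogue of -g)."""
    lines = ["# generated from a ZAP JSON report; edit WARN to IGNORE or FAIL as needed"]
    for bucket in LEVELS:
        for pluginid, name, _ in buckets[bucket]:
            lines.append(f"{pluginid}\t{level}\t({name})")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cfg = parse_rule_config(SAMPLE_CONFIG)
    result = triage(SAMPLE_REPORT, cfg)
    for lvl in ("FAIL", "WARN", "INFO", "IGNORE"):
        for pluginid, name, n in result[lvl]:
            print(f"{lvl}: {name} [{pluginid}] x {n}")
    print("exit code:", exit_code(result))
```

With the sample config, the X-Frame-Options alert is configured FAIL and drives the non-zero result, the CSP alert is ignored with its note preserved, and the unconfigured timestamp rule falls back to WARN (or INFO when -i semantics are requested). Rules configured but not triggered (10021 here) produce no entry, which is why the ZAP report, not the config, is the authoritative list of what was observed.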

Chart Configuration

Key | Type | Default | Description
image.repository | string | "owasp/zap2docker-weekly" | Container image to run the scan
image.tag | string | nil | Defaults to the chart's appVersion
parserImage.repository | string | "docker.io/securecodebox/parser-zap" | Parser image repository
parserImage.tag | string | defaults to the chart's version | Parser image tag
scannerJob.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
scannerJob.envFrom | list | [] | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
scannerJob.extraContainers | list | [] | Optional additional containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
scannerJob.extraVolumeMounts | list | [{"mountPath":"/zap/wrk","name":"zap-workdir"}] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scannerJob.extraVolumes | list | [{"emptyDir":{},"name":"zap-workdir"}] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scannerJob.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
scannerJob.securityContext | object | {} | Optional securityContext set on the scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scannerJob.ttlSecondsAfterFinished | string | nil | Defines how long the scanner job remains available after finishing (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/)

Examples

demo-bodgeit-baseline-scan

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-baseline-bodgeit"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-baseline"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://bodgeit.demo-apps.svc:8080"
    # show debug messages
    - "-d"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "2"

demo-bodgeit-full-scan

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-full-scan-bodgeit"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-full-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://bodgeit.demo-apps.svc:8080"
    # include the alpha active and passive scan rules as well
    - "-a"
    # show debug messages
    - "-d"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"

demo-juice-shop-baseline-scan

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-baseline-juiceshop"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-baseline"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://juice-shop.demo-apps.svc:3000"
    # show debug messages
    - "-d"
    # use the Ajax spider in addition to the traditional one
    - "-j"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"

demo-juice-shop-full-scan

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-full-scan-juiceshop"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-full-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://juice-shop.demo-apps.svc:3000"
    # include the alpha active and passive scan rules as well
    - "-a"
    # show debug messages
    - "-d"
    # use the Ajax spider in addition to the traditional one
    - "-j"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"

demo-petstore-api-scan

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-api-petstore"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-api-scan"
  parameters:
    # target URL including the protocol; for zap-api-scan this is the API definition
    - "-t"
    - "http://swagger-petstore.demo-apps.svc/v2/swagger.json"
    # format can be either 'openapi' or 'soap'
    - "-f"
    - "openapi"
    # include the alpha passive scan rules as well
    # - "-a"
    # show debug messages
    - "-d"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"