The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing.
To learn more about the ZAP scanner itself visit https://www.zaproxy.org/.
The ZAP scanType can be deployed via helm:
The following security scan configuration example are based on the ZAP Docker Scan Scripts. By default the secureCodeBox ZAP Helm Chart installs all three ZAP scripts:
zap-api-scan. Listed below are the arguments supported by the
zap-baseline script, which are mostly interchangable with the other ZAP scripts. For a more complete reference check out the ZAP Documentation and the secureCodeBox based ZAP examples listed below.
The command line interface can be used to easily run server scans:
|image.repository||string||Container Image to run the scan|
|image.tag||string||defaults to the charts appVersion|
|parseJob.ttlSecondsAfterFinished||string||seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/|
|parserImage.repository||string||Parser image repository|
|parserImage.tag||string||defaults to the charts version||Parser image tag|
|scannerJob.backoffLimit||int||3||There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)|
|scannerJob.env||list||Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)|
|scannerJob.envFrom||list||Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)|
|scannerJob.extraContainers||list||Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)|
|scannerJob.extraVolumeMounts||list||Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)|
|scannerJob.extraVolumes||list||Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)|
|scannerJob.resources||object||CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)|
|scannerJob.securityContext||object||Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)|
|scannerJob.ttlSecondsAfterFinished||string||seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/|