Skip to main content

zap


title: ZAP category: scanner type: WebApplication state: released appVersion: 2.10.0 usecase: WebApp & OpenAPI Vulnerability Scanner custom_edit_url: >-

https://github.com/secureCodeBox/secureCodeBox#main/edit/main/scanners/zap/README.md.gotmpl

zap logo

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.

To learn more about the ZAP scanner itself visit https://www.zaproxy.org/.

Deployment

The ZAP scanType can be deployed via helm:

helm upgrade --install zap secureCodeBox/zap

Scanner Configuration

The following security scan configuration example are based on the ZAP Docker Scan Scripts. By default, the secureCodeBox ZAP Helm Chart installs all three ZAP scripts: zap-baseline, zap-full-scan & zap-api-scan. Listed below are the arguments supported by the zap-baseline script, which are mostly interchangeable with the other ZAP scripts. For a more complete reference check out the ZAP Documentation and the secureCodeBox based ZAP examples listed below.

The command line interface can be used to easily run server scans: -t www.example.com

Usage: zap-baseline.py -t <target> [options]
    -t target         target URL including the protocol, eg https://www.example.com
Options:
    -h                print this help message
    -c config_file    config file to use to INFO, IGNORE or FAIL warnings
    -u config_url     URL of config file to use to INFO, IGNORE or FAIL warnings
    -g gen_file       generate default config file (all rules set to WARN)
    -m mins           the number of minutes to spider for (default 1)
    -r report_html    file to write the full ZAP HTML report
    -w report_md      file to write the full ZAP Wiki (Markdown) report
    -x report_xml     file to write the full ZAP XML report
    -J report_json    file to write the full ZAP JSON document
    -a                include the alpha passive scan rules as well
    -d                show debug messages
    -P                specify listen port
    -D                delay in seconds to wait for passive scanning
    -i                default rules not in the config file to INFO
    -I                do not return failure on warning
    -j                use the Ajax spider in addition to the traditional one
    -l level          minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
    -n context_file   context file which will be loaded prior to spidering the target
    -p progress_file  progress file which specifies issues that are being addressed
    -s                short output format - dont show PASSes or example URLs
    -T                max time in minutes to wait for ZAP to start and the passive scan to run
    -z zap_options    ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"
    --hook            path to python file that define your custom hooks

Chart Configuration

KeyTypeDefaultDescription
cascadingRules.enabledbooltrueEnables or disables the installation of the default cascading rules for this scanner
parser.image.repositorystring"docker.io/securecodebox/parser-zap"Parser image repository
parser.image.tagstringdefaults to the charts versionParser image tag
parser.ttlSecondsAfterFinishedstringnilseconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
scanner.backoffLimitint3There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
scanner.envlist[]Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
scanner.envFromlist[]Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables)
scanner.extraContainerslist[]Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
scanner.extraVolumeMountslist[{"mountPath":"/zap/wrk","name":"zap-workdir"}]Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.extraVolumeslist[{"emptyDir":{},"name":"zap-workdir"}]Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scanner.image.repositorystring"owasp/zap2docker-stable"Container Image to run the scan
scanner.image.tagstringnildefaults to the charts appVersion
scanner.nameAppendstringnilappend a string to the default scantype name.
scanner.resourcesobject{}CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
scanner.securityContextobject{}Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scanner.ttlSecondsAfterFinishedstringnilseconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/

Examples

demo-bodgeit-baseline-scan

# SPDX-FileCopyrightText: 2020 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-baseline-scan-bodgeit"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-baseline-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://bodgeit.demo-targets.svc:8080"
    # show debug messages
    - "-d"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "2"

demo-bodgeit-full-scan

# SPDX-FileCopyrightText: 2020 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-full-scan-bodgeit"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-full-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://bodgeit.demo-targets.svc:8080"
    # include the alpha active and passive scan rules as well
    - "-a"                
    # show debug messages
    - "-d"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"

demo-juice-shop-baseline-scan

# SPDX-FileCopyrightText: 2020 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-baseline-scan-juiceshop"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-baseline-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://juice-shop.demo-targets.svc:3000"
    # show debug messages
    - "-d"
    # use the Ajax spider in addition to the traditional one
    - "-j"                
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"

demo-juice-shop-full-scan

# SPDX-FileCopyrightText: 2020 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-full-scan-juiceshop"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-full-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://juice-shop.demo-targets.svc:3000"
    # include the alpha active and passive scan rules as well
    - "-a"                
    # show debug messages
    - "-d"
    # use the Ajax spider in addition to the traditional one
    - "-j"                
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"

demo-petstore-api-scan

# SPDX-FileCopyrightText: 2020 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-api-petstore"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-api-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://swagger-petstore.demo-targets.svc/v2/swagger.json"
    # format can either 'openapi' or 'soap'
    - "-f"
    - "openapi"
    # include the alpha passive scan rules as well
    # - "-a"
    # show debug messages
    - "-d"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"