ZAP

What is OWASP ZAP?

The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.

To learn more about the ZAP scanner itself visit https://www.zaproxy.org/.

Deployment

The zap chart can be deployed via helm:

```bash
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install zap secureCodeBox/zap
```

Scanner Configuration

The following security scan configuration examples are based on the ZAP Docker Scan Scripts. By default, the secureCodeBox ZAP Helm Chart installs all three ZAP scripts: zap-baseline, zap-full-scan & zap-api-scan. Listed below are the arguments supported by the zap-baseline script, which are mostly interchangeable with the other ZAP scripts. For a more complete reference check out the ZAP Documentation and the secureCodeBox based ZAP examples listed below.

The command line interface can be used to easily run server scans: `-t www.example.com`

```
Usage: zap-baseline.py -t <target> [options]
    -t target         target URL including the protocol, eg https://www.example.com
Options:
    -h                print this help message
    -c config_file    config file to use to INFO, IGNORE or FAIL warnings
    -u config_url     URL of config file to use to INFO, IGNORE or FAIL warnings
    -g gen_file       generate default config file (all rules set to WARN)
    -m mins           the number of minutes to spider for (default 1)
    -r report_html    file to write the full ZAP HTML report
    -w report_md      file to write the full ZAP Wiki (Markdown) report
    -x report_xml     file to write the full ZAP XML report
    -J report_json    file to write the full ZAP JSON document
    -a                include the alpha passive scan rules as well
    -d                show debug messages
    -P                specify listen port
    -D                delay in seconds to wait for passive scanning
    -i                default rules not in the config file to INFO
    -I                do not return failure on warning
    -j                use the Ajax spider in addition to the traditional one
    -l level          minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
    -n context_file   context file which will be loaded prior to spidering the target
    -p progress_file  progress file which specifies issues that are being addressed
    -s                short output format - dont show PASSes or example URLs
    -T                max time in minutes to wait for ZAP to start and the passive scan to run
    -z zap_options    ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"
    --hook            path to python file that define your custom hooks
```

Requirements

Kubernetes: >=v1.11.0-0

The secureCodeBox provides two different scanner charts (zap, zap-advanced) to automate ZAP web application security scans. The first one, zap, comes with three scanTypes:

  • zap-baseline-scan
  • zap-full-scan
  • zap-api-scan

All three scanTypes are configured via CLI arguments, which are too limited for some advanced use cases, e.g. using custom ZAP scripts or configuring complex authentication settings.

That's why we introduced the zap-advanced scanner chart, which adds extensive YAML configuration options for ZAP. The YAML configuration can be split across multiple files, which are merged at start.

Values

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner |
| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository |
| parser.image.tag | string | defaults to the charts version | Parser image tag |
| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| scanner.backoffLimit | int | `3` | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
| scanner.extraVolumeMounts | list | `[{"mountPath":"/zap/wrk","name":"zap-workdir"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scanner.extraVolumes | list | `[{"emptyDir":{},"name":"zap-workdir"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scanner.image.repository | string | `"owasp/zap2docker-stable"` | Container Image to run the scan |
| scanner.image.tag | string | `nil` | defaults to the charts appVersion |
| scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
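As an added illustration (not a values file shipped by the secureCodeBox project), the following overrides tighten the defaults listed above: the scanner container gets a restrictive securityContext instead of the empty `{}`, resource limits instead of none, a TTL so finished Jobs are garbage-collected, and a ConfigMap mounted next to the work directory so a Scan can pass a `-c config_file` rules file. The file name `zap-values.yaml`, the ConfigMap `zap-baseline-rules`, the mount path `/zap/rules` and the Secret `zap-hook-secrets` are assumptions; `runAsNonRoot` assumes the image's default user is non-root.

```yaml
# zap-values.yaml (assumed name): overrides for the secureCodeBox "zap" chart.
# Apply with:  helm upgrade --install zap secureCodeBox/zap -f zap-values.yaml
scanner:
  # Give up after two retries instead of the default three when a Scan is misconfigured.
  backoffLimit: 2
  # Delete finished scanner Jobs after one hour (needs the TTLAfterFinished controller).
  ttlSecondsAfterFinished: "3600"
  # Default is {} (pod defaults). Restrict what the ZAP process can do on the node.
  securityContext:
    runAsNonRoot: true              # assumption: image's default user is non-root
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  # Default is {}. A full scan with the Ajax spider can otherwise starve the node.
  resources:
    requests: { cpu: "500m", memory: "1Gi" }
    limits:   { cpu: "2",    memory: "4Gi" }
  # Helm replaces lists instead of merging them, so the default zap-workdir
  # volume (where -r/-x/-J reports are written) must be repeated here.
  extraVolumes:
    - name: zap-workdir
      emptyDir: {}
    - name: zap-rules
      configMap:
        name: zap-baseline-rules     # assumed ConfigMap holding the -c rules file
  extraVolumeMounts:
    - name: zap-workdir
      mountPath: /zap/wrk
    - name: zap-rules
      mountPath: /zap/rules
      readOnly: true
  # Assumed Secret consumed only by a custom --hook script; keeps credentials
  # out of the Scan spec, which is stored in plain text in the cluster.
  envFrom:
    - secretRef:
        name: zap-hook-secrets
parser:
  ttlSecondsAfterFinished: "3600"
```

Generate the rules file once with `-g gen_file` from the usage above, store it under a key such as `baseline.conf` in the ConfigMap, and reference it from a Scan with `-c /zap/rules/baseline.conf` (key name assumed).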

License

Code of secureCodeBox is licensed under the Apache License 2.0.

Examples

demo-bodgeit-baseline-scan

```yaml
# SPDX-FileCopyrightText: 2021 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-baseline-scan-bodgeit"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-baseline-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://bodgeit.demo-targets.svc:8080"
    # show debug messages
    - "-d"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "2"
```

demo-bodgeit-full-scan

```yaml
# SPDX-FileCopyrightText: 2021 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-full-scan-bodgeit"
  labels:
    organization: "OWASP"
spec:
  scanType: "zap-full-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://bodgeit.demo-targets.svc:8080"
    # include the alpha active and passive scan rules as well
    - "-a"
    # show debug messages
    - "-d"
    # the number of minutes to spider for (default 1)
    - "-m"
    - "3"
```