USEPA / revampd

Basic tutorial for the EPA Clean Air Markets Division to go through the process of creating a small web app, in the problem space of AMPD, with automated tests and deployment to cloud.gov at https://revampd.app.cloud.gov

OWASP ZAP Baseline Scan Action #32

Closed j-tafoya closed 4 years ago

j-tafoya commented 4 years ago

The addition of an OWASP ZAP baseline scan to the GitHub Actions workflow:

"The ZAP baseline action scans a target URL for vulnerabilities and maintains an issue in GitHub repository for the identified alerts." This baseline scan is a passive scan and does not 'attack' the website. Thus it runs faster and is intended for CI/CD purposes. As it stands, it runs the passive scan, creates an "artifact" detailing the issues and suggestions for improvement, and then creates an Issue in GitHub with these results.

I think we could add a "full scan" that does 'attack', on a cron job or manually using the ZAP web client. There is also an "api scan" that I think would be useful to point at the API, and that uses OpenAPI / Swagger, which would plug in nicely.

See this link for more info on the various ZAP docker images we could spin up to do this. Also, see this for info on how I created the action.

Currently, this scan runs on the app after it is deployed to cloud.gov. After initial investigation, it appears we cannot spin up the app within Docker in the action, then spin up the ZAP container to communicate with it. I'll test out a way this can be done in the future. Currently, the actions must run sequentially, and the current app is spun up with --rm to remove the container once it has finished its tests, which makes sense, but would inhibit further communication with it.

maheese commented 4 years ago

That looks great! Doing a full scan of the web app and api are good ideas. Let's create separate issues for those.
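For reference, a workflow of the shape described in the PR (passive baseline scan run only after the deploy job, findings filed as a GitHub issue), as an added example rather than the repository's own workflow file. The job name `deploy`, the action version, and the `.zap/rules.tsv` tuning file are assumptions.

```yaml
# Added example: ZAP baseline (passive) scan of the deployed app.
# Assumed: a job named "deploy" exists, zaproxy/action-baseline@v0.7.0,
# and a .zap/rules.tsv file that sets alerts to WARN / IGNORE / FAIL.
name: ZAP baseline scan

on:
  push:
    branches: [ main ]
  workflow_dispatch:        # allow a manual run from the Actions tab

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # ... cloud.gov deployment steps go here ...

  zap_baseline:
    needs: deploy           # sequential: scan only once the app is live
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write         # the action creates/updates the results issue
    steps:
      - uses: actions/checkout@v3   # so rules_file_name can be found
      - name: ZAP baseline scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: 'https://revampd.app.cloud.gov'
          rules_file_name: '.zap/rules.tsv'   # triage noisy alerts here
          cmd_options: '-a'                   # include alpha passive rules
          fail_action: false                  # report, do not fail the build
          issue_title: 'ZAP baseline scan report'
          token: ${{ secrets.GITHUB_TOKEN }}
```

Setting `fail_action: true` later makes the workflow fail on any alert marked FAIL in the rules file, which is the usual step once the initial findings have been triaged.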