nearform / udaru

Open source Access Manager for node.js
https://nearform.github.io/udaru
MIT License

add Zed Attack Proxy baseline and API penetration testing support #544

Closed mrister closed 6 years ago

mrister commented 6 years ago

Partially resolves (https://github.com/nearform/pathfinders/issues/165)

- Set up zaproxy via Docker weekly image
- Add 3 npm tasks to run the baseline, api or all (both) pen testing commands
- Update gh-docs to include reports generated from pentest commands

Touches on https://github.com/nearform/pathfinders/issues/201

Had to do a shell script, as the parameters passed to docker and the spawn function were not working together (due to spaces in the path).
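
The kind of wrapper the description refers to, as an added example that is not the PR's own script: a POSIX shell function that launches the ZAP baseline or API scan from the weekly Docker image and hands docker the report directory as one argv word, so a path with spaces survives. The image name, the `/zap/wrk` mount, `--network host` and the report file names are assumptions.

```shell
#!/bin/sh
# Added example, not udaru's own script: launch a ZAP baseline or API scan
# from the weekly Docker image.  Assumptions: image name, report file names,
# and that the udaru instance under test listens on the Docker host.
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-weekly}"   # assumed image tag

# zap_script MODE -> name of the scan script shipped inside the image
zap_script() {
  case "$1" in
    baseline) echo zap-baseline.py ;;
    api)      echo zap-api-scan.py ;;
    *)        echo "unknown mode: $1 (use baseline|api)" >&2; return 1 ;;
  esac
}

# run_zap MODE TARGET REPORT_DIR
#   baseline: TARGET is the site URL to spider and passively scan
#   api:      TARGET is the OpenAPI spec URL the scan imports
# REPORT_DIR is mounted at /zap/wrk and receives zap-MODE-report.html.
# Every value is its own argv word ("$@"), so a REPORT_DIR containing
# spaces reaches docker intact; nothing is re-split by the shell.
run_zap() {
  mode="$1"; target="$2"; report_dir="$3"
  script=$(zap_script "$mode") || return 1
  set -- docker run --rm --network host \
    -v "$report_dir:/zap/wrk:rw" "$ZAP_IMAGE" \
    "$script" -t "$target" -r "zap-$mode-report.html"
  if [ "$mode" = api ]; then
    set -- "$@" -f openapi        # tell the API scan the spec format
  fi
  if [ "${ZAP_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"            # one argv word per line, for inspection
    return 0
  fi
  mkdir -p "$report_dir"
  # ZAP scan scripts exit 0 = pass, 1 = FAIL alerts, 2 = WARN alerts, 3 = other,
  # so an npm task wrapping this can fail a build on FAIL alerts alone.
  "$@"
}

# Wired into package.json as e.g. "pentest:baseline": "sh zap.sh baseline URL DIR"
if [ "$#" -ge 3 ]; then
  run_zap "$@"
fi
```

Setting `ZAP_DRY_RUN=1` prints the exact argv docker would receive, which is the quickest way to confirm the mount path is still one word.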

coveralls commented 6 years ago


Coverage decreased (-0.04%) to 93.186% when pulling bc65768213e5ef45e09a5636150bdf49c607170a on ci-pentest-zaproxy into f7538655faf92e4116bc218e38e1fb142676c8cf on master.

mrister commented 6 years ago

I also wasn't able to fully render the documentation locally using GitHub instructions via jekyll as it seems it has some problems loading the _sidebar.md that I needed to edit so that was done a bit "blindly". If you have any suggestion on how to test it better locally I'd be happy to try.

cianfoley-nearform commented 6 years ago

@mrister I ran both commands this morning, both ran fine (as you said took a lot of time and so probably cannot be part of CI)

I got some warnings on API pen test:

- High: Source Code Disclosure - SVN
- Medium: Backup File Disclosure
- Low: X-Content-Type-Options Header Missing
- Informational: A Client Error response code was returned by the server

LGTM in terms of merging, did you get same errors and do we need to address before merge?

mrister commented 6 years ago

@cianfoley-nearform I just need to update the docs and this is it. Yes there are some errors worth investigating but they do not need to be part of this PR, I'll open separate issues on the repo for them if that is ok?

mrister commented 6 years ago

Docs updated

mrister commented 6 years ago

Issue about the problems found during scan is here: https://github.com/nearform/udaru/issues/546

mrister commented 6 years ago

@mihaidma thanks for the feedback. Updated the PR with fixes.