Owasp Zap Scanner
This project is a Azure DevOps task that allows users to integrate Owasp Zap security analysis into their VSTS pipelines.
Using the Owasp Zap Scanner
Follow the instructions below to add and configure the Owasp Zap Scanner in your build/release pipeline.
Prerequisites
- You need to have OWASP Zed Attach Proxy installed (e.g., on onpremise or on a virtual machine) and exposed so it can be accessed over the internet. The following article Installing & Configuring Owasp Zap on an Azure Virtual Machine provides a detailed guide on how to do it.
- Obtain the API Key required to access the ZAP API by following the instructions on the Official Documentation.
Add the Owasp Zap Scanner
Install the Owasp Zap Scanner in your Visual Studio Team Services account and search for the task in the available tasks. The task will appear in the Test section of the task list. Add it to your build/release task.
Required Options
- ZAP API Url : The fully qualified domain name (FQDN) with out the protocol. (Eg. zap.example.com)
- API Key : The API key for ZAP. Details about obtaining the API can be found on the Official Documentation
- Target URL : Target URL where the active scan is performed against.
Optional Options
- New Session : Creates a new session, optionally overwriting existing files. If a relative path is specified it will be resolved against the 'session' directory in ZAP 'home' dir.
- New Context : Create a new Context, optionally.
Ajax Spider Scan Options
This configuration section includes the parameters that need to be sent to perform the active scan against the target.
Available Options
- Execute Ajax Spider Scan : Enable to run a spider scan on the target.
- Subtree Only : (Optional) A boolean (true/false) indicating whether or not the crawl should be constrained to a specific path (default value is false). Enable to use the nodes underneath the one specified target to seed the Ajax spider.
- in Scope : (Optional) A boolean (true/false) indicating whether or not the scan should be restricted to 'inScope' only resources (default value is false). Enable to use the nodes underneath the one specified target to seed the Ajax spider.
- Context Name : (Optional) The name for any defined context. If the value does not match a defined context then an error will occur.
Spider Scan Options
This configuration section includes the parameters that need to be sent to perform the active scan against the target.
Available Options
- Execute Spider Scan : Enable to run a spider scan on the target.
- Recurse : (Optional) Enable to use the nodes underneath the one specified target to seed the spider.
- Subtree Only : (Optional) Enable to restrict the spider under the target url subtree.
- Context Name : (Optional) The name for any defined context. If the value does not match a defined context then an error will occur.
- Max Children : (Optional) Set to limit the number of children scanned.
Open Api Scan Options
This configuration section includes the parameters that need to be sent to perform the active scan against the target.
Available Options
Active Scan Options
This configuration section includes the parameters that need to be sent to perform the active scan against the target.
Available Options
- Execute Active Scan : Enable to run an active scan on the target.
- Context ID : (Optional) Context identifier of the Scan context.
- Recurse : (Optional) Set recurse option to scan URLs under the given target URL.
- In Scope Only : (Optional) Set In Scope only to true to constrain the scan to URLs that are in scope (ignored if a Context is specified).
- Scan Policy Name : (Optional) Scan Policy Name allows to specify the scan policy (if none is given it uses the default scan policy).
- Method : (Optional) Allow you to select a given request in conjunction with the given URL.
- POST Data : (Optional) Allow you to select a given request in conjunction with the given URL.
Configure Verification
This configuration section includes the parameters that need to be sent to perform the active scan against the target.
Available Options
- Enable Verifications: Enable to add thresholds for security risk types and fail the build if the threshold is exceeded.
- High Risk Alert Threshold: Maximum number of allowed High Risk Alerts. The build will fail if the number of high risk alerts equals or exceeds this threshold.
- Medium Risk Alert Threshold: Maximum number of allowed Medium Risk Alerts. The build will fail if the number of medium risk alerts equals or exceeds this threshold.
- Low Risk Alert Threshold: Maximum number of allowed Low Risk Alerts. The build will fail if the number of low risk alerts equals or exceeds this threshold.
Configure Reports
This configuration section includes the parameters that need to be sent to perform the active scan against the target.
Available Options
- Report Type : Select the type of report you want generated. Available types are HTML, XML, Markdown or All.
- Destination Folder : The destination folder that the report file is created. You can use variables. Eg. $(agent.builddirectory).
- Report Filename : Name of the report file, without the extension. Extension is determined by the Report Type. Eg. OWASP-ZAP-Report-2017-00-00.
Additional
On Windows servers you can complement the use of this extension with:
https://marketplace.visualstudio.com/items?itemName=solucionespsg.OwaspZapOnPremiseStartStop
With this extension you will be able to remotely start a new Owazap session on a new port, scan the URL and then stop the started session.
Contributing to Owasp Zap Scanner for Azure DevOps
Introduction
Welcome to the Owasp Zap Scanner for Azure DevOps repository! This repository is designed to help you get started with using the Owasp Zap Scanner tool in your Azure DevOps pipeline. In this README, you will find information on how to contribute to this project, as well as how to use the tool in your pipeline.
Found a Bug?
If you find a bug, please check the currently listed Issues [^1^][1]. If the bug is not listed, please open a new issue [^1^][1] and include a detailed description of the bug.
Fixed a Bug?
If you have fixed a bug, please open a new pull request with the fix.
Add/Suggest a New Feature, or Change Existing One?
If you would like to add or suggest a new feature, or change an existing one, please open a new issue [^1^][1] and include a detailed description of the feature or change.
Contributing Guidelines
We welcome contributions from the community! To contribute to this project, please follow these guidelines:
- Fork this repository.
- Create a new branch for your changes.
- Make your changes and commit them to your branch.
- Push your changes to your forked repository.
- Open a new pull request with your changes.
Current Contributors
A special thanks to all the contributors [^1^][1] who have helped make this project possible.