SafeSCARF ZAP

What is ZAProxy (DAST application scanner)

ZAProxy is used to perform penetration tests to find vulnerabilities in web applications.

ZAProxy creates a proxy server and routes the website traffic through it. Scanners inside ZAP inspect that traffic and detect vulnerabilities.

Some basic features:

ZAP basic features

Snippets for ZAP

Don't forget to read the general instructions as well. This snippet uses the variable TARGET, which refers to the hostname that ZAP should scan.

---
scan_appscan:
  stage: test
  image: registry.safescarf.pan-net.cloud/zap2docker-weekly:latest
  variables:
    TARGET: "https://vulnerable.host.foo.bar/"   # hostname to scan
    SAFESCARF_HOST: "customer.safescarf.pan-net.cloud"
    SAFESCARF_ENG_ID: "xx"                        # SafeSCARF engagement id
  before_script:
    - printf "$CI_PROJECT_DIR\n"
    - mkdir -p /zap/wrk                           # working directory where ZAP writes its report
  script:
    # -m 10: spider for at most 10 minutes; -a: also run the alpha passive scan rules;
    # -x: write an XML report into /zap/wrk; || true: a non-zero exit (findings) must not stop the upload
    - /zap/zap-baseline.py -t $TARGET -m 10 -a -x report.xml || true
    - ci-connector upload-scan --scanner "ZAP Scan" -e $SAFESCARF_ENG_ID -f /zap/wrk/report.xml
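Because the baseline scan runs with `|| true`, the job never fails on findings; the decision is left to SafeSCARF. If you also want a gate in the pipeline itself, the report.xml written to /zap/wrk can be evaluated after the upload step. The helper below is an added example (not SafeSCARF or ZAP code) that parses the report, summarises alerts per risk level and returns a non-zero exit code for Medium or higher; the embedded report is a constructed sample in the shape of ZAP's XML report, and `zap_gate.py` is a hypothetical file name.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# ZAP riskcode values: 0 informational, 1 low, 2 medium, 3 high.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of the XML report zap-baseline.py writes with -x (values made up).
SAMPLE_REPORT = """<OWASPZAPReport version="D-2024-01-01" generated="Mon, 1 Jan 2024 00:00:00">
  <site name="https://vulnerable.host.foo.bar" host="vulnerable.host.foo.bar" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode><confidence>2</confidence><count>3</count>
      </alertitem>
      <alertitem>
        <pluginid>10038</pluginid>
        <alert>Content Security Policy (CSP) Header Not Set</alert>
        <riskcode>2</riskcode><confidence>3</confidence><count>2</count>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

def parse_alerts(xml_text):
    """Return (pluginid, alert name, riskcode, instance count) for each alertitem."""
    root = ET.fromstring(xml_text)
    return [
        (item.findtext("pluginid", ""), item.findtext("alert", ""),
         int(item.findtext("riskcode", "0")), int(item.findtext("count", "0")))
        for item in root.iter("alertitem")
    ]

def summarise(alerts):
    """Count distinct alerts per risk level, e.g. {'Low': 1, 'Medium': 1}."""
    return Counter(RISK_NAMES[risk] for _, _, risk, _ in alerts)

def should_fail(alerts, min_risk=2):
    """True if any alert is at or above min_risk (2 = Medium by default)."""
    return any(risk >= min_risk for _, _, risk, _ in alerts)

if __name__ == "__main__":
    # Usage: python zap_gate.py /zap/wrk/report.xml  (no argument: the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_alerts(text)
    print(dict(summarise(found)))
    sys.exit(1 if should_fail(found) else 0)
```

Run it as an extra `script` line after the `ci-connector upload-scan` step so the report is always uploaded before the gate decides.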

Two scanning images are available: zap2docker-weekly and zap2docker-stable. Both keep an up-to-date database of vulnerabilities. Additionally, the weekly image contains new checks; they cannot break your tests, but they tend to generate more false positives. Feel free to choose between:

...
  image: registry.safescarf.pan-net.cloud/zap2docker-weekly:latest
...

and

...
  image: registry.safescarf.pan-net.cloud/zap2docker-stable:latest
...