What is ZAproxy (DAST application scanner)
ZAProxy is used to perform penetration tests to find vulnerabilities in web applications.
ZAProxy creates a proxy server and makes the website traffic pass through the server. Scanners inside ZAP help to intercept the vulnerabilities.
Some basic features:
Snippets for ZAP
Don’t forget to read as well general instructions. This snippet uses the variable
TARGET which refers to the hostname which we would like to scan by ZAP.
--- scan_appscan: stage: test image: registry.safescarf.pan-net.cloud/zap2docker-weekly:latest variables: TARGET: "https://vulnerable.host.foo.bar/" SAFESCARF_HOST: "customer.safescarf.pan-net.cloud" SAFESCARF_ENG_ID: "xx" before_script: - printf "$CI_PROJECT_DIR\n" - mkdir -p /zap/wrk script: - /zap/zap-baseline.py -t $TARGET -m 10 -a -x report.xml || true - ci-connector upload-scan --scanner "ZAP Scan" -e $SAFESCARF_ENG_ID -f /zap/wrk/report.xml
There are available 2 scanning images
zap2docker-stable. Both keep an updated database of vulnerabilities. Additionally, the first contains a new check which can not break your tests but they use to generate more false positives. Feel free to choose between:
... image: registry.safescarf.pan-net.cloud/zap2docker-weekly:latest ...
... image: registry.safescarf.pan-net.cloud/zap2docker-stable:latest ...