OWASP ZAP Scan

Security used to sit at the very end of the development cycle, shifted as far right as it could go. That mattered less when release cycles were long, but DevOps keeps shortening them and security has lagged behind. The remedy is to shift security as far left as possible: put a security stage into the build itself, so that findings surface on every run rather than at sign-off. Several open source tools support this, and one of them is OWASP ZAP. The pipeline below starts the application in a container, runs a ZAP full scan against it from the official zap2docker-stable image, converts the XML report to NUnit format with an XSLT stylesheet, and publishes the result as test results. Values in angle brackets (the application image and ports, the second repository, the path to the stylesheet) are specific to the application being scanned and must be filled in.
```yaml
resources:
  repositories:
    - repository: <second-repo>   # type and name of the repository that is checked out below

trigger: none

stages:
  - stage: buildstage
    jobs:
      - job: buildjob
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - checkout: self
          - checkout: <second-repo>

          - bash: docker run -d -p <host-port>:<container-port> <app-image>
            displayName: 'App Container'

          - bash: |
              # zap-full-scan.py writes its report into /zap/wrk, which is the mounted
              # workspace; the non-root zap user inside the image must be able to write there
              chmod -R 777 ./
              # the target is the docker0 bridge address, where the published app port is
              # reachable from inside the ZAP container
              docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py \
                -t http://$(ip -f inet -o addr show docker0 | awk '{print $4}' | cut -d '/' -f 1):<host-port> \
                -x xml_report.xml
              # the scan script exits non-zero when it reports warnings or failures;
              # keep the step green so that the report is still converted and published
              true
            displayName: 'Owasp Container Scan'

          - powershell: |
              $XslPath = "<path-to>/xml_to_nunit.xslt"
              $XmlInputPath = "xml_report.xml"
              $XmlOutputPath = "converted_report.xml"
              $XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
              $XslTransform.Load($XslPath)
              $XslTransform.Transform($XmlInputPath, $XmlOutputPath)
            displayName: 'PowerShell Script'

          - task: PublishTestResults@2
            displayName: 'Publish Test Results'
            inputs:
              testResultsFormat: 'NUnit'
              testResultsFiles: 'converted_report.xml'
```
Run the pipeline and the alerts from the scan appear on the Tests tab of the run. Two lines in the scan step deserve attention. `chmod -R 777 ./` is there because the scan script writes its report into `/zap/wrk`, which is the mounted workspace, and the non-root user inside the ZAP image must be able to write to it; on a throwaway hosted agent that is acceptable, on a self-hosted agent a narrower permission on the report directory is preferable. The trailing `true` is there because `zap-full-scan.py` exits non-zero when it reports warnings or failures; it keeps the step green so that the report is still published, but it also means this pipeline never fails on findings, so any gate has to be applied to the published results.

**Note:** Ignore the warnings produced during the "Publish Test Results" task.
Security Testing with the OWASP ZAP Task

Instead of driving the Docker image by hand, the second pipeline uses the `owaspzap@1` marketplace task, which runs the scan and writes `owaspzap/report.json` and `owaspzap/report.html` into the workspace. The JSON report is then rendered into NUnit XML with a Handlebars template, one failed test case per alert, and published the same way. The angle-bracket placeholders again stand for the application image and ports.
```yaml
trigger: none

stages:
  - stage: buildstage
    jobs:
      - job: buildjob
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - checkout: self

          - bash: docker run -d -p <host-port>:<container-port> <app-image>
            displayName: 'App Container'

          - task: owaspzap@1
            inputs:
              aggressivemode: true
              threshold: '50'
              port: '<host-port>'
            displayName: 'Owasp Scan'

          - bash: |
              sudo npm install -g handlebars-cmd

              # every ZAP alert becomes one failed NUnit test case; the description goes into
              # the failure message, solution/reference/instances into the stack trace
              cat <<EOF > owaspzap/nunit-template.hbs
              <test-run id="1" name="OWASP ZAP" result="Failed">
                <test-suite type="Assembly" id="1000" name="OWASP ZAP" result="Failed">
                  {{#each site}}
                  {{#each alerts}}
                  <test-case name="{{name}}" fullname="{{name}}" result="Failed">
                    <failure>
                      <message><![CDATA[{{{desc}}}
              Full report: owaspzap/report.html]]></message>
                      <stack-trace><![CDATA[
              Solution:
              {{{solution}}}

              Reference:
              {{{reference}}}

              instances:{{#each instances}}
              * {{uri}}
                - {{method}}
                {{#if evidence}}- {{{evidence}}}{{/if}}
              {{/each}}]]></stack-trace>
                    </failure>
                  </test-case>
                  {{/each}}
                  {{/each}}
                </test-suite>
              </test-run>
              EOF
            displayName: 'Owasp Nunit Template'

          - bash: 'handlebars owaspzap/report.json < owaspzap/nunit-template.hbs > owaspzap/test-results.xml'
            displayName: 'Generate Nunit type file'

          - task: PublishTestResults@2
            displayName: 'Publish Test Results'
            inputs:
              testResultsFormat: 'NUnit'
              testResultsFiles: 'owaspzap/test-results.xml'
```
After executing the pipeline the alerts appear on the Tests tab of the run, one failed test case per alert, with the solution, reference and affected URLs in the stack trace. The template uses triple-stash expressions (`{{{desc}}}`, `{{{solution}}}`, `{{{evidence}}}`) so that ZAP's text is not HTML-escaped inside the CDATA sections; the price is that an alert whose text happens to contain `]]>` would cut a section short and produce invalid XML, so it is worth parsing the generated file before publishing it.

**Note:** Ignore the warnings produced during the "Publish Test Results" task.
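The XSLT stylesheet in the first pipeline and the Handlebars template in the second do the same job: turn ZAP's report into NUnit XML that PublishTestResults@2 accepts. The script below is an added example, not code from the page or from the ZAP project. It performs that conversion for either report format and adds the risk gate that neither pipeline applies (both keep the step green whatever the scan finds). The two sample reports are constructed in the layout of ZAP's XML (`-x`) and JSON (`-J`, and the owaspzap task's `report.json`) output; the element and field names (`site`, `alertitem`, `riskcode`, `instances`, ...) are ZAP's, while the NUnit attribute values, the `]]>` handling and the default of failing on a High-risk alert are choices of this example.

```python
"""Turn an OWASP ZAP report into NUnit 3 XML for PublishTestResults@2 and gate on risk.

Added example, not code from the page or from the ZAP project: it does what the page's
XSLT and Handlebars steps do (one failed test case per alert) for either report format,
and adds a risk threshold that neither pipeline applies.
"""
import json
import sys
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}  # ZAP riskcode values

# Constructed sample in the layout of ZAP's XML report (-x); not a real scan result.
SAMPLE_XML = """<?xml version="1.0"?>
<OWASPZAPReport version="2.11.1" generated="Mon, 1 Jan 2024 00:00:00">
 <site name="http://172.17.0.1:8080" host="172.17.0.1" port="8080" ssl="false"><alerts>
  <alertitem><pluginid>40012</pluginid><name>Cross Site Scripting (Reflected)</name>
   <riskcode>3</riskcode><confidence>2</confidence><riskdesc>High (Medium)</riskdesc>
   <desc>&lt;p&gt;Reflected XSS in the search form.&lt;/p&gt;</desc>
   <instances><instance><uri>http://172.17.0.1:8080/search?q=x</uri><method>GET</method>
    <param>q</param><evidence>&lt;script&gt;alert(1)&lt;/script&gt;</evidence></instance></instances>
   <solution>Encode output and validate input.</solution>
   <reference>https://owasp.org/www-community/attacks/xss/</reference></alertitem>
  <alertitem><pluginid>10038</pluginid><name>Content Security Policy (CSP) Header Not Set</name>
   <riskcode>2</riskcode><confidence>3</confidence><riskdesc>Medium (High)</riskdesc>
   <desc>No CSP header on the response.</desc>
   <instances><instance><uri>http://172.17.0.1:8080/</uri><method>GET</method><evidence></evidence>
   </instance></instances><solution>Set a Content-Security-Policy header.</solution>
   <reference>https://www.w3.org/TR/CSP/</reference></alertitem>
 </alerts></site>
</OWASPZAPReport>"""

# Constructed sample in the layout of the JSON report (report.json from the owaspzap task).
SAMPLE_JSON = json.dumps({"site": [{"@name": "http://172.17.0.1:8080", "alerts": [
    {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "desc": "Header missing.", "solution": "Set nosniff.", "reference": "",
     "instances": [{"uri": "http://172.17.0.1:8080/", "method": "GET", "evidence": ""}]}]}]})


def _field(obj, key):
    """Read one text field from an ET element (XML report) or a dict (JSON report)."""
    if isinstance(obj, dict):
        return str(obj.get(key) or "")
    child = obj.find(key)
    return (child.text or "") if child is not None else ""


def load_alerts(text):
    """Flatten either report format into one dict per alert, with its instances."""
    if text.lstrip().startswith("{"):
        sites = [(s.get("@name", ""), s.get("alerts", []), lambda a: a.get("instances", []))
                 for s in json.loads(text).get("site", [])]
    else:
        sites = [(s.get("name", ""), s.iter("alertitem"), lambda a: a.iter("instance"))
                 for s in ET.fromstring(text).iter("site")]
    alerts = []
    for site, items, instances_of in sites:
        for a in items:
            alerts.append({"site": site, "name": _field(a, "name") or _field(a, "alert"),
                           "riskcode": int(_field(a, "riskcode") or 0),
                           "desc": _field(a, "desc"), "solution": _field(a, "solution"),
                           "reference": _field(a, "reference"),
                           "instances": [{k: _field(i, k) for k in ("uri", "method", "evidence")}
                                         for i in instances_of(a)]})
    return alerts


def _cdata(text):
    # A literal "]]>" in alert text would end the section early; split it across two sections.
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def _attr(text):
    return escape(text, {'"': "&quot;"})


def to_nunit(alerts):
    """Render alerts as an NUnit 3 test-run; every alert becomes one failed test case."""
    n, result = len(alerts), "Failed" if alerts else "Passed"
    out = [f'<test-run id="1" name="OWASP ZAP" testcasecount="{n}" total="{n}" passed="0" '
           f'failed="{n}" result="{result}">',
           f'  <test-suite type="Assembly" id="1000" name="OWASP ZAP" testcasecount="{n}" '
           f'total="{n}" passed="0" failed="{n}" result="{result}">']
    for idx, a in enumerate(alerts, start=1):
        name = _attr(f"[{RISK.get(a['riskcode'], '?')}] {a['name']}")
        hits = "".join(f"\n* {i['uri']}\n  - {i['method']}" +
                       (f"\n  - {i['evidence']}" if i["evidence"] else "") for i in a["instances"])
        trace = f"Solution:\n{a['solution']}\n\nReference:\n{a['reference']}\n\ninstances:{hits}"
        out += [f'    <test-case id="{1000 + idx}" name="{name}" fullname="{name}" '
                f'classname="{_attr(a["site"])}" result="Failed">',
                "      <failure>",
                f"        <message>{_cdata(a['desc'])}</message>",
                f"        <stack-trace>{_cdata(trace)}</stack-trace>",
                "      </failure>", "    </test-case>"]
    out += ["  </test-suite>", "</test-run>"]
    return "\n".join(out)


def gate(alerts, fail_on_risk=3):
    """Return (ok, counts per riskcode); ok is False if any alert reaches fail_on_risk (3 = High)."""
    counts = {}
    for a in alerts:
        counts[a["riskcode"]] = counts.get(a["riskcode"], 0) + 1
    return all(r < fail_on_risk for r in counts), counts


if __name__ == "__main__":
    # Usage: python3 zap_to_nunit.py [xml_report.xml | owaspzap/report.json] > converted_report.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    found = load_alerts(text)
    print(to_nunit(found))
    ok, counts = gate(found)
    print({RISK.get(k, k): v for k, v in counts.items()}, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

In either pipeline this replaces the PowerShell or handlebars step: run it on `xml_report.xml` or `owaspzap/report.json`, redirect its output to the file PublishTestResults@2 reads, and let its exit status decide whether the stage fails, which is the gate the `true` in the first pipeline gives away.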