We are trying to integrate OWASP ZAP scans into our build cycle. When a new build reaches the QA team, they run an automation tool similar to Selenium, which opens a Firefox web browser on a Windows machine and runs their test cases. Being completely new to ZAP, this is what I have set up now to get the scan results from those tests regularly.
- Installed the ZAP tool on a Linux machine; it is running in daemon mode with an api-key on port 8080.
- Made changes in the Firefox settings on the Automation Test machine so that each new Firefox profile opened by Selenium will have the proxy pointed to <IP_of_ZAP_Machine:8080>.
- A cronjob will run every midnight that does the following, in this order:
  1. Collects the URLs scanned by calling the URL
     http://IP_of_ZAP_Machine:8080/XML/core/view/sites/?zapapiformat=XML
  2. Generates a list of URLs which show the alerts for each 'site' obtained from the previous step.
     Example: http://IP_of_ZAP_Machine:8080/HTML/core/view/alerts/?zapapiformat=HTML&baseurl=https%3A%2F%2Fwww.example.com&start=&count=
     for the results of the scan on https://www.example.com
  3. Downloads the scan results in HTML format by calling all the URLs from the above step and putting all the HTMLs in a ZIP file.
  4. Emails the ZIP file to my team.
  5. Loads a new session so that the results e-mailed next midnight will contain results only from the previous midnight. The new session is loaded using the URL
     http://IP_of_ZAP_Machine:8080/JSON/core/action/newSession/?zapapiformat=JSON&apikey=<my_api_key>&name=${newsessionname}&overwrite=
While I am getting the scan results as expected every day, the question is: Am I doing it right? Is there a more correct or established way of doing this?
Note: Results from all the steps are logged into a log file for future verification.
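The nightly job described in the question, written out as an added Python example (not the poster's own cron script): it parses the `core/view/sites` response, builds the percent-encoded per-site alert URLs, zips the HTML reports, and only then starts a new session so a failed download never loses a night's results. The ZAP host, the API key and the `<sites><site>…</site></sites>` layout of the XML response are assumptions; the sample response is constructed.

```python
import io
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
import zipfile
from datetime import date

ZAP = "http://IP_of_ZAP_Machine:8080"   # placeholder from the question
API_KEY = "<my_api_key>"                # placeholder from the question

# Constructed sample of the assumed core/view/sites XML shape (not real ZAP output).
SAMPLE_SITES_XML = b"<sites><site>https://www.example.com</site></sites>"


def sites_url():
    return f"{ZAP}/XML/core/view/sites/?zapapiformat=XML"


def parse_sites(xml_bytes):
    """Return the list of site base URLs from the sites view (assumed <site> elements)."""
    root = ET.fromstring(xml_bytes)
    return [s.text.strip() for s in root.iter("site") if s.text]


def alerts_url(site):
    """Per-site HTML alert view; baseurl must be percent-encoded (':' -> %3A, '/' -> %2F)."""
    q = urllib.parse.urlencode({"zapapiformat": "HTML", "baseurl": site,
                                "start": "", "count": ""})
    return f"{ZAP}/HTML/core/view/alerts/?{q}"


def new_session_url(name):
    """newSession action; the api key travels in the query string as in the question."""
    q = urllib.parse.urlencode({"zapapiformat": "JSON", "apikey": API_KEY,
                                "name": name, "overwrite": ""})
    return f"{ZAP}/JSON/core/action/newSession/?{q}"


def fetch(url):
    with urllib.request.urlopen(url, timeout=60) as r:
        return r.read()


def build_report_zip(fetch=fetch):
    """Steps 1-3 of the cron job: returns (zip bytes, sites) without touching the session."""
    sites = parse_sites(fetch(sites_url()))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for site in sites:
            # Encode the URL so the archive member name has no '/' or ':'.
            z.writestr(urllib.parse.quote(site, safe="") + ".html", fetch(alerts_url(site)))
    return buf.getvalue(), sites


if __name__ == "__main__":
    data, sites = build_report_zip()
    with open(f"zap-{date.today()}.zip", "wb") as f:
        f.write(data)                                   # step 4 (e-mail) goes here
    fetch(new_session_url(f"nightly-{date.today()}"))  # step 5, only after the ZIP is saved
```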