Security scanning with ZAP

[Piedone]

Is your feature request related to a problem? Please describe.

Sometimes we are notified about security issues by a community member, and it also happens that people run security scans for an Orchard Core app. However, we don't have a planned and especially continuous way to ensure that we don't introduce security issues.

Describe the solution you'd like

While ultimately, only an in-depth and application-specific pentest can reveal all security issues, we could still utilize Zed Attack Proxy (ZAP) to run scans automatically. ZAP is the world's most widely used web app security scanner, and a fellow open-source project I can recommend.

Just now, we've released a feature for our UI Testing Toolbox to run ZAP scans from a UI test of an Orchard Core app, see the announcement here and docs here. A security scan can be executed with as little as this xUnit test:

[Fact]
public Task BasicSecurityScanShouldPass() => ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());

We could use this feature to run a full security scan on Orchard Core before releases. For this, we could have a separate repository with an Orchard Core solution using the latest preview packages. We could even run this more frequently, even weekly, and then the package references can be kept up to date automatically. It could even create issues for any new findings.

Also, while we’re at it, it could run some smoke testing with Basic Orchard features tests and Monkey tests.

Related:

• UI testing with C# tests and Selenium with the Lombiq UI Testing Toolbox #12834
• Offer security checks (OSOE-351) Lombiq/UI-Testing-Toolbox#128

Describe alternatives you've considered

A bare-bones ZAP integration can be done with e.g. the ZAP Action Full Scan GitHub Actions action, that runs the Full Scan packages scan of ZAP. However, this needs a running app, and fine-tuned configuration and assertions are not available.