Jenkins Pipeline for periodic security scanning with OWASP ZAP inside Docker
features:
- supports concurrent runs
- supports scanning using authentication (stored inside context files)
- support for exclude regexes
- publishes scan results in json, xml and html
- support for cron triggers
- portable, because everything runs inside Docker
requirements:
- docker and jq installed on the Jenkins node
- in order to run scans periodically via a cron expression, you need the parameterized-scheduler Jenkins plugin
- to allow rendering of the results file, you need the htmlpublisher Jenkins plugin
to add a new target you need to
- add it to the Jenkinsfile variable targets
- optional: add a context file to the folder zap-context (see docs)
- optional: if you want to run it periodically, add a line to Jenkinsfile -> pipeline -> triggers -> parameterizedCron
due to a known bug, the zap-cli does not respect the <excregexes> section of zap context files,
so this pipeline contains a slightly modified implementation to work around it.
You simply need to place a file called <target>.context.exclude
in contexts, with one exclude regex per line.
Please refer to the examples.
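As an added example (not the project's own Jenkinsfile), here is one file that ties together the two sections above: the targets variable, the parameterizedCron trigger lines, a docker run that wraps zap-cli, the per-line handling of <target>.context.exclude and the publishHTML step. The TARGET parameter name, the contexts/ and reports/ folders, the derived TARGET_NAME and the owasp/zap2docker-stable image are assumptions; the two target URLs are constructed.

```groovy
// Added example Jenkinsfile for this README; it is not the project's own Jenkinsfile.
// Assumed, not taken from the README: a TARGET choice parameter, context files under
// contexts/, the owasp/zap2docker-stable image (which ships zap-cli) and a reports/ folder.
def targets = [
    'https://staging.example.invalid',   // constructed sample target
    'https://shop.example.invalid',      // constructed sample target
]

pipeline {
    agent any
    // no disableConcurrentBuilds(): concurrent runs get their own workspace and container
    options { timestamps() }
    parameters {
        choice(name: 'TARGET', choices: targets.join('\n'), description: 'target to scan')
    }
    triggers {
        // parameterized-scheduler plugin: cron expression, then the parameter value for that run
        parameterizedCron('''
            H 2 * * *   %TARGET=https://staging.example.invalid
            H 4 * * 0   %TARGET=https://shop.example.invalid
        ''')
    }
    stages {
        stage('scan') {
            steps {
                script {
                    // contexts/<target>.context and contexts/<target>.context.exclude are looked
                    // up by host name, with characters unsafe in file names replaced by '_'
                    env.TARGET_NAME = params.TARGET.replaceAll(/^https?:\/\//, '').replaceAll(/[^A-Za-z0-9.-]/, '_')
                }
                sh '''
                    set -eu
                    mkdir -p reports
                    # everything ZAP-related runs inside the container; the workspace is mounted
                    # so the container can read contexts/ and write reports/
                    docker run --rm -e TARGET -e TARGET_NAME \
                        -v "$WORKSPACE:/zap/wrk:rw" -w /zap/wrk owasp/zap2docker-stable sh -c '
                        set -eu
                        zap-cli start --start-options "-config api.disablekey=true"
                        ctx="contexts/$TARGET_NAME.context"
                        if [ -f "$ctx" ]; then zap-cli context import "$ctx"; fi
                        # workaround described in the README: the context file excregexes are
                        # ignored by zap-cli, so apply <target>.context.exclude line by line
                        excl="$ctx.exclude"
                        if [ -f "$excl" ]; then
                            while IFS= read -r re || [ -n "$re" ]; do
                                [ -z "$re" ] && continue
                                zap-cli exclude "$re"
                            done < "$excl"
                        fi
                        # quick-scan exits non-zero when alerts are found; the reports are still wanted
                        zap-cli quick-scan --spider -r "$TARGET" || true
                        zap-cli report -o reports/zap-report.html -f html
                        zap-cli report -o reports/zap-report.xml -f xml
                        zap-cli alerts -f json > reports/zap-report.json || true
                        zap-cli shutdown
                    '
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'reports/*', allowEmptyArchive: true
                    // htmlpublisher plugin renders the HTML report in the job UI
                    publishHTML([reportDir: 'reports', reportFiles: 'zap-report.html',
                                 reportName: "ZAP ${env.TARGET_NAME}",
                                 keepAll: true, alwaysLinkToLastBuild: true, allowMissing: true])
                }
            }
        }
    }
}
```

Adding a target then means appending it to targets (and, for a scheduled run, one more parameterizedCron line); the exclude loop skips blank lines, so a <target>.context.exclude file may end with a trailing newline or not.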