{
"$schema": "https://raw.githubusercontent.com/AArnott/vso-agent-tasks/9b41d803a/tasks.schema.json",
"id": "dbe30948-5954-4e03-ab88-b35c3b16ec46",
"name": "OwaspZapScan",
"friendlyName": "OWASP Zed Attack Proxy Scan",
"description": "Visual Studio Team Services build/release task for running OWASP ZAP automated security tests",
"helpMarkDown": "[More Information](https://github.com/kasunkv/owasp-zap-vsts-task)",
"category": "Test",
"visibility": [
"Build",
"Release"
],
"runsOn": [
"Agent",
"MachineGroup",
"Server"
],
"author": "Kasun Kodagoda",
"version": {
"Major": 1,
"Minor": 53,
"Patch": 0
},
"demands": [
"npm"
],
"minimumAgentVersion": "1.92.0",
"groups": [
{
"name": "apiConfiguration",
"displayName": "ZAP API Configuration",
"isExpanded": true
},
{
"name": "spiderScanOptions",
"displayName": "Spider Scan Options",
"isExpanded": true
},
{
"name": "activeScanOptions",
"displayName": "Active Scan Options",
"isExpanded": true
},
{
"name": "verificationConfig",
"displayName": "Configure Verification",
"isExpanded": false
},
{
"name": "reportingConfiguration",
"displayName": "Configure Reports",
"isExpanded": false
}
],
"inputs": [
{
"name": "ZapApiUrl",
"type": "string",
"label": "ZAP API Url",
"required": true,
"groupName": "apiConfiguration",
"helpMarkDown": "The fully qualified domain name (FQDN) without the protocol. _(Eg. zap.example.com)_"
},
{
"name": "ZapApiKey",
"type": "string",
"label": "API Key",
"required": true,
"groupName": "apiConfiguration",
"helpMarkDown": "The API key for ZAP. Details about obtaining the API key can be found [here](https://github.com/zaproxy/zaproxy/wiki/FAQapikey). Supply it from a secret pipeline variable rather than entering it in plain text."
},
{
"name": "TargetUrl",
"type": "string",
"label": "Target URL",
"required": true,
"groupName": "apiConfiguration",
"helpMarkDown": "Target URL that the active scan is performed against."
},
{
"name": "ExecuteSpiderScan",
"type": "boolean",
"label": "Execute Spider",
"required": false,
"groupName": "spiderScanOptions",
"helpMarkDown": "Enable to run a spider scan on the target."
},
{
"name": "RecurseSpider",
"type": "boolean",
"label": "Recurse",
"required": false,
"groupName": "spiderScanOptions",
"helpMarkDown": "Enable to use the nodes underneath the specified target to seed the spider.",
"visibleRule": "ExecuteSpiderScan = true"
},
{
"name": "SubtreeOnly",
"type": "boolean",
"label": "Subtree Only",
"required": false,
"groupName": "spiderScanOptions",
"helpMarkDown": "Enable to restrict the spider to the target URL subtree.",
"visibleRule": "ExecuteSpiderScan = true"
},
{
"name": "ContextName",
"type": "string",
"label": "Context Name",
"required": false,
"groupName": "spiderScanOptions",
"helpMarkDown": "Set to constrain the scan to a Context.",
"visibleRule": "ExecuteSpiderScan = true"
},
{
"name": "MaxChildrenToCrawl",
"type": "string",
"label": "Max Children To Crawl",
"required": false,
"groupName": "spiderScanOptions",
"helpMarkDown": "Set to limit the number of children scanned.",
"visibleRule": "ExecuteSpiderScan = true"
},
{
"name": "ExecuteActiveScan",
"type": "boolean",
"label": "Execute Active Scan",
"required": false,
"groupName": "activeScanOptions",
"helpMarkDown": "Enable to run an active scan on the target."
},
{
"name": "ContextId",
"type": "string",
"label": "Context ID",
"required": false,
"groupName": "activeScanOptions",
"helpMarkDown": "Context identifier of the Scan context",
"visibleRule": "ExecuteActiveScan = true"
},
{
"name": "Recurse",
"type": "boolean",
"label": "Recurse",
"defaultValue": "true",
"required": false,
"groupName": "activeScanOptions",
"helpMarkDown": "Set recurse option to scan URLs under the given target URL",
"visibleRule": "ExecuteActiveScan = true"
},
{
"name": "InScopeOnly",
"type": "boolean",
"label": "In Scope Only",
"required": false,
"groupName": "activeScanOptions",
"helpMarkDown": "Set In Scope only to true to constrain the scan to URLs that are in scope (ignored if a Context is specified)",
"visibleRule": "ExecuteActiveScan = true"
},
{
"name": "ScanPolicyName",
"type": "string",
"label": "Scan Policy Name",
"required": false,
"groupName": "activeScanOptions",
"helpMarkDown": "Scan Policy Name allows you to specify the scan policy (if none is given, the default scan policy is used)",
"visibleRule": "ExecuteActiveScan = true"
},
{
"name": "Method",
"type": "string",
"label": "Method",
"required": false,
"groupName": "activeScanOptions",
"helpMarkDown": "Allows you to select a given request in conjunction with the given URL",
"visibleRule": "ExecuteActiveScan = true"
},
{
"name": "PostData",
"type": "multiLine",
"label": "POST Data",
"required": false,
"groupName": "activeScanOptions",
"helpMarkDown": "Allows you to select a given request in conjunction with the given URL",
"visibleRule": "ExecuteActiveScan = true",
"properties": {
"resizable": true,
"rows" : "10"
}
},
{
"name": "EnableVerifications",
"type": "boolean",
"label": "Enable Verifications",
"required": false,
"groupName": "verificationConfig",
"helpMarkDown": "Enable to add thresholds for security risk types and fail the build if the threshold is exceeded."
},
{
"name": "MaxHighRiskAlerts",
"type": "string",
"label": "High Risk Alert Threshold",
"required": false,
"groupName": "verificationConfig",
"helpMarkDown": "Maximum number of High Risk Alerts allowed",
"visibleRule": "EnableVerifications = true"
},
{
"name": "MaxMediumRiskAlerts",
"type": "string",
"label": "Medium Risk Alert Threshold",
"required": false,
"groupName": "verificationConfig",
"helpMarkDown": "Maximum number of Medium Risk Alerts allowed",
"visibleRule": "EnableVerifications = true"
},
{
"name": "MaxLowRiskAlerts",
"type": "string",
"label": "Low Risk Alert Threshold",
"required": false,
"groupName": "verificationConfig",
"helpMarkDown": "Maximum number of Low Risk Alerts allowed",
"visibleRule": "EnableVerifications = true"
},
{
"name": "ReportType",
"type": "pickList",
"label": "Report Type",
"required": false,
"groupName": "reportingConfiguration",
"helpMarkDown": "Select the type of report you want generated. Available types are *HTML*, *XML* & *Markdown*",
"options": {
"html": "HTML Report",
"xml": "XML Report",
"md": "Markdown Report"
},
"defaultValue": "html"
},
{
"name": "ReportFileDestination",
"type": "filePath",
"label": "Destination Folder",
"required": false,
"groupName": "reportingConfiguration",
"helpMarkDown": "The destination folder in which the report file is created. You can use [variables](https://go.microsoft.com/fwlink/?LinkID=550988). Eg.: _$(agent.builddirectory)_",
"defaultValue": "$(System.DefaultWorkingDirectory)"
},
{
"name": "ReportFileName",
"type": "string",
"label": "Report Filename",
"required": false,
"groupName": "reportingConfiguration",
"helpMarkDown": "Name of the report file, without the extension. Extension is determined by the *Report Type*. Eg. _OWASP-ZAP-Report-2017-00-00_",
"defaultValue": "OWASP-ZAP-Report-$(Build.BuildId)"
}
],
"instanceNameFormat": "OWASP ZAP Active Scan",
"execution": {
"Node": {
"target": "dist\\owaspzapscan.js",
"argumentFormat": ""
}
},
"messages": { }
}