How to call OWASP ZAP in new YAML pipeline #35

Open
bdelaney opened this issue Feb 25, 2019 · 1 comment
@bdelaney

In new AZ DevOps (free version, like old VSTS but with dev.azure.com) the default pipeline is YAML. I can turn off that preview feature to find the task in the old GUI method, but would like to start using YAML pipelines. How to call OWASP ZAP using that?

@kasunkv
Owner

kasunkv commented Aug 28, 2019

Hi @bdelaney, thanks for the question. One trick you can do is to configure the OWASP ZAP task using the designer and copy the generated YAML into your YAML pipeline definition file. You can copy the YAML using this designer by clicking on the View YAML button.

Also, here is a sample YAML definition:

```yaml
# Pipeline variables referenced by the task inputs below
variables:
  Zap.Url: 'zap.example.com'
  Zap.ApiKey: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

steps:
- task: kasunkodagoda.owasp-zap-scan.owasp-zap-scan.OwaspZapScan@2
  displayName: 'OWASP ZAP Scan'
  inputs:
    ZapApiUrl: '$(Zap.Url)'
    ZapApiKey: '$(Zap.ApiKey)'
    TargetUrl: 'https://target.example.com'
    ExecuteSpiderScan: true
    RecurseSpider: true
    SubtreeOnly: false
    ExecuteActiveScan: true
    InScopeOnly: false
    EnableVerifications: false
    # The report is written to the artifact staging directory
    ReportFileDestination: '$(Build.ArtifactStagingDirectory)'
    ReportFileName: 'OWASP-ZAP-Report-$(Build.BuildId)'
```

Also as an improvement, I will add the YAML definition for the task into the documentation as well. Thanks for bringing this to my attention. :)

@kasunkv kasunkv self-assigned this Aug 28, 2019
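
A variant of the sample above, added here as an example and not taken from the extension author or its documentation: the ZAP API key comes from a secret variable instead of being written into the committed YAML file, and the generated report is published as a build artifact. The variable group name `zap-scan-secrets` and the artifact name `zap-report` are hypothetical; the group is assumed to exist under Pipelines > Library with `Zap.ApiKey` stored as a secret.

```yaml
# Added example, not the extension author's code.
# Assumption: a variable group named 'zap-scan-secrets' (hypothetical) defines
# Zap.ApiKey as a secret variable, so the key never appears in the repository.
variables:
- group: zap-scan-secrets
- name: Zap.Url
  value: 'zap.example.com'

steps:
- task: kasunkodagoda.owasp-zap-scan.owasp-zap-scan.OwaspZapScan@2
  displayName: 'OWASP ZAP Scan'
  inputs:
    ZapApiUrl: '$(Zap.Url)'
    ZapApiKey: '$(Zap.ApiKey)'   # resolved from the variable group at run time
    TargetUrl: 'https://target.example.com'
    ExecuteSpiderScan: true
    RecurseSpider: true
    SubtreeOnly: false
    ExecuteActiveScan: true
    InScopeOnly: false
    EnableVerifications: false
    ReportFileDestination: '$(Build.ArtifactStagingDirectory)'
    ReportFileName: 'OWASP-ZAP-Report-$(Build.BuildId)'

# Publish whatever the scan wrote to the staging directory, even if an
# earlier step failed, so the report is available for review.
- task: PublishBuildArtifacts@1
  displayName: 'Publish ZAP report'
  condition: succeededOrFailed()
  inputs:
    PathtoPublish: '$(Build.ArtifactStagingDirectory)'
    ArtifactName: 'zap-report'   # hypothetical artifact name
```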