Releases: kerberosmansour/zaprun

v0.1.0 — first signed and attested release

12 May 08:37

First public release of zaprun: a deterministic CLI + a hardened OWASP ZAP image, both signed and attested.

What's in this release

  • Image: ghcr.io/kerberosmansour/zaprun:v0.1.0 (also published as :v0.1, :v0, the full commit SHA, and :edge for main HEAD; no :latest is published).
  • Image digest: sha256:1caa4c454beac1a5ca67bb06484282b94e43a5cd01ba772ec1a2b78a6ed4c649
  • Signature: cosign keyless via Sigstore (Fulcio cert + Rekor transparency log).
  • Attestations: SLSA Build Provenance v1, SPDX-JSON SBOM, CycloneDX-JSON SBOM — all published alongside the image.

Quick start

docker run --rm \
  -v "$PWD/output:/zap/wrk/output" \
  ghcr.io/kerberosmansour/zaprun:v0.1.0 \
  zaprun scan http://host.docker.internal:4000 --active --profile spa-pr

Verify the release

# Anyone can pull — no auth needed.
docker pull ghcr.io/kerberosmansour/zaprun:v0.1.0

# Verify SLSA Build Provenance + SBOMs.
gh attestation verify \
  oci://ghcr.io/kerberosmansour/zaprun@sha256:1caa4c454beac1a5ca67bb06484282b94e43a5cd01ba772ec1a2b78a6ed4c649 \
  --repo kerberosmansour/zaprun

# Verify the cosign keyless signature.
cosign verify \
  --certificate-identity-regexp '^https://github.com/kerberosmansour/zaprun/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/kerberosmansour/zaprun@sha256:1caa4c454beac1a5ca67bb06484282b94e43a5cd01ba772ec1a2b78a6ed4c649
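
The cosign command above only tells you that some GitHub Actions identity under the repo signed the image; in CI you usually also want to assert the exact digest before running anything. The following is an added example, not code from the zaprun project: it checks the JSON that `cosign verify` prints against the digest, issuer and identity stated in this release. The sample outputs are constructed, the workflow path in them is made up, and the output field layout is assumed from cosign's simple-signing payload format.

```python
import json
import re

# Values taken from the release notes; the identity regex mirrors the cosign command above.
EXPECTED_DIGEST = "sha256:1caa4c454beac1a5ca67bb06484282b94e43a5cd01ba772ec1a2b78a6ed4c649"
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
IDENTITY_RE = re.compile(r"^https://github\.com/kerberosmansour/zaprun/")


def signature_policy_violations(cosign_json: str) -> list:
    """Check `cosign verify` JSON output against the pinned digest and signer policy.

    Returns human-readable violations; an empty list means every signature entry
    carries the expected digest, OIDC issuer and signer identity. The field layout
    (critical.image.docker-manifest-digest, optional.Issuer, optional.Subject) is
    assumed from cosign's simple-signing payload format.
    """
    try:
        entries = json.loads(cosign_json)
    except json.JSONDecodeError as exc:
        return [f"output is not JSON: {exc}"]
    if not isinstance(entries, list) or not entries:
        return ["no signature entries in cosign output"]
    problems = []
    for i, entry in enumerate(entries):
        digest = entry.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        issuer = entry.get("optional", {}).get("Issuer")
        subject = entry.get("optional", {}).get("Subject", "")
        if digest != EXPECTED_DIGEST:
            problems.append(f"entry {i}: digest {digest!r} is not the pinned release digest")
        if issuer != EXPECTED_ISSUER:
            problems.append(f"entry {i}: OIDC issuer {issuer!r} is not GitHub Actions")
        if not IDENTITY_RE.match(subject):
            problems.append(f"entry {i}: signer {subject!r} is not a kerberosmansour/zaprun workflow")
    return problems


# Constructed sample outputs (not captured from the real registry); the workflow path is made up.
WORKFLOW = "/.github/workflows/release.yml@refs/tags/v0.1.0"
GOOD = json.dumps([{"critical": {"image": {"docker-manifest-digest": EXPECTED_DIGEST}},
                    "optional": {"Issuer": EXPECTED_ISSUER,
                                 "Subject": "https://github.com/kerberosmansour/zaprun" + WORKFLOW}}])
# Same digest and GitHub issuer, but signed from a fork: the identity check must reject it.
FORK = json.dumps([{"critical": {"image": {"docker-manifest-digest": EXPECTED_DIGEST}},
                    "optional": {"Issuer": EXPECTED_ISSUER,
                                 "Subject": "https://github.com/someone-else/zaprun" + WORKFLOW}}])

if __name__ == "__main__":
    print("release:", signature_policy_violations(GOOD) or "passes policy")
    print("fork:", signature_policy_violations(FORK))
```

In a pipeline, feed it `cosign verify ... --output json` and fail the job on a non-empty list, then run the image by `@sha256:` digest rather than by tag.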

Supply chain

  • Base: digest-pinned Wolfi base.
  • ZAP: 2.17.0 release tarball, SHA-256-checked in the Dockerfile.
  • Add-ons: network-beta-0.27.0 (checksum-pinned). See .trivyignore for two HIGH Netty CVEs currently suppressed pending upstream rebundle.
  • CLI: Rust workspace under crates/, MIT-licensed.
  • Build: GitHub Actions with SLSA Build L3 isolation — id-token: write lives only in the reusable signing workflow, not in the build job.

What this image is for

DAST scans in CI: deterministic Automation Framework plans, stable artifact contract (plan.yaml, run.json, summary.json, coverage.json, capabilities.json, observations.json, plus ZAP's JSON/HTML/SARIF reports), and no reliance on live add-on installs at scan time.

Documentation

What's next

The maintenance loop is wired up: .github/workflows/scheduled-image-rebuild.yml re-builds the image weekly (Mondays 06:00 UTC) and re-runs the Trivy scans; Renovate will open dependency PRs (Cargo + GHA SHA pins) on the same cadence once the Renovate App is installed on the repo.