This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update ZAP command in circleci (#3321)
* Only fail baseline tests when FAILs are found
1 parent 8874729, commit 8032330
Showing 2 changed files with 47 additions and 2 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
# zap-baseline rule configuration file | ||
# change FAIL to IGNORE to ignore rule or FAIL to fail if rule matches | ||
# only the rule identifiers are used - the names are just for info | ||
2 IGNORE (Private IP Disclosure) | ||
10010 FAIL (Cookie No HttpOnly Flag) | ||
10011 FAIL (Cookie Without Secure Flag) | ||
10012 IGNORE (Password Autocomplete in browser) | ||
10016 FAIL (Web Browser XSS Protection Not Enabled) | ||
# Warn on 10017 for now, need to decide how to handle SRI's better | ||
10017 WARN (Cross-Domain JavaScript Source File Inclusion) | ||
10019 FAIL (Content-Type Header Missing) | ||
10020 FAIL (X-Frame-Options Header Not Set) | ||
10021 FAIL (X-Content-Type-Options Header Missing) | ||
10023 IGNORE (Information Disclosure - Debug Error Messages) | ||
10026 IGNORE (HTTP Parameter Override) | ||
10027 IGNORE (Information Disclosure - Suspicious Comments) | ||
10031 IGNORE (User Controllable HTML Element Attribute - Potential XSS) | ||
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative)) | ||
10035 FAIL (Strict-Transport-Security Header Not Set) | ||
10036 IGNORE (Server Leaks Version Information via "Server" HTTP Response Header Field) | ||
10037 IGNORE (Server Leaks Information via "X-Powered-By" HTTP Response Header Field) | ||
10038 FAIL (Content Security Policy (CSP) Header Not Set) | ||
10039 IGNORE (X-Backend-Server Header Information Leak) | ||
10040 FAIL (Secure Pages Include Mixed Content) | ||
10049 IGNORE (Storable and Cacheable Content) | ||
10050 IGNORE (Retrieved from Cache) | ||
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak) | ||
10055 WARN (CSP Scanner: style-src unsafe-inline) | ||
10094 IGNORE (Base64 Disclosure) | ||
10096 IGNORE (Timestamp Disclosure) | ||
10097 IGNORE (Hash Disclosure) | ||
10098 FAIL (Cross-Domain Misconfiguration) | ||
10099 IGNORE (Source Code Disclosure - SQL) | ||
10202 FAIL (Absence of Anti-CSRF Tokens) | ||
# Previous ID, still in released version | ||
40014 FAIL (Absence of Anti-CSRF Tokens) | ||
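Review bot: the header comment on the third line of this file ("change FAIL to IGNORE to ignore rule or FAIL to fail if rule matches") describes only two of the three levels the file actually uses (IGNORE, WARN, FAIL), so the WARN entries for 10017 and 10055 are not explained; restating it as "change WARN to IGNORE to ignore rule or FAIL to fail if rule matches" covers all three. Also, since this commit makes the baseline job fail only when FAIL results are found, the information-disclosure rules set to IGNORE here (10023, 10036, 10037, 10099) could be left at WARN instead: they would still show up in the report without breaking the build, whereas IGNORE drops them from the output entirely.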