A Docker build for OWASP Zed Attack Proxy to be used in CI/CD pipelines
Latest commit 76f78d0 (Jan 14, 2019) by InfoSec812: Merge pull request #8 from dhartford/patch-1, "Update README.md for -x report usage with sonarqube plugin"
Repository contents (name: latest commit message, commit date):

configuration: Added Jenkins slave files, Aug 2, 2017
policies: Ported to Fedora for OpenShift, Jul 15, 2017
scripts/scripts/httpsender: Ported to Fedora for OpenShift, Jul 15, 2017
zap: Debugging permissions, Aug 4, 2017
.dockerignore: Ignore screenshots for docker build, Aug 3, 2017
.xinitrc: Ported to Fedora for OpenShift, Jul 15, 2017
Demo_Script.md: Merge branch 'master' of https://github.com/rht-labs/owasp-zap-openshift, Aug 4, 2017
Dockerfile
Jenkins_Available_Plugins_HTML_Publisher.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Build_Scheduled.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Deployed.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Disable_Concurrent_Builds.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Install_And_Restart.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Kube_Slave_Config.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Kubernetes_Cloud.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Main_Page.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Manage_Plugins.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Manage_System.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_New_Pipeline.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_OpenShift_Login.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Scan_Console_Output.png: Add screenshots to Demo Script, Aug 3, 2017
Jenkins_Set_Pipeline_Script.png
Jenkins_ZAP_Report_Link.png: Add screenshots to Demo Script, Aug 3, 2017
Kube_Pod_Template.png: Cropped image, Aug 2, 2017
README.md: Update README.md, Jan 14, 2019
ZAP_Build_Log.png
ZAP_Image_Stream.png: Add screenshots to Demo Script, Aug 3, 2017
ZAP_Report_Page.png
webswing.config: Ported to Fedora for OpenShift, Jul 15, 2017

README.md

OWASP ZAP Image For OpenShift

Overview

The public Docker registry version of OWASP's Zed Attack Proxy (ZAP) cannot run on OpenShift without a privileged container. This Docker image resolves that issue.

Running

Running this image works exactly like running the public OWASP ZAP Docker image, so see the ZAP Docker wiki page HERE.

Deploying In OpenShift

oc new-build -l 'role=jenkins-slave' https://github.com/rht-labs/owasp-zap-openshift.git

Configuring In OpenShift Jenkins

  1. Log in to Jenkins with an account which has permissions to manage the Jenkins instance
  2. Install the following plugins:
    1. HTML Publisher Plugin
  3. Restart Jenkins
  4. Log back in to Jenkins and navigate to Manage Jenkins -> Configure System
  5. Scroll down to the Kubernetes cloud configuration
  6. Add a new "Pod Template" as shown in the Kube_Pod_Template.png screenshot in this repository

Using it in your Jenkinsfile

stage('Get a ZAP Pod') {
    node('zap') {
        stage('Scan Web Application') {
            dir('/zap') {
                def retVal = sh returnStatus: true, script: '/zap/zap-baseline.py -r baseline.html -t http://<some-web-site>'
                publishHTML([allowMissing: false, alwaysLinkToLastBuild: false, keepAll: true, reportDir: '/zap/wrk', reportFiles: 'baseline.html', reportName: 'ZAP Baseline Scan', reportTitles: 'ZAP Baseline Scan'])
                echo "Return value is: ${retVal}"
            }
        }
    }
}

Using it in your Jenkinsfile with the SonarQube ZAP plugin (which needs the XML report produced by -x, given as a bare file name with no directory component and no special characters)

stage('Get a ZAP Pod') {
    node('zap') {
        stage('Scan Web Application') {
            // Work in /zap/wrk: zap-baseline.py writes the report there and
            // stash patterns are relative to the current directory.
            dir('/zap/wrk') {
                // returnStatus keeps the step from aborting when the scan exits
                // non-zero because alerts were found, so the report still gets stashed.
                def retVal = sh returnStatus: true, script: "/zap/zap-baseline.py -d -m 5 -x zaprpt.xml -t http://<some-web-site>"
                // No mvn on the ZAP node, so stash the report and unstash it later
                // in the pipeline on a Maven node instead of the ZAP node:
                // sh "mvn sonar:sonar -Dsonar.zaproxy.reportPath=/zap/wrk/zaprpt.xml"
                stash name: "zaproxyreport", includes: "zaprpt.xml"
            }
        }
    }
}

The report is written to /zap/wrk/zaprpt.xml; stash, copy or pull it from there for the SonarQube step.
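The two halves above can be joined into one scripted pipeline: scan on the ZAP pod, hand the XML report to a Maven node for SonarQube, and set the build result from the scan outcome. This is an added example, not code from this repository; it assumes a node labelled 'maven' with mvn and SonarQube access, and a TARGET_URL job parameter.

```groovy
// Added example (not part of this repository). Assumptions: a 'maven' node label
// exists, and TARGET_URL is set on the job (or replace it with your site's URL).
def target = env.TARGET_URL ?: 'http://<some-web-site>'
def zapStatus = -1

stage('ZAP Baseline Scan') {
    node('zap') {
        // /zap/wrk is where zap-baseline.py writes its report, and stash
        // patterns are relative to the current directory.
        dir('/zap/wrk') {
            // -m 5: spider for at most 5 minutes; -x: XML report with a bare
            // file name, as the SonarQube ZAP plugin expects. returnStatus
            // stops the step from aborting when alerts are found.
            zapStatus = sh(returnStatus: true,
                           script: "/zap/zap-baseline.py -m 5 -x zaprpt.xml -t ${target}")
            stash name: 'zaproxyreport', includes: 'zaprpt.xml'
        }
    }
}

stage('Publish to SonarQube') {
    node('maven') {
        checkout scm
        dir('zap-report') {
            unstash 'zaproxyreport'
        }
        // Property name from the README above; the report now lives in this workspace.
        sh "mvn sonar:sonar -Dsonar.zaproxy.reportPath=${env.WORKSPACE}/zap-report/zaprpt.xml"
    }
}

stage('Gate on Scan Result') {
    // zap-baseline.py exit codes: 0 no alerts, 1 at least one FAIL,
    // 2 at least one WARN, 3 the scan itself could not run.
    switch (zapStatus) {
        case 0:
            echo 'ZAP baseline: no alerts'
            break
        case 2:
            currentBuild.result = 'UNSTABLE'
            echo 'ZAP baseline: warnings found, review the ZAP report in SonarQube'
            break
        default:
            error "ZAP baseline scan failed with exit code ${zapStatus}"
    }
}
```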
