Objective

Docker build file providing an image that bundles several web application security scanners, so that the image can be used as a command line tool.

Motivation

The final goal is to use the Docker image to integrate web application security scanners into a Continuous Integration platform.

Note

ZAP has been removed because the ZAP project already provides a very good Docker image with CI/CD integration.

Image

Location

An automated build has been defined on the Docker forge in order to build the image and push it to the Docker Hub repository.

The docker image name is righettod/docker-webappsecscanbox.

Run command example

Call syntax:

mkdir /tmp/reports
docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox [SCANNER_ID] [SCANNER_ARGS]

Note:

  • The --mount argument maps a folder of the host into the container, so that the scanner writes its results to a location that can be retrieved from the host afterwards.
  • Create the folder on the Docker host before running the image if it does not exist yet.

Display help:

docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox

Scan using Nikto

docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox NIK -host [TARGET_URL] \
           -F htm -output /home/auditor/nikto-scan.html

After the scan, the report will be available in the file /tmp/reports/nikto-scan.html on the Docker Host.

Scan using Arachni

# Run the scan
docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox ARS [TARGET_URL] \
           --report-save-path=/home/auditor/arachni_scan.afr
# Generate the report (here in HTML)
docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox ARR /home/auditor/arachni_scan.afr \
           --report=html:outfile=/home/auditor/arachni_scan_result.zip

After the second command, the report will be available in the file /tmp/reports/arachni_scan_result.zip on the Docker Host.

Scan using TestSSL

docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox TLS [TARGET_URL]

After the scan, the report will be available in the file /tmp/reports/testssl_scan.html on the Docker Host.
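The commands above are the building blocks of a CI job: create the report folder, run one scanner ID with its arguments through the bind mount, then collect the report on the host. The script below is an added example of such a job and is not part of the righettod/docker-webappsecscanbox project. It wraps the documented invocations for NIK, ARS/ARR and TLS in one function that verifies the expected report file actually exists and is non-empty after the run, so a scanner that crashed or wrote nothing fails the pipeline instead of being mistaken for a clean result. The IMAGE, DOCKER_BIN and REPORT_DIR variables and the run_scan, scan_nikto, scan_arachni and scan_testssl function names are assumptions of this example; the scanner IDs, container paths and report file names are those of the README.

```shell
#!/bin/sh
# Added example, not the project's own scan.sh: a CI wrapper around the
# righettod/webappsecscanbox image that runs one scanner and checks that the
# expected report was written into the bind-mounted folder.
# Assumptions: DOCKER_BIN can be overridden (e.g. with a stub for dry runs),
# REPORT_DIR is the host folder mounted on /home/auditor in the container.

IMAGE="${IMAGE:-righettod/webappsecscanbox}"
DOCKER_BIN="${DOCKER_BIN:-docker}"
REPORT_DIR="${REPORT_DIR:-/tmp/reports}"
CONTAINER_HOME=/home/auditor

# run_scan SCANNER_ID REPORT_FILE [SCANNER_ARGS...]
# Runs the scanner with the README's "docker run --mount ..." syntax and
# returns 0 only if it exited 0 AND REPORT_FILE exists (non-empty) in REPORT_DIR.
run_scan() {
  scanner_id="$1"
  report_name="$2"
  shift 2
  mkdir -p "$REPORT_DIR"
  # Remove a stale report so an old file cannot satisfy the check below.
  rm -f "$REPORT_DIR/$report_name"
  rc=0
  "$DOCKER_BIN" run --mount "type=bind,src=$REPORT_DIR,dst=$CONTAINER_HOME" \
    "$IMAGE" "$scanner_id" "$@" || rc=$?
  if [ ! -s "$REPORT_DIR/$report_name" ]; then
    echo "run_scan: $scanner_id exited $rc but produced no report at $REPORT_DIR/$report_name" >&2
    return 1
  fi
  echo "run_scan: $scanner_id report available at $REPORT_DIR/$report_name"
  return "$rc"
}

# Nikto: HTML report written to the mounted folder, as in the README.
scan_nikto() {
  run_scan NIK nikto-scan.html -host "$1" -F htm -output "$CONTAINER_HOME/nikto-scan.html"
}

# Arachni is a two-step process: scan (ARS) producing the .afr file, then
# report generation (ARR) producing the HTML report archive.
scan_arachni() {
  run_scan ARS arachni_scan.afr "$1" --report-save-path="$CONTAINER_HOME/arachni_scan.afr" &&
  run_scan ARR arachni_scan_result.zip "$CONTAINER_HOME/arachni_scan.afr" \
    --report=html:outfile="$CONTAINER_HOME/arachni_scan_result.zip"
}

# TestSSL: the report name testssl_scan.html is fixed by the image.
scan_testssl() {
  run_scan TLS testssl_scan.html "$1"
}

# Pipeline entry point: run the three scanners against one target URL and
# stop at the first failure so the CI job is marked as failed.
main() {
  target="$1"
  scan_nikto "$target" && scan_arachni "$target" && scan_testssl "$target"
}

# Only run the pipeline when a target URL is given on the command line.
[ "$#" -eq 0 ] || main "$@"
```

Usage in a job step: `REPORT_DIR=/tmp/reports sh scanbox-ci.sh http://target.example` (hypothetical file name), then archive /tmp/reports as the build artifact. Because the bind mount gives the container write access to the host folder, point REPORT_DIR at a dedicated, otherwise empty directory rather than at a source tree or a shared location.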