ZAP + Docker demo project
Docker DevSec demo project

Demo project about automating security testing with Docker. In this case the tools run as part of a Travis CI build.

The source code in this repository intentionally contains findings for the tools to report. In particular, the Python application is deliberately vulnerable to attacks, so be aware that running it on your own servers (as a demonstration) is a security risk!

Currently this repository demonstrates using these tools through Docker containers:

  1. OWASP Dependency Check
  2. OWASP ZAP
  3. retire.js
  4. Find Security Bugs (+ FindBugs)

[Figure: simplified security pipeline (simplified_security_pipeline.png)]

Note about ZAP scanning

In the usual case scanning requires authenticating the test user with some credentials. This is not currently easy, but soon will be. See the issue on GitHub.

Another common trick is to use some sort of custom HTTP header (mocking an SSO frontend, for example) that specifies the authenticated user. This can be achieved by loading a custom script which forces the HTTP header onto each request:

zap-cli scripts load --name=force-auth --script-type=proxy --engine='Oracle Nashorn' --file-path=$(pwd)/zap-header.js

In this example, zap-header.js essentially boils down to this:

// Called by ZAP for every proxied request; returning true lets it through.
function proxyRequest(msg) {
    msg.getRequestHeader().setHeader("user-auth", "test-user");
    return true;
}
// ZAP's proxy script interface also expects proxyResponse.
function proxyResponse(msg) { return true; }
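As an added example (not the repository's own zap-header.js), the script above extended with a host scope check, so the forced header is only added to in-scope requests and the test identity is not sent to third-party hosts that ZAP also proxies. The in-scope host list, header value and the fake HttpMessage stand-in used to exercise the logic outside ZAP are assumptions; inside ZAP only proxyRequest and proxyResponse are called.

```javascript
// Scope-aware variant of the forced-auth proxy script (added example, ES5 for Nashorn).
// Assumption: the app under test is reached via these host names; adjust per project.
var IN_SCOPE_HOSTS = ["localhost", "127.0.0.1"];
var AUTH_HEADER = "user-auth";   // same header name as the page's script
var AUTH_USER = "test-user";     // assumed test identity, not a real credential

// Case-insensitive exact match on the host name (ZAP returns it without the port).
function isInScope(host) {
  if (!host) { return false; }
  var h = String(host).toLowerCase();
  for (var i = 0; i < IN_SCOPE_HOSTS.length; i++) {
    if (IN_SCOPE_HOSTS[i].toLowerCase() === h) { return true; }
  }
  return false;
}

// ZAP calls this for every proxied request (msg is an HttpMessage).
// Returning true lets the request continue; returning false drops it.
function proxyRequest(msg) {
  var header = msg.getRequestHeader();
  if (isInScope(header.getHostName())) {
    header.setHeader(AUTH_HEADER, AUTH_USER);
  }
  return true;
}

// ZAP's proxy script interface also expects proxyResponse; nothing to change here.
function proxyResponse(msg) {
  return true;
}

// Constructed stand-in for ZAP's HttpMessage so the logic can be run outside ZAP.
function fakeMessage(host) {
  var headers = {};
  return {
    getRequestHeader: function () {
      return {
        getHostName: function () { return host; },
        setHeader: function (name, value) { headers[name.toLowerCase()] = value; },
        getHeader: function (name) { return headers[name.toLowerCase()] || null; }
      };
    }
  };
}
```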

Example log from Travis CI

For real projects, you would probably want to tune the tools to generate HTML reports or something more readable, and host those documents somewhere instead of dumping everything into the build server log. See the sample Travis CI log as an example.

Reports out of the docker container

This is still under development, but the example now uploads some of the generated reports to an Amazon S3 bucket from Travis. In practice this means mounting a local directory into the Docker container so that the container can write a file to the host machine. After the container shuts down, the file is uploaded to S3.

Sample reports generated by the Travis CI build: