Skip to content

Visual Studio Team Services build/release task for running OWASP ZAP automated security tests

License

Notifications You must be signed in to change notification settings

kasunkv/owasp-zap-vsts-task

Repository files navigation

Coveralls Status Known Vulnerabilities dependencies Status devDependencies Status Best Practices GitHub release license Visual Studio Marketplace Gitter

OWASP Zed Attack Proxy Scan Task

Visual Studio Team Services build/release task for running OWASP ZAP automated security tests. Run active scan against a target with security risk thresholds and ability to generate the scan report.

Using OWASP Zed Attack Proxy Scan Task

Follow the instructions given below to add and configure OWASP Zed Attack Proxy Task in your build/release pipeline.

Prerequisites

Add the OWASP Zed Attack Proxy Scan Task

Install the OWASP Zed Attack Proxy Scan Task in to your Visual Studio Team Services account and search for the task in the available tasks. The task will appear in the Test section of the task list. Add it to your build/release task.

Add OWASP Zed Attack Proxy Task

Required Configuration

OWASP Zed Attack Proxy Scan task has some required configuration options that needed to be provided.

These configurations are found in the ZAP API Configuration section.

Required Configuration Options

Required Options

  • ZAP API Url : The fully qualified domain name (FQDN) with out the protocol. (Eg. zap.example.com)
  • API Key : The API key for ZAP. Details about obtaining the API can be found on the Official Documentation
  • Target URL : Target URL where the active scan is performed against.

Spider Scan Options

This configuration section includes the parameters that need to be sent to perform the active scan against the target.

Spider Scan Options

Available Options

  • Execute Spider Scan : Enable to run a spider scan on the target.
  • Recurse : (Optional) Enable to use the nodes underneath the one specified target to seed the spider.
  • Subtree Only : (Optional) Enable to restrict the spider under the target url subtree.
  • Context Name : (Optional) Set to constrain the scan to a Context.
  • Max Children To Crawl : (Optional) Set to limit the number of children scanned.

Active Scan Options

This configuration section includes the parameters that need to be sent to perform the active scan against the target.

Active Scan Options

Available Options

  • Execute Active Scan : Enable to run a active scan on the target.
  • Context ID : (Optional) Context identifier of the Scan context.
  • Recurse : (Optional) Set recurse option to scan URLs under the given target URL.
  • In Scope Only : (Optional) Set In Scope only to true to constrain the scan to URLs that are in scope (ignored if a Context is specified).
  • Scan Policy Name : (Optional) Scan Policy Name allows to specify the scan policy (if none is given it uses the default scan policy).
  • Method : (Optional) Allow you to select a given request in conjunction with the given URL.
  • POST Data : (Optional) Allow you to select a given request in conjunction with the given URL.

Configure Verification

This configuration section includes the parameters that need to be sent to perform the active scan against the target.

Configure Verification

Available Options

  • Enable Verifications : Enable to add thresholds for security risk types and fail the build if the threshold is exceeded.
  • High Risk Alert Threshold : Number of Maximum allowed High Risk Alerts. If the number of high risk alerts equals or exceeds, the build will fail.
  • Medium Risk Alert Threshold : Number of Maximum allowed High Medium Alerts. If the number of high risk alerts equals or exceeds, the build will fail.
  • Low Risk Alert Threshold : Number of Maximum allowed Low Risk Alerts. If the number of high risk alerts equals or exceeds, the build will fail.

Configure Reports

This configuration section includes the parameters that need to be sent to perform the active scan against the target.

Configure Reports

Available Options

  • Report Type : Select the type of report you want generated. Available types are HTML, XML & Markdown.
  • Destination Folder : The destination folder that the report file is created. You can use variables. Eg. $(agent.builddirectory).
  • Report Filename : Name of the report file, without the extension. Extension is determined by the Report Type. Eg. OWASP-ZAP-Report-2017-00-00.

Contributing to OWASP Zed Attack Proxy Scan Task

Found a Bug?

  • Check currently listed Issues to make sure its not already listed.
  • If not Open a New Issue for the Bug. Include a detailed description including a proper title that is meaningful and a clear description with as much relevant details regarding the issue as possible.

Fixed a Bug?

  • Open a New Pull Request with the fix.
  • We are using a strict commit guideline with the OWASP Zed Attack Proxy Scan Task project. Please read the details in the Commit Guideline before you make commits.

Add/Suggest a New Feature, or Change Existing One?

  • Add your suggestions to the Gitter Chat for the project.
  • After getting a discussion going, Create a new Issue related to the feature in the Issues section. Add detailed description with a title for the issue.
  • Follow the Commit Guideline mentioned bellow when committing.
  • Create a Pull Request when you are done with the feature.

Have Questions?

  • All of your questions are welcome. Post them in the Gitter chat for the project.

Current Contributors

A special thanks to all the Contributors of the OWASP Zed Attack Proxy Scan Task Project. Your valuable contributions are most welcome. :)

About

Visual Studio Team Services build/release task for running OWASP ZAP automated security tests

Resources

License

Stars

Watchers

Forks

Packages

No packages published