Automate Security Testing in CI/CD with Zed Attack Proxy

  1. Configure Cypress to use localhost:8080 as its HTTP(S) proxy
rem Route the Cypress run's HTTP(S) traffic through the local ZAP proxy. `set` only
rem affects this console session, so the variables die with the window.
rem NOTE(review): proxying HTTPS through ZAP means ZAP terminates TLS with its own
rem certificate; the client has to trust ZAP's root CA for that to work - not shown here.
set HTTP_PROXY=http://localhost:8080
set HTTPS_PROXY=http://localhost:8080
rem Start ZAP headless, bound to loopback only, so nothing off this host can reach the
rem proxy listener or its API. The Python script below presents an API key; how that key
rem is configured on the daemon side is not shown here (`-config api.key=...` is one way).
./zap.bat -daemon -port 8080 -host localhost
rem Run the Cypress suite; with the proxy variables set its traffic is recorded by ZAP and
rem seeds the site tree that the spider, passive and active scans below work from.
npm run remote:cypress
from zapv2 import ZAPv2
import time
import sendpdfreport
import os
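# Set up target url for scan and api key for ZAP.
# The listing had this assignment glued onto the comment line above it, which left
# `target` undefined and made zap.urlopen(target) below fail with NameError.
target = 'https://juice-shop.herokuapp.com'
# NOTE(review): the API key is a secret and should not live in source control. It is read
# from the ZAP_API_KEY environment variable when set (CI secret store), falling back to the
# value the original script embedded so existing setups keep working - rotate that key and
# drop the fallback once the variable is in place.
apiKey = os.environ.get('ZAP_API_KEY', 'mf9egge5flk6j03dnrmcn6utj6')
context_name = 'sample_context'   # not referenced anywhere in the visible script
context_id = 1                    # not referenced anywhere in the visible script
# Presumably the same daemon started on port 8080 above; both schemes go through ZAP's
# single plain-HTTP listener on loopback.
zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})
# Fetch the target through the proxy once so it is in ZAP's site tree before spidering.
zap.urlopen(target)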
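# --- Spider scan ---
# The exclude call was fused onto the comment line in the listing; restored here so the
# crawl actually skips the bundled static assets instead of walking them.
zap.spider.exclude_from_scan('https://juice-shop.herokuapp.com/assets.*')
scanID = zap.spider.scan(target)
# Poll the status until it completes. The status is read once per iteration so the value
# printed is the one the loop condition was evaluated on.
progress = int(zap.spider.status(scanID))
while progress < 100:
    print('Spider progress %: {}'.format(progress))
    time.sleep(1)
    progress = int(zap.spider.status(scanID))
print('Spider has completed!')
# Dump every URL the spider found; map(str, ...) keeps the join safe if the API returns
# non-string items.
print('\n'.join(map(str, zap.spider.results(scanID))))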
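# --- Passive scan ---
# The `while` header was fused onto the comment line in the listing; restored here.
# Passive rules run over traffic already proxied (the Cypress run and the spider), so this
# only waits for the backlog to drain. The script treats records_to_scan as a string:
# int() for the comparison, plain concatenation for the message.
while int(zap.pscan.records_to_scan) > 0:
    # Loop until the passive scan has finished
    print('Records to passive scan : ' + zap.pscan.records_to_scan)
    time.sleep(2)
print('Passive Scan completed')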
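# --- Active scan ---
# The assignment was fused onto the comment line in the listing; restored here.
# Intrusive step: the active scanner sends test payloads to every URL in the site tree, so
# `target` should be the test deployment (here the intentionally vulnerable Juice Shop demo).
scanID = zap.ascan.scan(url=target)
# `< 100` instead of `!= 100`: same behaviour on the normal 0..100 range, matches the spider
# loop above, and cannot spin forever on an unexpected value.
while int(zap.ascan.status(scanID)) < 100:
    print('Ascan Progress % : ' + zap.ascan.status(scanID))
    time.sleep(5)
print('Active Scan completed')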
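# --- Generate report ---
# os.path.join yields a valid path on every OS; the original expanduser('~') + '\\zap-report'
# only worked on Windows (elsewhere it produced one filename containing a literal backslash).
report_dir = os.path.join(os.path.expanduser('~'), 'zap-report')
report_path = zap.reports.generate(
    title='LRM ZAP Test Report',
    template='traditional-pdf',
    sites='https://juice-shop.herokuapp.com|http://juice-shop.herokuapp.com',
    reportdir=report_dir,
)
# The script treats the return value as the generated file's path (string concatenation).
print("Report is generated at : " + report_path)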
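# --- Email report ---
# The fromaddr assignment was fused onto the comment line in the listing; restored here.
# These are placeholder addresses; the real ones belong in CI configuration. The PDF
# lists findings against the target, so the recipient list deserves the same care as any
# other security artefact.
fromaddr = "XXXX@gmail.com"
toaddr = "YYYY@gmail.com"
subject = "LRM ZAP Test Report"
body = "LRM ZAP Automated Security test report"
filename = report_path
sendpdfreport.send_email_with_attachment(fromaddr, toaddr, subject, body, filename)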
import os
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

import boto3
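def send_email_with_attachment(fromaddr, toaddr, subject, body_text, filename):
    """Email the file at *filename* as an attachment through Amazon SES.

    Args:
        fromaddr: sender address.
        toaddr: single recipient address.
        subject: message subject line.
        body_text: plain-text message body.
        filename: path of the file to attach (the callers seen pass the ZAP report path).

    Returns:
        The ``send_raw_email`` response from boto3 (it is also printed). Previously
        nothing was returned; existing callers that ignore the result are unaffected.
    """
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = fromaddr
    msg["To"] = toaddr
    # Set message body
    msg.attach(MIMEText(body_text, "plain"))
    # The listing had the `with` header fused onto a comment line, leaving `attachment`
    # undefined. Reading inside the `with` also guarantees the handle is closed even if
    # MIMEApplication raises.
    with open(filename, "rb") as attachment:
        part = MIMEApplication(attachment.read())
    # Only the base name goes into the header: passing the full local path would leak the
    # sender's directory layout (home directory, user name) to every recipient.
    part.add_header("Content-Disposition", "attachment", filename=os.path.basename(filename))
    msg.attach(part)
    # When running the script from local machine with aws credentials file
    # (profile name is a placeholder to be replaced per environment).
    session = boto3.Session(profile_name="XXX")
    ses_client = session.client("ses", region_name="us-west-2")
    # When running on build server with IAM role attached
    # ses_client = boto3.client("ses", region_name="us-west-2")
    # Convert message to string and send
    response = ses_client.send_raw_email(
        Source=fromaddr,
        Destinations=[toaddr],
        RawMessage={"Data": msg.as_string()},
    )
    print(response)
    return response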
