DAST (OWASP ZAP) automation using GCP CI/CD

Santosh
3 min read · Mar 23, 2023

So, I tried to create a CI/CD pipeline for DAST automation. When I searched online there were very few to no articles on this, so after I succeeded I thought: why not share it with the world?

There are various ways to implement it: you can run it serverless (Cloud Run), run it on a branch (trigger the build when you merge to master), or trigger the build from Cloud Scheduler. I tried all of these and got each one working. Here I will share how to run it from `cloud scheduler`, because a full scan takes around 6–7 min, and if you trigger it on merges to master it will run on every merge, eating into the runner capacity provided by Cloud Build.

Pull the stable image of OWASP ZAP →

docker pull owasp/zap2docker-stable

Tag the image for the Container Registry in your GCP project where you want to save it (in my case gcr.io/XXX/my-zap-image), then push it:

docker tag owasp/zap2docker-stable gcr.io/<gcp-project-id>/my-zap-image
docker push gcr.io/<gcp-project-id>/my-zap-image

Once that is done, everything is set.

The code

You need to replace the GCP project id and then the bucket name where the report will be generated and stored. And, of course, you need permission to attack the website you target.
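The author's cloudbuild.yaml is only shown as a screenshot, so here is an added example of my own (not the post's code) of the same shape: one step runs the full scan from the image tagged above with Cloud Build's shared /workspace mounted as ZAP's working directory, the next copies the report to the bucket, and a last step turns ZAP's own exit code into the build status only after the report is safely stored. The placeholders <GCP-PROJECT-ID>, <REPORT-BUCKET>, <TARGET-URL> and the `_TARGET_URL`/`_REPORT_BUCKET` substitutions are assumptions to fill in; the `PROJECT_ID` and `BUILD_ID` variables are Cloud Build's built-in substitutions.

```yaml
# Added example cloudbuild.yaml (not the author's). Replace the placeholders in
# the substitutions block, or override them on the trigger.
substitutions:
  _TARGET_URL: 'https://<TARGET-URL>'     # site you are authorised to scan
  _REPORT_BUCKET: '<REPORT-BUCKET>'       # bucket that receives the HTML report

steps:
  # Step 1: full scan. /workspace is the volume Cloud Build shares between
  # steps; mounting it as /zap/wrk makes zap-full-scan.py write report.html
  # where the upload step can read it.
  - id: zap-full-scan
    name: 'gcr.io/cloud-builders/docker'
    entrypoint: bash
    args:
      - -c
      - |
        set -u
        rc=0
        docker run --rm -v /workspace:/zap/wrk/:rw \
          gcr.io/${PROJECT_ID}/my-zap-image \
          zap-full-scan.py -t "${_TARGET_URL}" -r report.html -I || rc=$?
        # zap-full-scan.py exits 0=pass, 1=fail, 2=warn, 3=error. -I stops
        # warnings from failing the run; we record the code instead of
        # failing here so the report is uploaded even when alerts were found.
        echo "$rc" > /workspace/zap-exit-code
        ls -l /workspace/report.html

  # Step 2: publish the report. Naming it by build id means twice-daily runs
  # never overwrite each other. The build service account needs write access
  # to the bucket.
  - id: upload-report
    name: 'gcr.io/cloud-builders/gsutil'
    args:
      - cp
      - /workspace/report.html
      - gs://${_REPORT_BUCKET}/zap-report-${BUILD_ID}.html

  # Step 3: surface ZAP's verdict as the build status (1 = FAIL-level alert,
  # 3 = scan error), now that the report is stored.
  - id: zap-verdict
    name: 'ubuntu'
    entrypoint: bash
    args:
      - -c
      - 'rc=$(cat /workspace/zap-exit-code); echo "ZAP exit code: $rc"; exit "$rc"'

# A full scan takes several minutes; the default 10 min build timeout is tight.
timeout: '1800s'
```

Trigger history then shows a green build for clean runs and a red one when ZAP reports a FAIL-level alert, while the report itself is always in the bucket for review.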

How to trigger the build

After connecting the trigger repository in Google Cloud, set the trigger's event to run on a schedule:

Run on schedule

Yes, you need a service account with the permissions shown below:

Roles for svc account

Then go to Cloud Scheduler and check that the scheduler job is set up. In my case it is scheduled to run automatically twice a day.

Cloud Scheduler

When you start it with a force run, the magic happens: 129 penetration tests run against the website address you provided, with a detailed report in the GCS bucket. After that you don't need any paid tools to pentest or a dedicated person to run the test; "the automation does it for you".

Cloud Build logs
Report in bucket
DAST report

Let me know if anything is unclear or if you need to set up ZAP in another way. HAPPY LEARNING!