OWASP ZAP integration with Jenkins
Introduction
For developing applications, today we have different tools that can help us to achieve building a secure application. They can be grouped into categories according to their functionality like SS (Secret Search), DAST (Dynamic Application Security Testing), SAST (Static Application Security Testing), SCA (Software Composition Analysis), etc.
Those tools can be used separately to test applications, but we can also integrate them into orchestration tools that nowadays are used to compile, test and deploy our software, automating and facilitating the continuous integration and continuous delivery/deployment of our applications.
This article will be focusing on describing how to integrate one of those security tools into an orchestration pipeline. We are talking about OWASP ZAP (Zed Attack Proxy) and Jenkins.
OWASP ZAP is one of the options we have as part of the DAST (Dynamic Application Security Testing) security techniques. It is a free and open-source scanner that performs penetration tests on web applications/services during runtime in order to detect vulnerabilities.
Although OWASP ZAP is a tool that can be used manually and punctually for testing a specific web application, we can integrate and automate it within a Continuous Integration pipeline taking the advantages of doing this. With the continuous testing in each building phase, it will allow us to detect vulnerabilities earlier.
On the other side we have Jenkins, a continuous integration server, free, open-source and a very popular tool being used nowadays.
In this article, we will discuss the below points:
1- Requirements: Software that should be running to test this article
2- Integration of OWASP ZAP: A baseline script that will enable the integration
3- Pipeline in Jenkins: The configurations that you should be doing
4- Conclusions: The outcome of this article!
5- References: If you want to know more about this
Requirements
- You will need to have Jenkins installed.
- Docker should be installed in the Jenkins machine
Integration of OWASP ZAP
Creating a script
We will use the following script that will be incorporated when creating the pipeline in Jenkins.
def scan_type
def target
pipeline {
agent any
parameters {
choice choices: ["Baseline", "APIS", "Full"],
description: 'Type of scan that is going to perform inside the container',
name: 'SCAN_TYPE'
string defaultValue: "https://example.com",
description: 'Target URL to scan',
name: 'TARGET'
booleanParam defaultValue: true,
description: 'Parameter to know if wanna generate report.',
name: 'GENERATE_REPORT'
}
stages {
stage('Pipeline Info') {
steps {
script {
echo "<--Parameter Initialization-->"
echo """
The current parameters are:
Scan Type: ${params.SCAN_TYPE}
Target: ${params.TARGET}
Generate report: ${params.GENERATE_REPORT}
"""
}
}
}
stage('Setting up OWASP ZAP docker container') {
steps {
script {
echo "Pulling up last OWASP ZAP container --> Start"
sh 'docker pull owasp/zap2docker-stable'
echo "Pulling up last VMS container --> End"
echo "Starting container --> Start"
sh """
docker run -dt --name owasp \
owasp/zap2docker-stable \
/bin/bash
"""
}
}
}
stage('Prepare wrk directory') {
when {
environment name : 'GENERATE_REPORT', value: 'true'
}
steps {
script {
sh """
docker exec owasp \
mkdir /zap/wrk
"""
}
}
}
stage('Scanning target on owasp container') {
steps {
script {
scan_type = "${params.SCAN_TYPE}"
echo "----> scan_type: $scan_type"
target = "${params.TARGET}"
if(scan_type == "Baseline"){
sh """
docker exec owasp \
zap-baseline.py \
-t $target \
-x report.xml \
-I
"""
}
else if(scan_type == "APIS"){
sh """
docker exec owasp \
zap-api-scan.py \
-t $target \
-x report.xml \
-I
"""
}
else if(scan_type == "Full"){
sh """
docker exec owasp \
zap-full-scan.py \
-t $target \
//-x report.xml
-I
"""
//-x report-$(date +%d-%b-%Y).xml
}
else{
echo "Something went wrong..."
}
}
}
}
stage('Copy Report to Workspace'){
steps {
script {
sh '''
docker cp owasp:/zap/wrk/report.xml ${WORKSPACE}/report.xml
'''
}
}
}
}
post {
always {
echo "Removing container"
sh '''
docker stop owasp
docker rm owasp
'''
}
}
}Script Content
This script has two important sections that will be briefly detailed to understand it better.
PARAMETERS
Parameters will be the data we must complete each time we want to carry out an execution of the pipeline. We have three types:
SCAN_TYPE: scan type that will be executed.
OWASP ZAP offers three different scan types. We must choose the one we need in every case: Baseline Scan, Full Scan or API Scan.
TARGET: the URL of the web page or API that we want to analyze.
GENERATE_REPORT: the option to choose if we want to obtain a report at the end of the execution.
STAGES
Below, there are the stages that we are going to include in Jenkins’s pipeline:
PIPELINE INFO: parameter data.
SETTING UP OWASP ZAP DOCKER CONTAINER: pull from the OWASP ZAP docker image.
There are different types of docker images: stable-release, latest weekly release, live release, bare release. We must choose the one that best suits our needs. These images can be found on Docker Hub:
PREPARE WRK DIRECTORY: This stage will create a folder called “wrk” which will save the results when the option to generate reports is chosen. We do this because the OWASP ZAP docker image does not have a folder.
SCANNING TARGET ON OWASP CONTAINER: It is the execution of the scan according to the scan type we choose.
COPY REPORT TO WORKSPACE: If we choose the option to generate a report, this stage will copy the report into our repository within Jenkins.
Pipeline in Jenkins
Now we must complete the following steps to create a pipeline in Jenkins:
- Create a new pipeline
Let’s tick the option “This project is parameterized”.
2. We add the script mentioned at the beginning (copy & paste the script)
3. We save and execute by selecting “build now”. Once the “build with Parameters” option appears, we proceed to cancel it.
4. Select “Build with parameters”, add the scan options and execute the build until it is finished.
5. If we previously chose the option to generate a report, it will be found in the Workspace folder when the pipeline is executed.
Conclusions
Performing this OWASP ZAP integration with Jenkins is simple and free. You can start using it from the beginning of your project with no cost and obtaining great benefits. You will detect vulnerabilities earlier and you will deliver a safer application for your clients.
Take into account that you can also complement this tool with other vulnerabilities scan.
