Performing a security test after each deployment using OWASP ZAP and Azure DevOps

February 01, 2020 by Anuraj

Tags: azure devops, owasp, security

This post is about adding OWASP ZAP to your build / release pipeline in Azure DevOps. OWASP ZAP is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers.

In this post I create a build pipeline that is scheduled to run every week. The pipeline runs OWASP ZAP against the application and generates a report. That report is converted to NUnit-format XML and displayed as part of the test results of the build.

Here is the screenshot of the DevOps pipeline.

[Screenshot: Azure DevOps Pipeline]

And here is the YAML code.

```yaml
pool:
  name: Azure Pipelines
steps:
# Run the ZAP scanner task (from the CSE-DevOps marketplace extension) against the target URL.
# It writes report.json and report.html into the owaspzap/ folder of the workspace.
- task: CSE-DevOps.zap-scanner.custom-build-release-task.owaspzap@1
  displayName: 'ZAP Scanner'
  inputs:
    scantype: targetedScan
    url: 'https://dotnetthoughts.net'

# Write a Handlebars template that maps the ZAP JSON report onto the NUnit 3 XML schema:
# one <test-suite> per scanned site and one failed <test-case> per alert.
- bash: |
   sudo npm install -g handlebars-cmd
   
   cat <<EOF > owaspzap/nunit-template.hbs
   {{#each site}}
   
   <test-run
       id="2"
       name="Owasp test"
       start-time="{{../[@generated]}}"  >
       <test-suite
           id="{{@index}}"
           type="Assembly"
           name="{{[@name]}}"
           result="Failed"
           failed="{{alerts.length}}">
           <attachments>
               <attachment>
                   <filePath>owaspzap/report.html</filePath>
               </attachment>
           </attachments>
       {{#each alerts}}<test-case
           id="{{@index}}"
           name="{{alert}}"
           result="Failed"
           fullname="{{alert}}"
           time="1">
               <failure>
                   <message>
                       <![CDATA[{{{desc}}}]]>
                   </message>
                   <stack-trace>
                       <![CDATA[
   Solution:
   {{{solution}}}
   
   Reference:
   {{{reference}}}
   
   instances:{{#each instances}}
   * {{uri}}
       - {{method}}
       {{#if evidence}}- {{{evidence}}}{{/if}}
                       {{/each}}]]>
                   </stack-trace>
               </failure>
       </test-case>
       {{/each}}
       </test-suite>
   </test-run>
   {{/each}}
   EOF
   
  displayName: 'owasp nunit template'

# handlebars-cmd takes the JSON data file as its argument and the template on stdin.
- bash: 'handlebars owaspzap/report.json <owaspzap/nunit-template.hbs> owaspzap/test-results.xml'
  displayName: 'Bash Script'

# Publish the generated XML so the alerts show up on the Tests tab of the build.
- task: PublishTestResults@2
  displayName: 'Publish Test Results owaspzap/test-results.xml'
  inputs:
    testResultsFormat: NUnit
    testResultsFiles: 'owaspzap/test-results.xml'

# Keep the raw ZAP reports (JSON and HTML) as a build artifact for later review.
- task: CopyFiles@2
  displayName: 'Copy Files to: $(Build.ArtifactStagingDirectory)'
  inputs:
    SourceFolder: owaspzap/
    TargetFolder: '$(Build.ArtifactStagingDirectory)'

- task: PublishBuildArtifacts@1
  displayName: 'Publish Artifact: zap-scanner-reports'
  inputs:
    ArtifactName: 'zap-scanner-reports'
```
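The same JSON-to-NUnit conversion, written as an added Python script rather than the post's Handlebars template (this is example code, not part of the original pipeline). It assumes the field names of ZAP's JSON report (`site[]` with `@name` and `alerts[]`, each alert carrying `alert`, `riskcode`, `desc`, `solution`, `reference` and `instances[]`), and goes one step beyond the template: a `min_risk` threshold decides which alerts fail the build, and the XML library escapes the text itself, so a `]]>` inside an alert description cannot break the document the way it would inside a CDATA section.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape of ZAP's JSON report; not output from a real scan.
SAMPLE_REPORT = json.dumps({"@generated": "Sat, 1 Feb 2020 10:00:00", "site": [{
    "@name": "https://example.invalid", "alerts": [
        {"alert": "Missing Anti-clickjacking Header", "riskcode": "2",
         "desc": "The response does not protect against clickjacking.",
         "solution": "Send X-Frame-Options or a frame-ancestors CSP directive.",
         "reference": "https://owasp.org/",
         "instances": [{"uri": "https://example.invalid/", "method": "GET", "evidence": ""}]},
        {"alert": "Server Leaks Version Information", "riskcode": "1",
         "desc": "The Server header reveals a version string.", "solution": "Suppress it.",
         "reference": "", "instances": [{"uri": "https://example.invalid/", "method": "GET",
                                         "evidence": "Server: demo/1.0"}]}]}]})

def zap_to_nunit(report_json, min_risk=2):
    """Return (nunit_xml, failed_count); riskcode 0 info, 1 low, 2 medium, 3 high.
    Alerts with riskcode >= min_risk become Failed cases, lower ones Passed."""
    report = json.loads(report_json)
    run = ET.Element("test-run", {"id": "2", "name": "Owasp test",
                                  "start-time": report.get("@generated", "")})
    total_failed = 0
    for i, site in enumerate(report.get("site", [])):
        suite = ET.SubElement(run, "test-suite", {"id": str(i), "type": "Assembly",
                                                  "name": site.get("@name", "")})
        suite_failed = 0
        for j, alert in enumerate(site.get("alerts", [])):
            gate = int(alert.get("riskcode", "0")) >= min_risk
            case = ET.SubElement(suite, "test-case", {
                "id": f"{i}-{j}", "name": alert["alert"], "fullname": alert["alert"],
                "result": "Failed" if gate else "Passed", "time": "1"})
            if not gate:
                continue
            suite_failed += 1
            failure = ET.SubElement(case, "failure")
            # ElementTree escapes text itself, so no CDATA is needed and a stray
            # "]]>" inside an alert description cannot break the document.
            ET.SubElement(failure, "message").text = alert.get("desc", "")
            lines = [f"Solution: {alert.get('solution', '')}",
                     f"Reference: {alert.get('reference', '')}", "Instances:"]
            for inst in alert.get("instances", []):
                lines.append(f"* {inst.get('uri', '')} - {inst.get('method', '')}")
                if inst.get("evidence"):
                    lines.append(f"    evidence: {inst['evidence']}")
            ET.SubElement(failure, "stack-trace").text = "\n".join(lines)
        suite.set("result", "Failed" if suite_failed else "Passed")
        suite.set("failed", str(suite_failed))
        total_failed += suite_failed
    return ET.tostring(run, encoding="unicode"), total_failed
```

Writing the returned string to `owaspzap/test-results.xml` lets the same `PublishTestResults@2` step pick it up unchanged.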

And here are the test results from the build pipeline.

[Screenshot: OWASP ZAP - NUnit Test results]

There are a lot of options you can configure and control in the OWASP ZAP Docker image. In this post I am using the standard ZAP options. You can do a complete ZAP scan or a quick scan, depending on your project. You can find more details about the ZAP Docker implementation on GitHub.

Happy Programming :)

Copyright © 2024 Anuraj. Blog content licensed under the Creative Commons CC BY 2.5 | Unless otherwise stated or granted, code samples licensed under the MIT license. This is a personal blog. The opinions expressed here represent my own and not those of my employer.