ZAP CI UserGuide
INTERNAL
Contents
1. Introduction
1. Introduction
OWASP ZAP (short for Zed Attack Proxy) is an open-source web application security scanner. It is one of
the most active Open Web Application Security Project (OWASP) projects and has been given Flagship status.
When used as a proxy server it allows the user to manipulate all of the traffic that passes through it,
including HTTPS traffic.
DSAC has built a framework for integrating ZAP into the CI pipeline. The framework is written in Python.
Any application that uses basic form-based authentication or NTLM authentication can be scanned.
3. Pipeline Setup
3.1. Repo and the Branch for automation code
Repo : https://dev.azure.com/ABB-BEA-DSAC/DSAC_Testing/_git/zap_automation_cicd
Branch : Develop
“zapscan.py” is the script that needs to be run on the command line to trigger the scan. The section below
explains how to trigger the script in the pipeline.
Note: please raise an access request if you are not able to reach the repo above.
1. Form-Based Authentication
2. NTLM Authentication
The section below explains each authentication type and its parameters.
The following parameters need to be passed for a form-based application.
Generally, the login endpoint is the POST method used to log in to the web application.
• -uname & -pswd – username and password used to log in to the application
• -lin – the check ZAP uses to tell whether the login succeeded (the logged-in indicator), e.g. Sign Off
If the application logs out during the scan, the login method is called again. ZAP makes
sure that the application stays signed in throughout the entire scan.
• -uname & -pswd – username and password used to log in to the application
• -lin – the check ZAP uses to tell whether the login succeeded (the logged-in indicator), e.g. Sign Off
If the application logs out during the scan, the login method is called again. ZAP makes sure
that the application stays signed in throughout the entire scan.
Step 3: In the command line script task add the following lines:
o Make the files executable:
o chmod -R 777 *
o python3 -u zapscan.py -target "https://demo.testfire.net/" -authtype "FormBased" -uname "admin" -pswd "admin" -lep "https://demo.testfire.net/doLogin" -lin "Sign Off"
Step 4: Publish Pipeline Artifact: Zap_scan_log is the result directory created after the scan
completes. Publish this folder as an artifact using the “Publish Pipeline Artifact” task.
The scan report is available inside the published artifact and appears as below.
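The following is an added example of how the Step 3 and Step 4 commands can be wrapped in a small POSIX shell script for the command line task; it is not part of the DSAC guide and not code from zapscan.py. It assumes that zapscan.py accepts exactly the flags shown above (-target, -authtype, -uname, -pswd, -lep, -lin), that the credentials are supplied through the hypothetical ZAP_USER and ZAP_PASS environment variables (mapped from pipeline secret variables instead of being typed into the task as in the sample command), and that a hypothetical DRY_RUN=1 prints the command instead of running it. The Zap_scan_log directory name is the one the guide gives for Step 4.

```shell
#!/bin/sh
# Added example: wrapper around the Step 3 / Step 4 commands of the ZAP CI guide.
# Not part of the DSAC guide or of zapscan.py. Assumptions: zapscan.py takes the
# flags shown in the guide (-target, -authtype, -uname, -pswd, -lep, -lin); the
# credentials arrive in the hypothetical ZAP_USER / ZAP_PASS environment variables
# (mapped from pipeline secret variables); the hypothetical DRY_RUN=1 prints the
# command (password redacted) instead of running it.

# validate_zap_args TARGET AUTHTYPE [LOGIN_ENDPOINT LOGGED_IN_INDICATOR]
# Returns 0 when the parameter set is complete for the chosen auth type.
validate_zap_args() {
    if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
        echo "error: target and authtype are required" >&2
        return 1
    fi
    if [ -z "${ZAP_USER:-}" ] || [ -z "${ZAP_PASS:-}" ]; then
        echo "error: ZAP_USER and ZAP_PASS are not set (map them from pipeline secrets)" >&2
        return 1
    fi
    case "$2" in
        FormBased)
            # Form-based login needs the login endpoint and the logged-in indicator
            if [ -z "${3:-}" ] || [ -z "${4:-}" ]; then
                echo "error: FormBased needs a login endpoint (-lep) and an indicator (-lin)" >&2
                return 1
            fi
            ;;
        NTLM)
            ;;
        *)
            echo "error: unknown authtype '$2' (expected FormBased or NTLM)" >&2
            return 1
            ;;
    esac
    return 0
}

# run_zap_scan TARGET AUTHTYPE [LOGIN_ENDPOINT LOGGED_IN_INDICATOR]
# Builds the zapscan.py command line from validated arguments and runs it.
# With DRY_RUN=1 it prints the command with the password replaced by ***, so the
# pipeline log never contains the real password.
run_zap_scan() {
    validate_zap_args "$@" || return 1
    target=$1
    authtype=$2
    lep=${3:-}
    lin=${4:-}
    set -- python3 -u zapscan.py -target "$target" -authtype "$authtype" \
        -uname "$ZAP_USER" -pswd "$ZAP_PASS"
    if [ "$authtype" = FormBased ]; then
        set -- "$@" -lep "$lep" -lin "$lin"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        shown=""
        for arg in "$@"; do
            if [ "$arg" = "$ZAP_PASS" ]; then
                arg='***'
            fi
            shown="$shown $arg"
        done
        printf '%s\n' "${shown# }"
        return 0
    fi
    "$@"
}

# check_scan_output [WORKDIR]
# Step 4 publishes Zap_scan_log; fail the job early when the directory is
# missing or empty instead of publishing an empty artifact.
check_scan_output() {
    dir=${1:-.}/Zap_scan_log
    if [ ! -d "$dir" ]; then
        echo "error: $dir was not created; the scan did not complete" >&2
        return 1
    fi
    if [ -z "$(ls -A "$dir")" ]; then
        echo "error: $dir is empty; no report to publish" >&2
        return 1
    fi
    return 0
}
```

In the script task, source this file, run `run_zap_scan "https://demo.testfire.net/" FormBased "https://demo.testfire.net/doLogin" "Sign Off"` and then `check_scan_output` before the Publish Pipeline Artifact task. For the "make the files executable" step, `chmod u+x zapscan.py` is sufficient for the wrapper; `chmod -R 777 *` from Step 3 also makes every file in the checkout world-writable, which the scan does not need.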