Integrate Zed Attack Proxy with Oracle Cloud Infrastructure DevOps Build Pipeline

Introduction

Oracle Cloud Infrastructure (OCI) DevOps service is a complete Continuous Integration/Continuous Delivery (CI/CD) platform that lets developers simplify and automate their software development lifecycle. The OCI DevOps service enables developers and operators to collaboratively develop, build, test, and deploy software. DevSecOps is the practice of adding security testing to that automated build and deployment process, so that every change is scanned before it is delivered.

Zed Attack Proxy (ZAP), formerly known as Open Web Application Security Project Zed Attack Proxy (OWASP ZAP), is an open source web application security scanner. It helps developers and security professionals find vulnerabilities in web applications. At the end of a scan ZAP produces a report listing the alerts it raised, that is, the vulnerabilities and warnings it found.

Objectives

Prerequisites

Task 1: Set up build stage for ZAP scan

  1. Create a build spec file named zap_build_spec.yaml for the ZAP stage using the configuration below. Replace <application-url> in the build spec command with the URL of the deployed application, or supply it through Build Parameters to keep the file environment-independent. Upload the build spec file to the code repository.

    version: 0.1
    component: build
    timeoutInSeconds: 10000
    runAs: root
    shell: bash
    
    steps:
      - type: Command
        timeoutInSeconds: 1200
        name: "Zap Scan"
        command: |
          # The primary source checkout is mounted as /zap/wrk, the directory the ZAP
          # scripts read gen.conf from and write reports to; the host-side path is the
          # one the build runner's Docker daemon sees for that checkout.
          # -t  target URL (replace <application-url>, or pass it in as a build parameter)
          # -g  write a default rule file (one WARN/FAIL/IGNORE line per rule) to /zap/wrk;
          #     tune it, commit it, and feed it back in with -c on later runs
          # -d  print debug output
          # -x  write the XML report (-r writes an HTML report regardless of the file name)
          # zap-baseline.py exits 0 on pass, 1 on FAIL, 2 on WARN and non-zero on error;
          # any non-zero status fails this step, so add -I if WARN results must not block.
          docker run -v /docker-vol/agent-dir/ext/${OCI_PRIMARY_SOURCE_NAME}:/zap/wrk/:rw --user root ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t <application-url> -g gen.conf -d -x report.xml
    
    outputArtifacts:
      - name: zap-report
        type: BINARY
        location: ${OCI_PRIMARY_SOURCE_DIR}/report.xml
    
  2. Add a Managed build stage for the ZAP scan.

    1. Click Add a stage in the build pipeline and choose Managed build.

    2. Enter zap_build_spec.yaml in Build spec file path.

    3. Enter the stage name and add the primary code repository.

    4. Select Connection type as OCI code repository and select the code repository that contains zap_build_spec.yaml.

      ZAP build stage

  3. Add the artifact that the report will be delivered to.

    1. Click Add Artifact.

    2. Specify the type as General artifact.

    3. Select the artifact registry repository where the ZAP report will be stored.

    4. Select the artifact from the repository.

    5. Click Add.

      Zap add artifact

  4. The Managed build stage only runs the scan and declares report.xml as an output artifact; a Deliver artifacts stage is what pushes it to the artifact registry. In the build pipeline, add another stage of type Deliver artifacts.

    1. Click Select artifact(s) and select the artifact created in the previous step.

    2. Enter zap-report as the Build config/result artifact name, because that is the name declared under outputArtifacts in zap_build_spec.yaml.

    3. Click Add.

      Zap Deliver Artifact

  5. The completed build pipeline is shown in the following image. Click Start manual run to run the pipeline.

    Start Manual Run

  6. After the pipeline run succeeds, you can download the ZAP report from the artifact registry. Note that zap-baseline.py returns a non-zero exit status (1 for FAIL, 2 for WARN) whenever one of its rules raises an alert, which fails the build step before the Deliver artifacts stage runs. With the default rule set every alert is a WARN, so if you want the report delivered even when the scan finds something, add -I to the command (fail only on FAIL) or tune the generated gen.conf and pass it with -c.

    ZAP Report Download

Next steps

The generated ZAP report lists the vulnerabilities and warnings found during the scan. The build spec above runs a baseline scan (zap-baseline.py): it spiders the target for a limited time (one minute by default) and applies only passive scan rules, so it inspects the responses it receives without sending attack payloads. You can also run the ZAP full scan (zap-full-scan.py), which adds the active scanner and sends real attack requests; it can run for a long time and must only be pointed at applications you own or are authorized to test.

Run the scan first against a test environment, and roll the application out to production only after the findings there have been triaged and fixed. A clean baseline report means the passive rules found nothing in the responses they saw, not that the application is free of vulnerabilities, so treat it as a gate on known issue classes rather than as proof of security.
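To act on the report rather than only download it, the following added example (not code from the tutorial, from Oracle or from the ZAP project) parses the XML report that -x report.xml writes and applies a promotion policy: block the rollout when any alert of Medium or higher risk is raised with at least Medium confidence, unless its plugin ID is on a reviewed exception list. The embedded report is a constructed sample whose element names follow ZAP's XML format; in a pipeline you would run it against the report.xml delivered to the artifact registry, for example as an extra command step after the scan.

```python
"""Summarise a ZAP XML report and decide whether the scanned build may be promoted.

Added example; not part of the Oracle tutorial or of ZAP. It assumes the report
came from `zap-baseline.py -x report.xml`: a top-level <OWASPZAPReport> holding
one <site> per host, each with <alertitem> children whose <riskcode> is
0 info / 1 low / 2 medium / 3 high and whose <confidence> is
0 false positive / 1 low / 2 medium / 3 high.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report (not the output of a real scan); the element names
# follow ZAP's XML report, the alert contents are illustrative only.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.14.0" generated="Mon, 1 Jan 2024 00:00:00">
  <site name="https://app.example.com" host="app.example.com" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10038</pluginid>
        <alert>Content Security Policy (CSP) Header Not Set</alert>
        <riskcode>2</riskcode><confidence>3</confidence>
        <instances>
          <instance><uri>https://app.example.com/</uri><method>GET</method></instance>
          <instance><uri>https://app.example.com/login</uri><method>GET</method></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode><confidence>2</confidence>
        <instances>
          <instance><uri>https://app.example.com/static/app.js</uri><method>GET</method></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10096</pluginid>
        <alert>Timestamp Disclosure - Unix</alert>
        <riskcode>0</riskcode><confidence>1</confidence>
        <instances>
          <instance><uri>https://app.example.com/</uri><method>GET</method></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(report_xml):
    """Flatten every <alertitem> of every <site> into one dict per alert."""
    alerts = []
    for site in ET.fromstring(report_xml).iter("site"):
        for item in site.iter("alertitem"):
            alerts.append({
                "site": site.get("name"),
                "pluginid": item.findtext("pluginid"),
                "name": item.findtext("alert"),
                "risk": int(item.findtext("riskcode", "0")),
                "confidence": int(item.findtext("confidence", "0")),
                "uris": [i.findtext("uri") for i in item.iter("instance")],
            })
    return alerts


def summarise(alerts):
    """Number of distinct alerts per risk level, e.g. {"Medium": 1, "Low": 1}."""
    return dict(Counter(RISK_NAMES[a["risk"]] for a in alerts))


def gate(alerts, max_risk=1, min_confidence=2, ignore_pluginids=()):
    """Return (ok, blocking): blocking holds the alerts that violate the policy.

    An alert blocks promotion when its risk is above max_risk and ZAP's
    confidence in it is at least min_confidence. Plugin IDs in ignore_pluginids
    (a reviewed exception list, the same idea as IGNORE lines in gen.conf) never
    block. Lower-confidence findings are still in the report for a human to
    triage; they just do not stop the rollout on their own.
    """
    blocking = [a for a in alerts
                if a["risk"] > max_risk
                and a["confidence"] >= min_confidence
                and a["pluginid"] not in ignore_pluginids]
    return (not blocking, blocking)


if __name__ == "__main__":
    # Usage: python zap_gate.py [report.xml]; without an argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_alerts(text)
    print("alerts by risk:", summarise(found))
    ok, blocking = gate(found)
    for a in blocking:
        print(f"BLOCK {a['pluginid']} {RISK_NAMES[a['risk']]}: {a['name']} ({len(a['uris'])} URIs)")
    sys.exit(0 if ok else 1)
```

Run as a separate step after the scan (or as a later pipeline stage that pulls the delivered artifact), a non-zero exit from this script is what should fail the pipeline; the scan step itself can then run with -I so that the report is always produced and delivered. Keep the exception list in the repository next to gen.conf, with a reason recorded for every plugin ID on it, so that accepted findings are reviewed rather than silently ignored.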

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.