Report generation with zap-full-scan

Hello, I'm trying to do a CI/CD integration of ZAP on GitLab. To do this, I wrote the following code, but after running it the report is not generated. What should I do, please? The scan runs fine, but the report is not available.

    test_site:
      stage: test
      image: owasp/zap2docker-stable
      when: always
      script:
        - mkdir -p /zap/wrk/
        - zap-full-scan.py -t https://example.com -r report.html
        - cp /zap/wrk/report.html .
      artifacts:
        when: always
        paths: [report.html]
      allow_failure: false

I managed to generate the report by adding `|| true` to the command, or the `-I` option, but the objective is to generate the report without adding these.



Solution 1

I have struggled to get this done for more than 2 days. I started with this approach of using image: owasp/zap2docker-stable, however I then had to go to the vanilla docker commands to execute it.

The reason for that is that if you use the -r parameter, ZAP will attempt to generate the file report.html at the location /zap/wrk/. In order to make this work, we have to mount a directory to this location, /zap/wrk.

But when you do so, it is important that the ZAP container is able to perform write operations on the mounted directory.

So, below is the working solution.

    test_site:
      stage: test
      image: docker:latest
      script:
        # The folder zap-reports created locally will be mounted into the owasp/zap2docker container;
        # on execution it will generate the reports in this folder. The current user is passed so reports can be written.
        - mkdir zap-reports
        - cd zap-reports
        - docker pull owasp/zap2docker-stable:latest || echo
        - docker run --name zap-container --rm -v $(pwd):/zap/wrk -u $(id -u ${USER}):$(id -g ${USER}) owasp/zap2docker-stable zap-baseline.py -t "https://example.com" -r report.html
      artifacts:
        when: always
        paths:
          - zap-reports
      allow_failure: true

So the trick in the above code is:

  1. Mount the local directory zap-reports to /zap/wrk, as in $(pwd):/zap/wrk
  2. Pass the current user and group of the host machine to the docker container so the process runs as the same user / group. This allows writing the reports to the directory mounted from the local host. This is done by -u $(id -u ${USER}):$(id -g ${USER})

Below is the working code with image: owasp/zap2docker-stable:

    test_site:
      variables:
        GIT_STRATEGY: none
      stage: test
      image:
        name: owasp/zap2docker-stable:latest
      before_script:
        - mkdir -p /zap/wrk
      script:
        - zap-baseline.py -t "https://example.com" -g gen.conf -I -r testreport.html
        - cp /zap/wrk/testreport.html testreport.html
      artifacts:
        when: always
        paths:
          - zap.out
          - testreport.html
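The question asks for the report without `|| true` or `-I`, and the answer's second job still relies on `-I`. The POSIX sh wrapper below is an added example, not code from the question or the answer: it copies whatever report ZAP left under the work directory and then returns the scanner's own exit status, so the artifact is always collected while a FAIL (1) or WARN (2) result still fails the job. It assumes, as the answer states, that ZAP writes the `-r` report under /zap/wrk; the directory paths and the `fake_zap_scan` stand-in are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or the answer): run a scan, export the
# report, and still exit with the scanner's own status, instead of masking it
# with "|| true" or "-I".

# ZAP's documented exit codes for zap-baseline.py / zap-full-scan.py.
describe_zap_status() {
  case "$1" in
    0) echo "pass (no FAIL or WARN alerts)" ;;
    1) echo "at least one FAIL alert" ;;
    2) echo "WARN alerts only" ;;
    3) echo "scan did not complete (target unreachable, ZAP error, ...)" ;;
    *) echo "unexpected status" ;;
  esac
}

# run_scan_keep_report WRK_DIR REPORT_NAME OUT_DIR SCAN_COMMAND...
# Copies WRK_DIR/REPORT_NAME to OUT_DIR whenever it exists, then returns the
# scan's exit status unchanged, so a "set -e" job still fails on findings.
run_scan_keep_report() {
  zk_wrk="$1"; zk_report="$2"; zk_out="$3"; shift 3
  mkdir -p "$zk_wrk" "$zk_out"
  case $- in *e*) zk_had_e=1 ;; *) zk_had_e=0 ;; esac
  set +e                      # the scan may exit 1/2; do the copy first
  "$@"
  zk_status=$?
  if [ "$zk_had_e" -eq 1 ]; then set -e; fi
  if [ -f "$zk_wrk/$zk_report" ]; then
    cp "$zk_wrk/$zk_report" "$zk_out/"
  fi
  return "$zk_status"
}

# Constructed stand-in for zap-full-scan.py: writes a report into the work
# dir (as ZAP does under /zap/wrk) and exits 2 (WARN) unless told otherwise.
fake_zap_scan() {
  printf '<html><body>constructed ZAP report</body></html>\n' > "$1/$2"
  return "${3:-2}"
}

# Demo with the stand-in. In .gitlab-ci.yml the trailing arguments would be
# the real command, e.g. zap-full-scan.py -t https://example.com -r report.html
demo_dir=$(mktemp -d)
rc=0
run_scan_keep_report "$demo_dir/wrk" report.html "$demo_dir/out" \
  fake_zap_scan "$demo_dir/wrk" report.html || rc=$?
echo "exported: $(ls "$demo_dir/out"); status $rc: $(describe_zap_status "$rc")"
```

In the job, `script:` would call this wrapper (with OUT_DIR set to the project directory listed under `artifacts:`) in place of the bare `zap-full-scan.py` line, leaving `allow_failure: false` so findings still break the pipeline.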

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
