We have added a feature to the CI/CD which produces a report in HTML for the OWASP Zap scan. This will make it much easier to review the results of these scans. This document shows how to access the report.
- When a pull request is issued, the CI/CD checks automatically kick off. Go to the bottom of the
Conversation screen to see the checks running.
- To the right of either
ci/circleci: test-backendorci/circleci: test-backendclick theDetailslink to view the running process at CircleCI
- Click the
Artifactstab at the top of the screen once the process has completed.
- Click the
owasp_report.htmllink to view the report.
We use separate files for configuring the ZAP scanner for the front and back end applications Backend: tdrs-backend/reports/zap.conf Frontend: tdrs-frontend/reports/zap.conf
These files have a list of error codes and what to do with them. We have some of these set to IGNORE because they do not apply to our configuration but were returning false positives for test failures. For each of these, we should have a comment as to why the test is being ignored.
Can use Postman to mimic the test parameters before ignoring to verify
The free version of Postman, the app or web version, can be used for this.
examples:
We build out how we invoke the zap scanner using our zap-scanner script.
As part of that, we pass some additional configuration that includes a list of urls to exclude from the
scan.
ZAP_CLI_OPTIONS contains this list.
It is important to note, not to include the frontend or backend endpoint we want to test the scanner out
on.
e.g. do not include something like this in the -config globalexcludeurl.url_list.url configuration options:
-config globalexcludeurl.url_list.url\(3\).regex='^https?://.*\.hhs.gov\/.*$' \
-config globalexcludeurl.url_list.url\(3\).description='Site - acf.hhs.gov' \
-config globalexcludeurl.url_list.url\(3\).enabled=true \
It will not be able to find the endpoint for the tests and the output is confusing as to what is happening.