Kovair DevOps – ZAP Plugin Details
Plugin Version: 1.0
Overview
ZAP tests web applications for the most common vulnerabilities. This integration brings DevSecOps into the Kovair DevOps pipeline: the plugin connects Kovair DevOps to the ZAP tool and automates spidering and scanning of web applications and retrieval of the alerts ZAP raises.
ZAP Information:
Version Supported:
Plugin Operation:
1. SpiderScan
Runs the spider against the given URL (or context).
Input parameter(s):
Parameter | Is Mandatory | Help Text |
---|---|---|
Base URL | true | Provide the API URL of the ZAP tool. |
API Key | true | Provide the API key of the ZAP tool. |
Asynchronous | true | If Yes, the pipeline will not wait for the scan to complete; it moves to the next task immediately after triggering the scan. |
Starting Url | false | Provide the URL of your application. |
Max Children | false | Limits the number of child nodes the spider crawls. |
Recurse | false | Can be used to prevent the spider from seeding recursively. |
Context Name | false | Constrains the scan to the named Context. |
Subtree Only | false | Restricts the spider to the subtree of the site under 'Starting Url'. |
Output parameter(s):
Parameter | Help Text |
---|---|
OutputLog | Response message content. |
Status | Status of the operation. |
2. SpiderScanAsUser
Runs the spider from the perspective of a User, identified by the given Context ID and User ID.
Input parameter(s):
Parameter | Is Mandatory | Help Text |
---|---|---|
Base URL | true | Provide the API URL of the ZAP tool. |
API Key | true | Provide the API key of the ZAP tool. |
Asynchronous | true | If Yes, the pipeline will not wait for the scan to complete; it moves to the next task immediately after triggering the scan. |
Context Id | true | Provide the ID of the ZAP Context the user belongs to. |
User Id | true | Provide the ID of the ZAP User to spider as. |
Starting Url | false | Provide the URL of your application. |
Max Children | false | Limits the number of child nodes the spider crawls. |
Recurse | false | Can be used to prevent the spider from seeding recursively. |
Subtree Only | false | Restricts the spider to the subtree of the site under 'Starting Url'. |
Output parameter(s):
Parameter | Help Text |
---|---|
OutputLog | Response message content. |
Status | Status of the operation. |
3. ActiveScan
Runs the active scanner against the given URL and/or Context.
Input parameter(s):
Parameter | Is Mandatory | Help Text |
---|---|---|
Base URL | true | Provide the API URL of the ZAP tool. |
API Key | true | Provide the API key of the ZAP tool. |
Asynchronous | true | If Yes, the pipeline will not wait for the scan to complete; it moves to the next task immediately after triggering the scan. |
Starting Url | false | Provide the URL of your application. |
Recurse | false | If set, URLs under the given URL are scanned as well. |
In Scope Only | false | Constrains the scan to URLs that are in scope (ignored if a Context is specified). |
Scan Policy Name | false | Specifies the scan policy to use; if none is given, the default scan policy is used. |
Method | false | Used together with 'Starting Url' to select a specific request by its HTTP method. |
Post Data | false | Used together with 'Starting Url' and 'Method' to select a specific request by its POST body. |
Output parameter(s):
Parameter | Help Text |
---|---|
OutputLog | Response message content. |
Status | Status of the operation. |
4. ActiveScanAsUser
Runs the active scanner from the perspective of a User, identified by the given Context ID and User ID.
Input parameter(s):
Parameter | Is Mandatory | Help Text |
---|---|---|
Base URL | true | Provide the API URL of the ZAP tool. |
API Key | true | Provide the API key of the ZAP tool. |
Asynchronous | true | If Yes, the pipeline will not wait for the scan to complete; it moves to the next task immediately after triggering the scan. |
Starting Url | false | Provide the URL of your application. |
Context Id | false | Provide the ID of the ZAP Context the user belongs to. |
User Id | false | Provide the ID of the ZAP User to scan as. |
Recurse | false | If set, URLs under the given URL are scanned as well. |
Scan Policy Name | false | Specifies the scan policy to use; if none is given, the default scan policy is used. |
Method | false | Used together with 'Starting Url' to select a specific request by its HTTP method. |
Post Data | false | Used together with 'Starting Url' and 'Method' to select a specific request by its POST body. |
Output parameter(s):
Parameter | Help Text |
---|---|
OutputLog | Response message content. |
Status | Status of the operation. |
5. GetAlerts
Gets the alerts raised by ZAP, optionally filtered by site URL or risk ID, and paginated with a start position and a count of alerts.
Input parameter(s):
Parameter | Is Mandatory | Help Text |
---|---|---|
Base URL | true | Provide the API URL of the ZAP tool. |
API Key | true | Provide the API key of the ZAP tool. |
Site URL | false | Provide the URL of your application; only alerts for that site are returned. |
Start Position | false | Index of the first alert to return (for paging). |
Alert Count | false | Maximum number of alerts to return (for paging). |
Risk Id | false | Return only alerts of the given risk level. |
Output parameter(s):
Parameter | Help Text |
---|---|
OutputLog | Response message content. |
Status | Status of the operation. |
Pass/Fail Conditions:
Operation | Status | Condition |
---|---|---|
SpiderScan | Passed | HTTP status code 200 (OK) is received from ZAP and OutputLog is not empty. |
SpiderScan | Failed | HTTP status code 200 (OK) is not received from ZAP, or OutputLog is empty. |
SpiderScanAsUser | Passed | HTTP status code 200 (OK) is received from ZAP and OutputLog is not empty. |
SpiderScanAsUser | Failed | HTTP status code 200 (OK) is not received from ZAP, or OutputLog is empty. |
ActiveScan | Passed | HTTP status code 200 (OK) is received from ZAP and OutputLog is not empty. |
ActiveScan | Failed | HTTP status code 200 (OK) is not received from ZAP, or OutputLog is empty. |
ActiveScanAsUser | Passed | HTTP status code 200 (OK) is received from ZAP and OutputLog is not empty. |
ActiveScanAsUser | Failed | HTTP status code 200 (OK) is not received from ZAP, or OutputLog is empty. |
GetAlerts | Passed | HTTP status code 200 (OK) is received from ZAP and OutputLog is not empty. |
GetAlerts | Failed | HTTP status code 200 (OK) is not received from ZAP, or OutputLog is empty. |
Note that 'Passed' reports only that the ZAP API call succeeded (HTTP 200 with a non-empty response). It is not a verdict on the application: GetAlerts passes whether or not ZAP raised High-risk alerts, and when Asynchronous is Yes a passed scan task means only that the scan was triggered, not that it finished. Evaluating the alerts returned by GetAlerts is the pipeline's own responsibility.
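The five operations above correspond to calls on ZAP's JSON API, and the pass/fail conditions show that the plugin's 'Passed' status is a transport-level check. The following Python is an added example, not code from the Kovair plugin or from the ZAP project: it drives the same calls synchronously (trigger the spider, poll its status to completion, trigger the active scan, poll again, fetch the alerts) and then applies a risk gate that fails the build on High-risk alerts. It assumes ZAP's API layout `JSON/<component>/<action|view>/<name>/` with the key sent in the `X-ZAP-API-Key` header, a hypothetical ZAP at `http://localhost:8080`, and a constructed in-memory stand-in (`fake_zap`) that answers like ZAP so the script runs offline; the alerts it returns are constructed sample data.

```python
# Added example (not Kovair's plugin code): the ZAP API calls behind the
# SpiderScan/ActiveScan/GetAlerts operations, driven synchronously, plus a
# risk gate that turns the returned alerts into a real pass/fail decision.
import json
import time
from urllib.parse import urlencode, urljoin
from urllib.request import Request, urlopen

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def http_get_json(url, api_key):
    """Default transport: GET a ZAP API URL with the key in X-ZAP-API-Key."""
    req = Request(url, headers={"X-ZAP-API-Key": api_key})
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapClient:
    def __init__(self, base_url, api_key, transport=http_get_json):
        self.base_url = base_url.rstrip("/") + "/"   # the plugin's 'Base URL'
        self.api_key = api_key                       # the plugin's 'API Key'
        self.transport = transport                   # swapped for a fake offline

    def call(self, component, kind, name, **params):
        # ZAP API layout: <base>/JSON/<component>/<action|view>/<name>/?k=v
        query = {k: v for k, v in params.items() if v not in (None, "")}
        url = urljoin(self.base_url, f"JSON/{component}/{kind}/{name}/")
        if query:
            url += "?" + urlencode(query)
        return self.transport(url, self.api_key)

    # Operation 1 (SpiderScan): returns the ZAP scan id.
    def spider_scan(self, url, max_children=None, recurse="true",
                    context_name=None, subtree_only=None):
        r = self.call("spider", "action", "scan", url=url, maxChildren=max_children,
                      recurse=recurse, contextName=context_name, subtreeOnly=subtree_only)
        return r["scan"]

    # Operation 3 (ActiveScan): returns the ZAP scan id.
    def active_scan(self, url, recurse="true", in_scope_only=None,
                    scan_policy_name=None, method=None, post_data=None):
        r = self.call("ascan", "action", "scan", url=url, recurse=recurse,
                      inScopeOnly=in_scope_only, scanPolicyName=scan_policy_name,
                      method=method, postData=post_data)
        return r["scan"]

    def wait(self, component, scan_id, poll_seconds=5, timeout_seconds=3600):
        """Asynchronous = No: block until ZAP reports the scan 100% complete."""
        deadline = time.monotonic() + timeout_seconds
        while True:
            status = int(self.call(component, "view", "status", scanId=scan_id)["status"])
            if status >= 100:
                return status
            if time.monotonic() > deadline:
                raise TimeoutError(f"{component} scan {scan_id} still at {status}%")
            time.sleep(poll_seconds)

    # Operation 5 (GetAlerts) with the page's site filter, paging and risk filter.
    def get_alerts(self, site_url=None, start=None, count=None, risk_id=None):
        r = self.call("core", "view", "alerts", baseurl=site_url, start=start,
                      count=count, riskId=risk_id)
        return r["alerts"]


def risk_gate(alerts, fail_at="High"):
    """Return (passed, offending_alerts): the check the plugin's own 'Passed'
    status does not make. Fails on any alert at or above the given risk."""
    threshold = RISK_ORDER[fail_at]
    bad = [a for a in alerts if RISK_ORDER.get(a.get("risk"), 0) >= threshold]
    return (len(bad) == 0, bad)


# Constructed offline stand-in for a ZAP instance; answers shaped like the API.
def fake_zap(url, api_key):
    if api_key != "changeme-apikey":
        raise PermissionError("bad_api_key")          # ZAP answers 403 here
    if "/spider/action/scan/" in url or "/ascan/action/scan/" in url:
        return {"scan": "0"}
    if "/view/status/" in url:
        return {"status": "100"}
    if "/core/view/alerts/" in url:
        return {"alerts": [   # constructed sample alerts
            {"risk": "High", "name": "SQL Injection", "url": "http://app.example/login"},
            {"risk": "Low", "name": "X-Content-Type-Options Header Missing",
             "url": "http://app.example/"},
        ]}
    raise ValueError("unexpected call: " + url)


def run_pipeline(client, target):
    """Spider, active-scan, then gate on the alerts for the target site."""
    sid = client.spider_scan(target, max_children="10")
    client.wait("spider", sid, poll_seconds=0)
    aid = client.active_scan(target)
    client.wait("ascan", aid, poll_seconds=0)
    return risk_gate(client.get_alerts(site_url=target, start="0", count="100"))


if __name__ == "__main__":
    zap = ZapClient("http://localhost:8080", "changeme-apikey", fake_zap)
    passed, bad = run_pipeline(zap, "http://app.example")
    print("gate passed" if passed else f"gate FAILED: {[a['name'] for a in bad]}")
```

Replacing `fake_zap` with the default `http_get_json` transport points the same code at a real on-premise ZAP; the gate then fails the build on the High alert while the plugin's own GetAlerts task would still report Passed.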
Disclaimers:
- This plug-in has been tested in a ZAP on-premise environment only.
- Connectivity between Kovair DevOps and the ZAP API URL of the on-premise instance must be ensured.
- Follow the link in order to understand how to get the API URL of the ZAP tool.
- The functionality depends solely on the ZAP API; if the API behaviour changes, the results may vary.
Release Details:
Initial version with basic functionalities.