Kovair DevOps and ZAP Integration Plugin

Kovair DevOps – ZAP Plugin Details

Plugin Version: 1.0

Overview

ZAP is used to test web applications for the most common vulnerabilities. This integration helps bring DevSecOps to the Kovair DevOps pipeline: the plugin integrates Kovair DevOps with the ZAP tool to automate spidering and scanning of web applications and retrieval of the alerts ZAP generates.

ZAP Information:

More information can be found at ZAP. 

Version Supported:

This plugin was developed and tested against ZAP version 2.12.0.

Plugin Operation:

1. SpiderScan

Runs the spider against the given URL (or context).

Input parameter(s):

| Parameter    | Is Mandatory | Help Text |
|--------------|--------------|-----------|
| Base URL     | true  | Provide the API URL of the ZAP tool. |
| API Key      | true  | Provide the API key of the ZAP tool. |
| Asynchronous | true  | If Yes, the pipeline does not wait for the scan to complete; it moves on to the next task immediately after triggering the scan. |
| Starting Url | false | Provide the URL of your application. |
| Max Children | false | Can be set to limit the number of children scanned. |
| Recurse      | false | Can be used to prevent the spider from seeding recursively. |
| Context Name | false | Constrains the scan to the named Context. |
| Subtree Only | false | Restricts the spider to the subtree of the site given by ‘Starting Url’. |

Output parameter(s):

| Parameter | Help Text |
|-----------|-----------|
| OutputLog | Response message content. |
| Status    | Status of the operation. |

2. SpiderScanAsUser

Runs the spider from the perspective of a User, obtained using the given Context ID and User ID.

Input parameter(s):

| Parameter    | Is Mandatory | Help Text |
|--------------|--------------|-----------|
| Base URL     | true  | Provide the API URL of the ZAP tool. |
| API Key      | true  | Provide the API key of the ZAP tool. |
| Asynchronous | true  | If Yes, the pipeline does not wait for the scan to complete; it moves on to the next task immediately after triggering the scan. |
| Context Id   | true  | Provide the context id. |
| User Id      | true  | Provide the user id. |
| Starting Url | false | Provide the URL of your application. |
| Max Children | false | Can be set to limit the number of children scanned. |
| Recurse      | false | Can be used to prevent the spider from seeding recursively. |
| Subtree Only | false | Restricts the spider to the subtree of the site given by ‘Starting Url’. |

Output parameter(s):

| Parameter | Help Text |
|-----------|-----------|
| OutputLog | Response message content. |
| Status    | Status of the operation. |

3. ActiveScan

Runs the active scanner against the given URL and/or Context.

Input parameter(s):

| Parameter        | Is Mandatory | Help Text |
|------------------|--------------|-----------|
| Base URL         | true  | Provide the API URL of the ZAP tool. |
| API Key          | true  | Provide the API key of the ZAP tool. |
| Asynchronous     | true  | If Yes, the pipeline does not wait for the scan to complete; it moves on to the next task immediately after triggering the scan. |
| Starting Url     | false | Provide the URL of your application. |
| Recurse          | false | Can be used to scan the URLs under the given URL as well. |
| In Scope Only    | false | Constrains the scan to URLs that are in scope (ignored if a Context is specified). |
| Scan Policy Name | false | Specifies the scan policy to use (if none is given, the default scan policy is used). |
| Method           | false | Selects, together with the given URL, a specific request to scan. |
| Post Data        | false | Selects, together with the given URL, a specific request to scan. |

Output parameter(s):

| Parameter | Help Text |
|-----------|-----------|
| OutputLog | Response message content. |
| Status    | Status of the operation. |

4. ActiveScanAsUser

Runs the active scanner from the perspective of a User, obtained using the given Context ID and User ID.

Input parameter(s):

| Parameter        | Is Mandatory | Help Text |
|------------------|--------------|-----------|
| Base URL         | true  | Provide the API URL of the ZAP tool. |
| API Key          | true  | Provide the API key of the ZAP tool. |
| Asynchronous     | true  | If Yes, the pipeline does not wait for the scan to complete; it moves on to the next task immediately after triggering the scan. |
| Starting Url     | false | Provide the URL of your application. |
| Context Id       | false | Provide the context id. |
| User Id          | false | Provide the user id. |
| Recurse          | false | Can be used to scan the URLs under the given URL as well. |
| Scan Policy Name | false | Specifies the scan policy to use (if none is given, the default scan policy is used). |
| Method           | false | Selects, together with the given URL, a specific request to scan. |
| Post Data        | false | Selects, together with the given URL, a specific request to scan. |

Output parameter(s):

| Parameter | Help Text |
|-----------|-----------|
| OutputLog | Response message content. |
| Status    | Status of the operation. |

5. GetAlerts

Gets the alerts raised by ZAP, optionally filtering by URL or risk id, and paginating with a ‘start’ position and a ‘count’ of alerts.

Input parameter(s):

| Parameter      | Is Mandatory | Help Text |
|----------------|--------------|-----------|
| Base URL       | true  | Provide the API URL of the ZAP tool. |
| API Key        | true  | Provide the API key of the ZAP tool. |
| Site URL       | false | Provide the URL of your application. |
| Start Position | false | Provide the start value; alerts are returned from that position onwards. |
| Alert Count    | false | Provide the number of alerts to fetch. |
| Risk Id        | false | Provide the risk id to get only the alerts of that risk level. |

Output parameter(s):

| Parameter | Help Text |
|-----------|-----------|
| OutputLog | Response message content. |
| Status    | Status of the operation. |

Pass/Fail Conditions:

| Method           | Status | Condition |
|------------------|--------|-----------|
| SpiderScan       | Passed | An HTTP status code of 200 (OK) is received from ZAP and OutputLog is not empty. |
| SpiderScan       | Failed | An HTTP status code of 200 (OK) is not received from ZAP, or OutputLog is empty. |
| SpiderScanAsUser | Passed | An HTTP status code of 200 (OK) is received from ZAP and OutputLog is not empty. |
| SpiderScanAsUser | Failed | An HTTP status code of 200 (OK) is not received from ZAP, or OutputLog is empty. |
| ActiveScan       | Passed | An HTTP status code of 200 (OK) is received from ZAP and OutputLog is not empty. |
| ActiveScan       | Failed | An HTTP status code of 200 (OK) is not received from ZAP, or OutputLog is empty. |
| ActiveScanAsUser | Passed | An HTTP status code of 200 (OK) is received from ZAP and OutputLog is not empty. |
| ActiveScanAsUser | Failed | An HTTP status code of 200 (OK) is not received from ZAP, or OutputLog is empty. |
| GetAlerts        | Passed | An HTTP status code of 200 (OK) is received from ZAP and OutputLog is not empty. |
| GetAlerts        | Failed | An HTTP status code of 200 (OK) is not received from ZAP, or OutputLog is empty. |
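The five operations above are thin wrappers over ZAP's JSON API, and they all share the Asynchronous switch and the pass/fail rule from the table. The following Python client is an added example, not the plugin's code, that drives the same endpoints (spider/action/scan, ascan/action/scan, the matching view/status calls and core/view/alerts of ZAP 2.12) and applies that rule. The `send` hook (so it can be exercised offline) and the `alerts_at_or_above` gate are this example's own additions; ZAP's API URL and key are assumed to come from the pipeline.

```python
import json
import time
import urllib.parse
import urllib.request

class ZapClient:
    def __init__(self, base_url, api_key, send=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.send = send or self._http_get  # injectable transport for offline tests

    def _http_get(self, url):
        # Key travels in the X-ZAP-API-Key header, not the query string, so it stays out of access logs.
        req = urllib.request.Request(url, headers={"X-ZAP-API-Key": self.api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()

    def call(self, component, kind, name, **params):
        # Unset optional parameters are omitted so ZAP applies its own defaults.
        clean = {k: (str(v).lower() if isinstance(v, bool) else v)
                 for k, v in params.items() if v is not None}
        query = urllib.parse.urlencode(clean)
        status, body = self.send(f"{self.base_url}/JSON/{component}/{kind}/{name}/?{query}")
        # Plugin rule: Passed only on HTTP 200 with a non-empty OutputLog.
        passed = status == 200 and body.strip() != ""
        return {"Status": "Passed" if passed else "Failed", "OutputLog": body}

    def scan(self, component, url, asynchronous=False, poll_seconds=2, **opts):
        # component "spider" (opts maxChildren, recurse, contextName, subtreeOnly) or "ascan" (opts recurse, inScopeOnly, scanPolicyName, method, postData)
        result = self.call(component, "action", "scan", url=url, **opts)
        if result["Status"] != "Passed" or asynchronous:
            return result  # Asynchronous=Yes: return right after triggering
        scan_id = json.loads(result["OutputLog"])["scan"]
        while True:  # synchronous: block until ZAP reports 100 % progress
            r = self.call(component, "view", "status", scanId=scan_id)
            if r["Status"] == "Failed" or json.loads(r["OutputLog"])["status"] == "100":
                return r
            time.sleep(poll_seconds)

    def get_alerts(self, site_url=None, start=None, count=None, risk_id=None):
        # risk_id uses ZAP's numbering: 0 Informational, 1 Low, 2 Medium, 3 High.
        return self.call("core", "view", "alerts", baseurl=site_url, start=start, count=count, riskId=risk_id)

def alerts_at_or_above(result, min_risk="High"):
    # Gate helper (this example's own addition): alerts at or above min_risk.
    if result["Status"] != "Passed":
        return None  # failed call: nothing to gate on
    order = ["Informational", "Low", "Medium", "High"]
    alerts = json.loads(result["OutputLog"]).get("alerts", [])
    return [a for a in alerts if order.index(a["risk"]) >= order.index(min_risk)]
```

A pipeline step would call `scan("spider", ...)`, then `scan("ascan", ...)`, then fail the build when `alerts_at_or_above(client.get_alerts(site_url=...))` is non-empty.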

Disclaimers:

  1. This plug-in has been tested against an on-premise ZAP environment only.
  2. Connectivity to the API URL of the on-premise ZAP instance must be ensured.
  3. Follow the link in order to understand how to get the API URL of the ZAP tool.
  4. The functionality depends solely on the ZAP API; if the API behaviour changes, the results may vary.

Release Details:

ZAP Plugin: 1.0
Initial version with basic functionalities.
