Secure Continuous Integration Part 2: A ZAP and Docker Tutorial

In the first blog post in this series, we covered how to set up our Selenium tests with OWASP ZAP within our local environment as a way of including security vulnerability assessment in our continuous integration process. In this Docker tutorial, we will cover how to “dockerize” our OWASP environment to execute vulnerability assessments and increase software security; additionally, we will explain how to automate this process.

The very first step within this tutorial is to install Docker. After we have successfully gone through the installation guide, and Docker is running on our machines, we will need to go to https://hub.docker.com/ and look for the official OWASP ZAP Image.

We will find 4 images under the “owasp” profile: 

• zap2docker-stable

• zap2docker-weekly

• zap2docker-live

• zap2docker-bare 

We will be using zap2docker-weekly in this Docker tutorial, but the steps should not vary between images, as you can see in the GitHub repository. Next, we need to open our terminal/CLI and pull the image from Docker Hub with the following command:

docker pull owasp/zap2docker-weekly

As you may remember from our previous post, we started by setting up a few environment variables:

ZAP_API_KEY='12345'
ZAP_PORT='8765'
ZAP_PATH='/Users/ZAP_2.7.0'

Now, we need to configure the proxy for our tests:

const proxy = 'http://localhost:8765';
const proxySettings = {
  proxy: {
    httpProxy: proxy,
    sslProxy: proxy,
    ftpProxy: proxy,
    proxyType: 'MANUAL',
    autodetect: false
  },
  'chrome.switches': [
    '--ignore-certificate-errors',
  ]
};

Note that we are including a switch for Chrome (chrome.switches) so that the browser does not stop on certificate errors: ZAP intercepts HTTPS traffic by re-signing it with its own root CA, which Chrome does not trust. Keep this switch confined to the security test run (or import ZAP's root CA into the test browser instead), because it disables certificate validation for everything the browser loads. Additionally, with port 8765 taken from the environment variable, we included a shortcut in the package.json file of our test project to start the tests with the proxy activated:

"scripts": {
  "security": "./node_modules/.bin/wdio conf.js --environment=web --proxy"
}

When we execute npm run security, the test settings are applied and our automated tests run through the OWASP ZAP proxy, so every single request made is analyzed for vulnerabilities.

Automating the Container Process & Exporting the Report

1. The next step within this Docker tutorial is to create a shell script called start-zap.sh.

We will run the image we previously pulled as user “zap” with port 8765 published, and we will capture the command's output, which is the ID of the new container, in a variable so that later scripts can refer to it. We save the ID in a file named container.txt. Two things to note about the options: -config api.disablekey=true turns off the API key we set in the first post, and -p 8765:8765 publishes the port on every interface of the host. On a shared CI runner, publish it on loopback only (-p 127.0.0.1:8765:8765) or keep the key enabled; otherwise anyone who can reach the runner can drive the scanner and read its session:

container="$(docker run -u zap -p 8765:8765 -d owasp/zap2docker-weekly zap.sh -daemon -host 0.0.0.0 -port 8765 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true)"

# docker run -d returns before ZAP is listening, so wait (up to 120 s) for the API to answer.
# zap-cli inside the container does not see our host ZAP_PORT variable, so pass the port explicitly.
docker exec $container zap-cli -p 8765 status -t 120
docker exec $container zap-cli -p 8765 session new

echo $container > "./scripts/security/container.txt"

Once the container ID is stored, the rest of the script follows the same ZAP workflow as the previous blog post (check that ZAP is up, start a new session), only executed inside the container through docker exec.

2. Create a shell script called stop-zap.sh.

The purpose of this script is to export our report in HTML once the tests have been run through the container, and then stop and remove the container so that each run starts from a brand new one. The script reads the container ID saved earlier, exports the report, copies it out of the container, and finally stops and removes the container.

container="$(cat ./scripts/security/container.txt)"

# Same explicit port as in start-zap.sh; zap-cli writes the report to ZAP's working directory (/zap).
docker exec "$container" zap-cli -p 8765 report -o vulnerability.html -f html

docker cp "$container:/zap/vulnerability.html" ./reports/vulnerability/vulnerability.html

docker stop "$container"
docker rm "$container"

3. The final step of this tutorial is to create the last script called security-test.sh.

This script chains the three steps, start-zap, the Selenium tests, and stop-zap, so that the whole assessment runs with a single command:

echo "Starting Zap Container"
sh ./scripts/security/start-zap.sh
echo "Running Selenium Tests"
npm run security
echo "Generating Report & Removing the Container"
sh ./scripts/security/stop-zap.sh
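The three scripts above folded into one, as an added example rather than the post's own scripts: it publishes the ZAP port on loopback only (the API key is disabled, so the API must not be reachable from the network), waits for the ZAP API to answer before creating a session, passes -p 8765 to zap-cli so it talks to the right port, removes the container on every exit path via trap, and fails the build when zap-cli reports High-risk alerts. It assumes docker, curl and npm are on PATH and that npm run security starts the suite as in the post; DOCKER, ZAP_PROBE and SAMPLE_ALERTS are names introduced here, and the sample alert list is constructed, not the output of a real scan.

```shell
#!/bin/sh
# security-test.sh, combined version (added example, not the post's scripts).
# Starts ZAP in Docker, waits for its API, runs the Selenium suite through
# the proxy, exports the HTML report, fails on High-risk alerts and always
# removes the container. Assumes docker, curl and npm are on PATH.
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-weekly}"
ZAP_PORT="${ZAP_PORT:-8765}"
REPORT_DIR="${REPORT_DIR:-./reports/vulnerability}"
DOCKER="${DOCKER:-docker}"           # hypothetical override hook, for dry runs
ZAP_PROBE="${ZAP_PROBE:-curl -sf}"   # hypothetical override hook, for tests

start_zap() {
  # The API key is disabled, so the port is published on loopback only;
  # "-p 8765:8765" would expose an unauthenticated ZAP API on every interface.
  $DOCKER run -u zap -d -p "127.0.0.1:${ZAP_PORT}:${ZAP_PORT}" "$ZAP_IMAGE" \
    zap.sh -daemon -host 0.0.0.0 -port "$ZAP_PORT" \
    -config api.disablekey=true \
    -config 'api.addrs.addr.name=.*' -config api.addrs.addr.regex=true
}

stop_zap() {
  # Registered with trap, so a failed run never leaves a container behind.
  [ -n "${container:-}" ] || return 0
  $DOCKER stop "$container" >/dev/null 2>&1 || true
  $DOCKER rm "$container" >/dev/null 2>&1 || true
}

wait_for_zap() {
  # Polls $1 until the ZAP API answers or $2 seconds have passed. "docker
  # run -d" returns before ZAP is listening, so zap-cli would otherwise fail
  # with a connection error on its first call.
  url="$1"; timeout="$2"; elapsed=0
  while ! $ZAP_PROBE "$url" >/dev/null 2>&1; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "ZAP did not answer within ${timeout}s" >&2
      return 1
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
}

high_alert_count() {
  # Counts alerts with "risk": "High" in zap-cli "alerts -f json" output
  # read from stdin (each ZAP alert object carries a "risk" field).
  grep -o '"risk": *"High"' | grep -c . || true
}

fail_if_high_alerts() {
  # Build gate: returns 1 when the JSON on stdin contains a High-risk alert.
  n="$(high_alert_count)"
  if [ "$n" -gt 0 ]; then
    echo "ZAP reported $n High-risk alert(s); failing the build" >&2
    return 1
  fi
  echo "no High-risk alerts"
}

# Constructed sample of zap-cli JSON output, used only to exercise the gate.
SAMPLE_ALERTS='[
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://app.test/search?q=x"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "http://app.test/"},
    {"alert": "SQL Injection", "risk": "High", "url": "http://app.test/login"}
]'

main() {
  mkdir -p "$REPORT_DIR"
  container="$(start_zap)"
  trap stop_zap EXIT
  wait_for_zap "http://127.0.0.1:${ZAP_PORT}/JSON/core/view/version/" 120
  # zap-cli inside the container does not default to our port, hence -p.
  $DOCKER exec "$container" zap-cli -p "$ZAP_PORT" session new
  status=0
  npm run security || status=$?      # keep going: the report is wanted even if a test failed
  $DOCKER exec "$container" zap-cli -p "$ZAP_PORT" report -o vulnerability.html -f html
  $DOCKER cp "$container:/zap/vulnerability.html" "$REPORT_DIR/vulnerability.html"
  $DOCKER exec "$container" zap-cli -p "$ZAP_PORT" alerts -l High -f json \
    | fail_if_high_alerts || status=1
  return "$status"
}

case "${1:-}" in
  run) main ;;
  *) echo "usage: sh $0 run" ;;
esac
```

Run it with sh ./scripts/security/security-test.sh run. The report is still exported when a functional test fails, and the exit status reflects both the test result and the alert gate, which is what a CI job needs to mark the build red.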

Security and containers are key aspects today for every organization, and being able to automate the vulnerability assessment process in early stages of the software development life cycle will reduce the cost of fixing security vulnerabilities. 

Thank you for reading this Docker tutorial within this Secure Continuous Integration series. This one was focused on Docker and security, and hopefully it has pointed you in the right direction to begin adding security to your continuous integration and automation testing processes. 

Kenneth Webb
Kenneth is a Senior Software Consultant with around 14 years of experience in different industries. He is passionate about software engineering and secure coding. In his free time he likes to spend time with his family, hike, and visit the beach.
