Using ZAP with Azure DevOps Pipelines (Part 1)

This blog post will show you how to integrate ZAP with Azure DevOps Pipelines. We will use the same example we used in https://augment1security.com/cicd/cicd-with-owasp-zap-docker-and-pipeline-scripting-part-1/. Please read this first to get some background information.

Prerequisites:

  • Microsoft Account
  • ZAP 2.10
  • An understanding of YAML syntax
  • YAML editor (e.g. Microsoft Visual Studio)
  • Git installed

Before we go into the actual pipeline yaml, there are a few things to note. We define the setup and scan as a single job instead of breaking them up into stages or separate jobs. By default, each job runs on the host machine where its agent is installed, so if the setup and scan were split into multiple jobs they could land on different hosts. That is not what we want, because both the target and ZAP have to be attached to the same user-defined docker network.

Also, it might be beneficial to go through the reference links below at the same time we go through the pipeline yaml.

References

In this example, we are also using the Azure Repos feature to store our files, just to simplify things. The code for this blog post is stored in GitHub (https://github.com/augmentonesecurity/dvwa_owasp_zap_config_azure_pipelines), which you can download and upload into your own Azure Repository.
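As an added illustration, and not the YAML from the post's repository, the pipeline below follows the design described above: one job, so every step runs on the same agent host; a user-defined docker network shared by the target container and the ZAP container; a "Running baseline scan" step that fails when ZAP reports findings; and a publish step that still uploads zap.log and testreport.html afterwards. The pool, image names, network name, target container and report directory are assumptions, as is the choice to capture the scanner's console output as zap.log.

```yaml
# Added example, not the pipeline from the post's repository.
# Assumptions: hosted ubuntu agent with Docker, DVWA as the target image,
# the owasp/zap2docker-stable image for ZAP 2.10, network name "zapnet".
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  zapNetwork: 'zapnet'                                  # assumed docker network name
  targetImage: 'vulnerables/web-dvwa'                   # assumed target image
  zapImage: 'owasp/zap2docker-stable'                   # assumed ZAP image
  reportDir: '$(Build.ArtifactStagingDirectory)/zap'    # where zap.log and testreport.html go

jobs:
  # One job on purpose: all steps run on the same host, so both containers
  # can join the same user-defined network.
  - job: zap_baseline
    displayName: 'Setup target and run ZAP baseline scan'
    steps:
      - script: |
          set -eu
          docker network create $(zapNetwork)
          # Start the target on the shared network; ZAP reaches it by container name.
          docker run -d --name target --network $(zapNetwork) $(targetImage)
          mkdir -p "$(reportDir)"
          # ZAP runs as an unprivileged user inside the container and must write the report here.
          chmod 777 "$(reportDir)"
        displayName: 'Create docker network and start target'

      - script: |
          # Poll the target over the shared network until it answers (assumed: DVWA on port 80).
          i=0
          until docker run --rm --network $(zapNetwork) curlimages/curl -sf -o /dev/null http://target/; do
            i=$((i+1))
            if [ "$i" -ge 30 ]; then echo "target never became ready"; exit 1; fi
            sleep 2
          done
        displayName: 'Wait for target'

      - script: |
          set -o pipefail
          # zap-baseline.py exits non-zero when it reports WARN/FAIL findings, so this step
          # (and therefore the build) fails against a vulnerable target, as the post expects.
          # -r writes the HTML report into /zap/wrk, which is mounted from reportDir;
          # tee keeps the console output as zap.log next to it.
          docker run --rm --network $(zapNetwork) \
            -v "$(reportDir):/zap/wrk/:rw" \
            $(zapImage) zap-baseline.py -t http://target/ -r testreport.html \
            2>&1 | tee "$(reportDir)/zap.log"
        displayName: 'Running baseline scan'

      # condition: always() is what lets the artifact be published even though the scan step failed.
      - task: PublishBuildArtifacts@1
        condition: always()
        inputs:
          pathToPublish: '$(reportDir)'
          artifactName: 'zap-results'
```

The publish task uploads the whole report directory as a single named artifact, which is why the job summary counts one artifact while two files (zap.log and testreport.html) are inside it. Without `condition: always()` on that task, the default `succeeded()` condition would skip it as soon as the scan step failed and the report would be lost.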

The Setup

Assuming that we already have all the files in the Azure Repo, as shown below:

We first create the pipeline job.

We follow the wizard to select where our code resides.

Next we select the repository.

We select how we want to configure the pipeline.

We select the yaml file we have in our repository.

Review the pipeline yaml file and run it.

You will see the job summary. Click on the job.

You will see the outline of the job. The "Running baseline scan" step failed as expected, because vulnerabilities were detected during the scan. Click on the "1 artifact" link.

Take note also that even though it says we have published 1 artifact, we have actually published 2 files: zap.log and testreport.html. You can download the files from here.

If you go back to the job summary, you will see the error that caused the build to fail.

Go to Part 2
