
OWASP ZAP / Zaproxy

Zaproxy is a widely used, open source security testing tool. It is intended to be used by both those new to application security as well as professional penetration testers.

We specifically support the Zaproxy output!

Set up Zaproxy in Gitlab

  • To set up a Zaproxy CI job in GitLab you will need a GitLab account and a GitLab project.

  • You will also need a GitLab personal access token.

    • You can create your access token by clicking on your avatar in the upper-right corner and selecting Settings
    • Click on Access Tokens in the left menu
    • Choose a name and an optional expiry date for the token
    • For scope select API
    • Click the Create personal access token button
    • Once you leave or refresh the page, you won’t be able to see your token again, so copy it somewhere safe
  • To push your results to Calliope you will need an account on Calliope.pro too.

  • Create a new .gitlab-ci.yml file in the root of your project, copy the example GitLab job from below and replace the following with your own values:

    • HOME_URL (the website you want to have scanned)
    • API_KEY (your Calliope API key)
    • PROFILE_ID (the Calliope profile ID)

  • Save the .gitlab-ci.yml file and start a test run

  • Link the Calliope project with the GitLab job (see: Calliope GitLab Integration)

Example

run-security-test:
  image: owasp/zap2docker-stable
  variables:
    HOME_URL: "https://www.calliope.pro"   # the website to scan
    API_KEY: YOUR_API_KEY                  # your Calliope API key (prefer a masked CI/CD variable over committing it)
    PROFILE_ID: YOUR_PROFILE_ID            # the Calliope profile ID
  allow_failure: true
  script:
    # zap-baseline.py writes its report into /zap/wrk; make sure the directory exists
    - mkdir -p /zap/wrk/
    # the baseline scan exits non-zero when it finds alerts; "|| true" keeps the job
    # going so the report is still copied and uploaded
    - /zap/zap-baseline.py -x security-report.xml -t "$HOME_URL" || true
    - cp /zap/wrk/security-report.xml .
    # upload the report that was just copied; do not set Content-Type by hand, because
    # curl -F generates the multipart header (including the boundary) itself and an
    # explicit header would overwrite it
    - curl --fail -X POST -H "x-api-key:$API_KEY" -F "file[]=@security-report.xml" https://app.calliope.pro/api/v2/profile/$PROFILE_ID/import/zaproxy
  artifacts:
    paths: [security-report.xml]
  when: manual
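The job above uploads the report regardless of what the scan found (the `|| true` and `allow_failure: true` swallow the scanner's exit code). If you also want the pipeline to fail on serious findings, the script below, an added example that is not part of the Calliope documentation or of the ZAP project, counts alerts in the ZAP XML report by risk level and returns a non-zero status when any alert reaches a chosen threshold. It assumes the report layout of `<alertitem>` elements each carrying a `<riskcode>` (0 = informational, 1 = low, 2 = medium, 3 = high); the embedded sample report is constructed for illustration and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Calliope page or the ZAP project): gate a CI job
# on the contents of the ZAP baseline XML report instead of ignoring the result.
# Assumption: the report contains <alertitem> elements with a <riskcode> child
# (0=info, 1=low, 2=medium, 3=high). The sample below is constructed.

SAMPLE_REPORT='<?xml version="1.0"?>
<OWASPZAPReport version="constructed" generated="constructed">
  <site name="https://www.example.test" host="www.example.test" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10020</pluginid>
        <name>Missing Anti-clickjacking Header</name>
        <riskcode>2</riskcode>
        <confidence>2</confidence>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <name>X-Content-Type-Options Header Missing</name>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
      </alertitem>
      <alertitem>
        <pluginid>40012</pluginid>
        <name>Cross Site Scripting (Reflected)</name>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>'

# count_alerts_at_or_above MIN_RISK REPORT_XML
# Prints the number of <alertitem> entries whose <riskcode> is >= MIN_RISK.
count_alerts_at_or_above() {
  min="$1"
  xml="$2"
  printf '%s\n' "$xml" \
    | sed -n 's/.*<riskcode>\([0-9]\)<\/riskcode>.*/\1/p' \
    | awk -v min="$min" '$1 >= min { n++ } END { print n + 0 }'
}

# gate_on_report MIN_RISK REPORT_XML
# Returns 0 when no alert reaches MIN_RISK, 1 otherwise (so a CI job fails).
gate_on_report() {
  n=$(count_alerts_at_or_above "$1" "$2")
  if [ "$n" -gt 0 ]; then
    echo "ZAP found $n alert(s) at risk level $1 or higher" >&2
    return 1
  fi
  echo "No ZAP alerts at risk level $1 or higher"
  return 0
}

# Usage in the CI job, after the scan has written security-report.xml and the
# report has been uploaded (so Calliope still receives it on failure):
#   gate_on_report 3 "$(cat security-report.xml)"
```

Run the gate as the last script line of the job, after the `curl` upload, so that a failing gate still leaves the report in Calliope and in the job artifacts; with the gate in place you can drop `allow_failure: true` and let the pipeline reflect the scan outcome.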

Improve this documentation

Do you have more information on setting up Zaproxy, or on how to put it in a different pipeline such as Jenkins or Travis CI? Let us know!