diff --git a/Dockerfile b/Dockerfile
index 7e9b33c..c9a7c7e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,11 @@
 FROM owasp/zap2docker-stable:latest
-# Copy in default tests
-COPY tests /zap/wrk
+# Copy in default test configuration
+COPY gen.conf /zap/wrk
-CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web"]
\ No newline at end of file
+# Install default/autotest configuration and mount
+VOLUME ["/src"]
+WORKDIR /src
+COPY pages.txt /src/
+
+CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web"]
diff --git a/README.md b/README.md
index 34538b7..05d2ce8 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,7 @@
-# ci-zap
\ No newline at end of file
+# Docker Image for OWASP ZAP
+
+Learn more about OWASP ZAP:
+ * [OWASP ZAP core documentation](https://github.com/zaproxy/zaproxy)
+ * [Zap Baseline scan options](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan)
+ * [Zap Docker documentation](https://github.com/zaproxy/zaproxy/wiki/Docker)
+
diff --git a/gen.conf b/gen.conf
new file mode 100644
index 0000000..70351b1
--- /dev/null
+++ b/gen.conf
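Review bot: The rule file copied to `/zap/wrk` is never handed to the scanner — `zap-baseline.py` only applies a rule configuration when started with `-c <file>`, and the new CMD on the last line of the Dockerfile hunk still omits it, so the WARN/IGNORE actions in gen.conf have no effect unless someone overrides the command at run time. Since the script resolves that path under `/zap/wrk/` (as far as I recall from the baseline script), the fix is one line: `CMD ["zap-baseline.py", "-d", "-c", "gen.conf", "-r", "zap.html", "-t", "http://web"]`. Separately, `VOLUME ["/src"]` is declared before `COPY pages.txt /src/`; the classic builder discards writes made to a volume path after its declaration, and any bind mount on `/src` at run time hides the copied file anyway, so either do the COPY before the VOLUME line or keep pages.txt out of the mounted directory. The unchanged `FROM owasp/zap2docker-stable:latest` also means the rule set and scanner behaviour can drift between builds; pinning a tag or digest would make CI results reproducible.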
@@ -0,0 +1,43 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10010 WARN (Cookie No HttpOnly Flag)
+10011 WARN (Cookie Without Secure Flag)
+10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set)
+10016 WARN (Web Browser XSS Protection Not Enabled)
+10017 IGNORE (Cross-Domain JavaScript Source File Inclusion)
+10019 WARN (Content-Type Header Missing)
+10020 WARN (X-Frame-Options Header Scanner)
+10021 WARN (X-Content-Type-Options Header Missing)
+10023 WARN (Information Disclosure - Debug Error Messages)
+10024 WARN (Information Disclosure - Sensitive Informations in URL)
+10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026 WARN (HTTP Parameter Override)
+10027 WARN (Information Disclosure - Suspicious Comments)
+10032 WARN (Viewstate Scanner)
+10040 WARN (Secure Pages Include Mixed Content)
+10055 IGNORE (CSP Scanner)
+10038 IGNORE (Content Security Policy (CSP) Header Not Set)
+10105 WARN (Weak Authentication Method)
+10202 WARN (Absence of Anti-CSRF Tokens)
+2 WARN (Private IP Disclosure)
+3 WARN (Session ID in URL Rewrite)
+50001 WARN (Script Passive Scan Rules)
+90001 WARN (Insecure JSF ViewState)
+90011 WARN (Charset Mismatch)
+90022 WARN (Application Error Disclosure)
+90030 WARN (WSDL File Passive Scanner)
+90033 WARN (Loosely Scoped Cookie)
+
+# Ignore no-cache header warnings on TLS
+10015 IGNORE (Incomplete or No Cache-control and Pragma HTTP Header Set)
+
+# Ignore cached pages that don't initiate a session and don't need CSRF tokens.
+# Commenting them out as they are Drupal-specific, and we want a flag to enable them.
+#10202 OUTOFSCOPE http://web/
+#10202 OUTOFSCOPE http://web
+#10202 OUTOFSCOPE http://web/user/login
+#10202 OUTOFSCOPE http://web/user/password
+#90022 OUTOFSCOPE http://web/user/login
+#10016 OUTOFSCOPE http://web/sitemap.xml
diff --git a/pages.txt b/pages.txt
new file mode 100644
index 0000000..b498fd4
--- /dev/null
+++ b/pages.txt
@@ -0,0 +1 @@
+/
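Review bot: Rule `10015` is listed twice with conflicting actions — `10015 WARN (...)` in the main table and `10015 IGNORE (...)` under the "Ignore no-cache header warnings on TLS" comment; the baseline script keeps the last action it reads for an id, as far as I recall, so the rule is silenced for every URL, the first line is dead, and the comment is misleading because the IGNORE is not restricted to TLS pages. Remove the earlier `10015 WARN` line, and if only the HTTPS pages should be excluded, use per-URL `10015 OUTOFSCOPE <url>` entries as the commented-out block at the end already does for other rules. The two CSP rules (`10055 IGNORE`, `10038 IGNORE`) and `10017 IGNORE` drop those findings from the report entirely; since WARN reports without failing the scan, consider leaving them at WARN unless there is a documented reason, and record that reason in a comment next to the line. Note also that the target is plain `http://web`, so the cookie-Secure (10011) and mixed-content (10040) rules will not exercise what the TLS deployment actually serves; a comment above those lines saying the scan runs over HTTP would save the next reader from trusting a clean result.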