Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added default warning config and setup. #1

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Added default warning config and setup. #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7b7fd69
Added default warning config and setup.
synterra Dec 30, 2019
c332483
Set gen.conf to baseline config.
synterra Jan 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
FROM owasp/zap2docker-stable:latest

# Copy in default tests
COPY tests /zap/wrk
# Copy in default test configuration
COPY gen.conf /zap/wrk

CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web"]
# Install default/autotest configuration and mount
VOLUME ["/src"]
WORKDIR /src
COPY pages.txt /src/

CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web", "-c", "gen.conf"]
8 changes: 7 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,7 @@
# ci-zap
# Docker Image for OWASP ZAP

Learn more about OWASP ZAP:
* [OWASP ZAP core documentation](https://github.com/zaproxy/zaproxy)
* [Zap Baseline scan options](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan)
* [Zap Docker documentation](https://github.com/zaproxy/zaproxy/wiki/Docker)

30 changes: 30 additions & 0 deletions gen.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
synterra marked this conversation as resolved.
Show resolved Hide resolved
10010 WARN (Cookie No HttpOnly Flag)
10011 WARN (Cookie Without Secure Flag)
10012 WARN (Password Autocomplete in Browser)
10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set)
10016 WARN (Web Browser XSS Protection Not Enabled)
10017 WARN (Cross-Domain JavaScript Source File Inclusion)
10019 WARN (Content-Type Header Missing)
10020 WARN (X-Frame-Options Header Scanner)
10021 WARN (X-Content-Type-Options Header Missing)
10023 WARN (Information Disclosure - Debug Error Messages)
10024 WARN (Information Disclosure - Sensitive Informations in URL)
10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header)
10026 WARN (HTTP Parameter Override)
10027 WARN (Information Disclosure - Suspicious Comments)
10032 WARN (Viewstate Scanner)
10040 WARN (Secure Pages Include Mixed Content)
10105 WARN (Weak Authentication Method)
10202 WARN (Absence of Anti-CSRF Tokens)
2 WARN (Private IP Disclosure)
3 WARN (Session ID in URL Rewrite)
50001 WARN (Script Passive Scan Rules)
90001 WARN (Insecure JSF ViewState)
90011 WARN (Charset Mismatch)
90022 WARN (Application Error Disclosure)
90030 WARN (WSDL File Passive Scanner)
90033 WARN (Loosely Scoped Cookie)
1 change: 1 addition & 0 deletions pages.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
/