
I suspect that what I am trying to do is something that has been done before. Hopefully, this is possible and someone knows how it's done. Any information would be greatly appreciated.

I am attempting to run both Selenium and OWASP ZAP in the same job in Jenkins. Essentially, I want Jenkins to start ZAP, run the Selenium tests while using ZAP as a proxy, and then start a ZAP scan using the locations provided by Selenium.

I found some instructions, which appeared like they would be helpful, on the Jenkins site at https://wiki.jenkins.io/display/JENKINS/Execute+ZAP+as+part+of+a+Selenium+Build .

Unfortunately, the article says two apparently opposing things in two separate places. First, "The Selenium build step must be placed before the Execute ZAP build step." Second, "Run [ZAP] as Pre-Build Step". So do I start ZAP first or run Selenium first?

It seems obvious that I must first start ZAP, leave it running while Selenium does its thing, and then perform the scan. Unfortunately, the "Execute ZAP" step from the "Official OWASP ZAP Jenkins Plugin" appears to execute only as a discrete step. After it starts, it must finish before any other steps are executed. Is there a way I can get ZAP to keep running until after Selenium completes?

harrys

1 Answer


I solved my problem. There is a way to start ZAP in Jenkins, then run the Selenium process and then perform the ZAP scan.

The instructions explained how. I just misread them.

It was correct that I was supposed to place Selenium before Jenkins. What I was supposed to do was to start the Selenium tests in the "Build" section. I then add "Execute ZAP" as a "Post Step". In the "Execute ZAP" settings, however, there is a "Startup" section. In that section, I check "Run as Pre-Build Step".

That simple. Jenkins sees that I checked "Run as Pre-Build Step" and executes the ZAP startup as a pre-build step, but performs the actual commands as a post-build step.

So, the documentation said it exactly as it should have been said. I just misunderstood it, going so far as to quote the misunderstood sections in my original question.

harrys
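The same three-phase ordering the answer describes (ZAP started first and left running, Selenium run through it, scan last), written as a script that drives ZAP's JSON API directly rather than through the Jenkins plugin. This is an added example, not code from the post or from the plugin; it assumes `zap.sh` is on the PATH, that port 8090 is free, a hypothetical `ZAP_API_KEY` environment variable, and a Selenium suite whose browser is already configured to proxy through `127.0.0.1:8090`.

```python
import json, os, subprocess, sys, time
import urllib.parse, urllib.request

ZAP_API = "http://127.0.0.1:8090"                       # assumed ZAP listen address
API_KEY = os.environ.get("ZAP_API_KEY", "ci-local-key")  # hypothetical name, placeholder default
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # API calls bypass any proxy

def zap(path, base=ZAP_API, **params):
    """Call one ZAP JSON API endpoint and return the decoded reply."""
    query = urllib.parse.urlencode({"apikey": API_KEY, **params})
    with DIRECT.open(f"{base}/JSON/{path}/?{query}", timeout=30) as resp:
        return json.load(resp)

def wait_for_zap(base=ZAP_API, tries=60, delay=2.0):
    """Block until the daemon answers, so no test runs before the proxy is up."""
    for _ in range(tries):
        try:
            return zap("core/view/version", base)["version"]
        except OSError:
            time.sleep(delay)
    raise RuntimeError("ZAP API never came up")

def scan_recorded_site(target, base=ZAP_API, delay=5.0):
    """Active-scan the site the proxied tests visited and return ZAP's alerts."""
    seen = [u for u in zap("core/view/urls", base)["urls"] if u.startswith(target)]
    if not seen:  # Selenium bypassed the proxy: a scan would cover nothing
        raise RuntimeError(f"ZAP recorded no traffic for {target}")
    scan_id = zap("ascan/action/scan", base, url=target, recurse="true")["scan"]
    while int(zap("ascan/view/status", base, scanId=scan_id)["status"]) < 100:
        time.sleep(delay)
    return zap("core/view/alerts", base, baseurl=target)["alerts"]

def run_job(target, test_cmd):
    # 1. Startup ("Run as Pre-Build Step"): launch ZAP and leave it running.
    daemon = subprocess.Popen(["zap.sh", "-daemon", "-host", "127.0.0.1",
                               "-port", "8090", "-config", f"api.key={API_KEY}"])
    try:
        wait_for_zap()
        # 2. Build: the Selenium suite, whose browser must use ZAP_API as its proxy.
        subprocess.run(test_cmd, check=True)
        # 3. Post step: scan what the tests exercised.
        return scan_recorded_site(target)
    finally:
        daemon.terminate()
        daemon.wait()

if __name__ == "__main__":
    high = [a for a in run_job(sys.argv[1], sys.argv[2:]) if a["risk"] == "High"]
    sys.exit(1 if high else 0)   # fail the Jenkins build on high-risk alerts
```

Invoked as `script.py <target-base-url> <test command...>`, it refuses to scan when ZAP saw no traffic for the target, which is the usual symptom of a browser that never picked up the proxy setting.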