1

Company wants to start improving security. The test team uses the OWASP ZAP tool (GUI version) to scan the new version for vulnerabilities. That usually takes between half an hour and 90 minutes.

How do we include the scan in a CI/CD pipeline in a way that is fast (under 5 minutes) but still provides feedback?

schroeder

Mate Mrše
  • Why do you want to use Zap, in particular, in your pipeline? Why not use a tool that can provide what you want in the timeframe you want? – schroeder Nov 09 '21 at 13:45
  • @schroeder Are you going to suggest one that will provide the same features as ZAP but magically does it in a fraction of the time? :) – Simon Bennetts Nov 09 '21 at 13:55
  • @SimonBennetts ... no ... but a proxy scan in a pipeline does not seem like the correct tool to use ... – schroeder Nov 09 '21 at 13:58
  • @schroeder We are looking for a starting point, and Zap seems like a good fit: it is free, and team members are somewhat familiar with it. – Mate Mrše Nov 09 '21 at 14:10
  • Exactly, and the baseline scan only takes a minute or 2. But if that's too long then it's not for you... – Simon Bennetts Nov 09 '21 at 15:56

1 Answer

2

Scanning for vulnerabilities takes time. If you want any tool to perform a thorough active scan of your site, then it will take time.

However, you can use the ZAP baseline scan, which just does a one-minute spider of your site (by default) and then performs passive scanning - https://www.zaproxy.org/docs/docker/baseline-scan/ - this will pick up things like missing security headers and missing anti-CSRF tokens.

You can still perform a full ZAP scan on a scheduled basis, for example once a week.

Simon Bennetts
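As an added example (not code from the answer or from the ZAP project), a POSIX shell wrapper that runs the baseline scan as a CI stage and turns its documented exit code into a build decision. The target URL, report directory, the ZAP_STRICT and ZAP_RUN variables and the ghcr.io image tag are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer or the ZAP project: run the ZAP baseline scan
# as a short CI stage and turn its exit code into a build decision.
# Assumptions: Docker is on the CI runner, the app under test is reachable at
# $ZAP_TARGET, and ghcr.io/zaproxy/zaproxy:stable is the image tag in use.
set -u

TARGET="${ZAP_TARGET:-https://staging.example.invalid}"   # placeholder target URL
REPORT_DIR="${ZAP_REPORT_DIR:-$PWD/zap-out}"               # assumed report location

# zap-baseline.py flags: -t target, -m spider minutes (1 keeps the stage short),
# -r / -J write the HTML / JSON reports into /zap/wrk, the mounted report dir.
run_baseline() {
  mkdir -p "$REPORT_DIR"
  docker run --rm -v "$REPORT_DIR":/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable \
    zap-baseline.py -t "$1" -m 1 -r zap-report.html -J zap-report.json
}

# Documented zap-baseline.py exit codes:
# 0 = no WARN or FAIL, 1 = at least one FAIL, 2 = WARNs only, other = scan error.
interpret_exit() {
  case "$1" in
    0) echo pass ;;
    1) echo fail ;;
    2) echo warn ;;
    *) echo error ;;
  esac
}

# Build gate: FAILs and scan errors always block; WARNs block only when strict=1,
# so a team starting out can run permissively and tighten later.
gate() {  # $1 = scan exit code, $2 = strict flag (0/1); returns 1 to block the build
  case "$(interpret_exit "$1")" in
    pass) echo "baseline scan clean"; return 0 ;;
    warn) if [ "$2" = 1 ]; then echo "warnings found, strict mode: blocking"; return 1; fi
          echo "warnings found, review zap-report.html"; return 0 ;;
    fail) echo "baseline scan FAILed, review zap-report.html"; return 1 ;;
    *)    echo "scan did not complete (exit $1)"; return 1 ;;
  esac
}

main() {
  rc=0
  run_baseline "$TARGET" || rc=$?
  gate "$rc" "${ZAP_STRICT:-0}"
}

# Run the scan only when ZAP_RUN=1 so the functions can be sourced and tested without Docker.
if [ "${ZAP_RUN:-0}" = 1 ]; then main; fi
```

The same gate can be fed a rules file via the script's `-c` option when specific passive rules should be promoted to FAIL or ignored, which is how the weekly full scan and the quick baseline can share one policy.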