ZAProxy: Integrate with Jenkins

Integrate ZAP with Jenkins

STEP 1: ZAP Jenkins Plugin
To integrate ZAP with Jenkins, you’ll first need the ZAP Jenkins plugin. You can get it under Manage Jenkins -> Manage Plugins: install the OWASP ZAP Official plugin from the Available tab.

STEP 2: Installing ZAP Locally
Under Manage Jenkins -> Global Tool Configuration, click Custom Tool installation. In the Custom Tool section, provide the OWASP ZAP tar download link and the directory name.
Note: If you do not see the Custom Tool Installation option, you need to install a plugin called “Custom Tool Installation”. To get it, follow the same process as in Step 1.

STEP 3: Running ZAP on Jenkins
By now, you should have ZAP and its plugin installed. Next, you need to configure two essential settings: the ZAP host and port. Go to Manage Jenkins -> Configure System and fill in the ZAP Host and Port fields under the ZAP section.

STEP 4: Create New Project
Click New Item, create a new Job as a Freestyle Project, and click OK.

STEP 5: Save Project
Click Save without making any configuration changes for the Job.

STEP 6: Create Workspace
Click Build Now to create a workspace on the master machine.

STEP 7: Build Environment
Go to the ZAP project’s Configure page. Click Configure and select Build Environment. Check the Install Custom Tools option and select the ZAP tool.

STEP 8: Execute ZAP
Select the Build tab under the project configuration, click Add build step, and select Execute ZAP.

STEP 9.1: Installing ZAP
Use the Installation Method option to specify how ZAP will be installed on the master machine, and specify the absolute path of the ZAP Home Directory you would like created. Alternatively, specify .ZAP as a relative path for the ZAP Home Directory; the .ZAP folder will then be created automatically under the Jenkins Custom Tools directory (/var/lib/Jenkins/tools/../.ZAP/).

Note: If you specified a custom path for the ZAP Home Directory, make sure Jenkins has the permission needed to create a directory at that path. For example, if the Jenkins user does not have permission to create a directory under /home/, you’ll have to create the directory manually and change the owner of the folder to the Jenkins user.

STEP 9.2: Find ZAP Installation Directory
If you already have ZAP installed, select the “System Installed: ZAP Installation Directory” option and leave the environment variable input at its default.

Now, specify the ZAP installed path for the environment variable (ZAPROXY_HOME).

9.2.1: Go to Manage Jenkins -> Configure System and select the Environment variables checkbox under Global Properties. Click Add.
9.2.2: Enter the name as ZAPROXY_HOME and set the value to the ZAP installation path. In this example, it would be /opt/zaproxy. Save the changes.

Then continue with your ZAP configuration. Under ZAP Home Directory, provide the path ending in “.ZAP”. (The ZAP Home Directory was already created when ZAP was run for the first time on your local machine. In this example it would be /home/umar/.ZAP.)

STEP 10: Testing
So far, you’ve connected ZAP with Jenkins and configured it so that ZAP is triggered during the build process. Now you need to provide information on the application or URL to be tested. This part is still done under the Build tab.
10.1: First, create a persisted session in ZAP under the Session Management section.
10.2: Next, provide the application name and URL under Session Properties Options in regex format. Under Include in Context, supply the URL. Under Exclude in Context, provide the parameters that should not be actively scanned or spidered.

STEP 11: Attack Mode
Under the Attack Mode section of the Build tab, enter the URL in the Starting Point field for spidering the application, and select the Spider Scan option. Leave the rest of this section at its defaults. Enable the Active Scan checkbox and select the Policy from the dropdown list. If the dropdown list is empty, which will be the case the first time you run ZAP, the Default Policy will be used for the active scan.

STEP 12: Generate Report
Tick the Generate Report checkbox and provide all the information needed to generate the report in HTML and XML format. Use a unique filename for every iteration of the scan.

STEP 13: Post-build Actions
Under Post-build Actions:
13.1: Click Add Post-Build Action and select Archive the artifacts. In the input field under Archive the artifacts, add the following directories, separated by commas:
13.2: Click Add Post-Build Action and select Publish HTML Reports. Then click Add and input the directory where the HTML reports are stored. Under the Index page input field, specify the filename used in step 12 along with the .html extension. In this example, use
 
STEP 14: Complete Build
Click Save, then click Build Now. Once the build has completed, you can view the HTML report on the job dashboard and the other archived files from the workspace.
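Viewing the report is only the first use of it; a practitioner usually also wants the build to fail when the scan finds serious issues. The script below is an added example (not part of this tutorial or the ZAP plugin) that reads the XML report written in step 12 and returns a non-zero exit status if any Medium or High alert is present, so it can run as an Execute shell build step after Execute ZAP with the XML filename from step 12 as its argument. The embedded report is a constructed sample in the layout of the ZAP XML report.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample laid out like the ZAP XML report from step 12; not a real scan result.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.x" generated="constructed sample">
  <site name="http://example.test" host="example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <riskdesc>Low (Medium)</riskdesc>
      </alertitem>
      <alertitem>
        <pluginid>40018</pluginid>
        <alert>SQL Injection</alert>
        <riskcode>3</riskcode>
        <riskdesc>High (Medium)</riskdesc>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

def summarize(report_xml):
    """Count <alertitem> elements per ZAP risk code (0-3) across all <site> entries."""
    counts = Counter()
    for item in ET.fromstring(report_xml).iter("alertitem"):
        counts[int(item.findtext("riskcode", "0"))] += 1
    return counts

def should_fail(counts, max_risk_allowed=1):
    """True if any alert exceeds the allowed risk code (default: Medium or High fails the build)."""
    return any(risk > max_risk_allowed and n > 0 for risk, n in counts.items())

def main(path=None):
    """Print a per-risk summary; return 1 (fail the build) or 0, for use as a shell step."""
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    counts = summarize(xml_text)
    for risk in sorted(counts, reverse=True):
        print(f"{RISK_NAMES.get(risk, risk)}: {counts[risk]} alert(s)")
    return 1 if should_fail(counts) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run with no argument to see the constructed sample (exit status 1 because of the High alert); in Jenkins, pass the XML report path from step 12 so the job goes red on findings above the threshold.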
 
STEP 15: Build Triggers
Go to the ZAP project, click Configure, and select the Build Triggers tab. Under the Build Triggers section, select whichever option is preferable for your CI/CD pipeline.
