Back
Featured image of post Make cloud base ZAP Scanning Environment Using github-action

Make cloud base ZAP Scanning Environment Using github-action

Hi hackers and bugbounty hunters :D Today, I talk about building a github-action-based ZAP scanning environment. As you know, there is no time limit for public repo, so you can configure a cloud-based vulnerability scanner for free πŸ˜‰

μ €λŠ” 보톡 개인적인 μž‘μ—… μ‹œ ν™ˆμ„œλ²„μ˜ ZAP을 μŠ€μΊλ„ˆλ‘œ 많이 μ‚¬μš©ν•©λ‹ˆλ‹€. λ‹€λ§Œ ZAP의 μŠ€μΊ”λŸ‰μ΄ λ§Žμ•„μ§€λŠ” 경우 μ„œλ²„ 피씨가 ꡉμž₯히 νž˜λ“€μ–΄ν•˜λŠ”κ±Έ 느끼고 μžˆμ–΄, κ°€λŠ₯ν•œ ZAP μŠ€μΊλ‹λ„ ν΄λΌμš°λ“œ ν™˜κ²½μœΌλ‘œ λ„˜κ²¨λ³΄λ €κ³  ν–ˆμ—ˆμŠ΅λ‹ˆλ‹€. (μ΄λŠ” 벌써 2λ…„μ „λΆ€ν„° λΉ„μš©μ„ μ΅œμ†Œν™”ν•˜λŠ” 방법듀을 μ°Ύκ³ μžˆμ—ˆλ„€μš”. λŒ€ν‘œμ μœΌλ‘œ heroku…)

μ•„λ¬΄νŠΌ 졜근 github action μͺ½μœΌλ‘œ μž‘μ—…μ„ 많이 ν•˜κ³ μžˆλŠ”λ°, λ³΄λ‹€λ³΄λ‹ˆ 취약점 μŠ€μΊλ‹ μž‘μ—…μ„ CI/CD DAST의 λͺ©μ μ΄ μ•„λ‹Œ, λ‹¨μˆœν•œ 맀뉴얼 μŠ€μΊλ„ˆλ‘œλ„ μ“Έ 수 μžˆμ„ 것 κ°™μ•„μ„œ κΈ€λ‘œ μž‘μ„±ν•΄λ΄…λ‹ˆλ‹€.

What is Github Actions(workflow)

Github action is automate, customize, and execute software development workflows right in repository. Can discover, create, and share actions to perform any job you’d like, including CI/CD, and combine actions in a completely customized workflow.

Github action은 githubμ—μ„œ μ œκ³΅ν•˜λŠ” CI/CDλ₯Ό μœ„ν•œ μžλ™ν™” ν™˜κ²½μž…λ‹ˆλ‹€. workflow 파일둜 μˆ˜ν–‰ν•  μ•‘μ…˜κ³Ό 쑰건을 λͺ…μ‹œν•˜λ©΄ ν•΄λ‹Ή 쑰건이 트리거될 λ•Œ μ˜λ„ν•œ μ•‘μ…˜(λΉŒλ“œ/배포/ν…ŒμŠ€νŒ… λ“±λ“±)이 μˆ˜ν–‰λ©λ‹ˆλ‹€.

ZAP workflow for CI/CD DAST Scanning

ZAP, the representative of DAST, is also adding and managing github action. Typically, it is divided into baseline scan and fullscan.

DAST의 λŒ€ν‘œμ£ΌμžμΈ ZAP은 github action λ˜ν•œ μΆ”κ°€ν•˜κ³  κ΄€λ¦¬μ€‘μž…λ‹ˆλ‹€. λŒ€ν‘œμ μœΌλ‘œ baseline scanκ³Ό fullscan으둜 λ‚˜λ‰˜μ–΄μ Έ μžˆμŠ΅λ‹ˆλ‹€.

How? manually scanning

Github action is designed to work only under certain conditions, such as push, pull request, and cron. However, if using workflow_dispatch, can manual workflow triggers.

기본적으둜 github action은 push, pull request 및 cron λ“± νŠΉμ • μ‘°κ±΄μ—μ„œλ§Œ λ™μž‘ν•˜λ„λ‘ μ„€κ³„λ˜μ–΄ μžˆμŠ΅λ‹ˆλ‹€. κ·Έλ ‡μ§€λ§Œ workflow_dispatchλΌλŠ”κ±Έ μ§€μ›ν•΄μ£Όλ©΄μ„œ, λ§€λ‰΄μ–Όν•œ workflow νŠΈλ¦¬κ±°λ„ κ°€λŠ₯ν•©λ‹ˆλ‹€.

https://www.hahwul.com/2020/10/18/how-to-trigger-github-action-manually

Test ZAP Manual Scanning in git-action

My testing git repository

Make workflow file

Workflow file(.github/workflow/zap-scan.yml)

name: ZAP-SCAN
on:
   schedule:
     - cron: '0 2 * * sun' #
   workflow_dispatch:
      inputs:
         target:
            description: 'target URL'     
            required: true
            default: ''

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the webapplication
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: main
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.4.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: "${{ github.event.inputs.target }}"
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
  • workflow_dispatch: for manually
  • workflow_dispatch/inputs: value and parameter
  • jobs/zap_scan: zap scanning

Run git-action with parameter

Your repo > Actions > Your action name > Run workflow > Input parameter and run workflow

1414

Running..

1415

Finish

When finished, the results are registered as an issue.

μ™„λ£Œλ˜λ©΄ κ²°κ³ΌλŠ” issue둜 λ“±λ‘λ©λ‹ˆλ‹€. 1416

Referneces