Make cloud base ZAP Scanning Environment Using github-action

by hahwul 1 min read

Hi hackers and bugbounty hunters :D Today, I talk about building a github-action-based ZAP scanning environment. As you know, there is no time limit for public repo, so you can configure a cloud-based vulnerability scanner for free ๐Ÿ˜‰

์ €๋Š” ๋ณดํ†ต ๊ฐœ์ธ์ ์ธ ์ž‘์—… ์‹œ ํ™ˆ์„œ๋ฒ„์˜ ZAP์„ ์Šค์บ๋„ˆ๋กœ ๋งŽ์ด ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค. ๋‹ค๋งŒ ZAP์˜ ์Šค์บ”๋Ÿ‰์ด ๋งŽ์•„์ง€๋Š” ๊ฒฝ์šฐ ์„œ๋ฒ„ ํ”ผ์”จ๊ฐ€ ๊ต‰์žฅํžˆ ํž˜๋“ค์–ดํ•˜๋Š”๊ฑธ ๋Š๋ผ๊ณ  ์žˆ์–ด, ๊ฐ€๋Šฅํ•œ ZAP ์Šค์บ๋‹๋„ ํด๋ผ์šฐ๋“œ ํ™˜๊ฒฝ์œผ๋กœ ๋„˜๊ฒจ๋ณด๋ ค๊ณ  ํ–ˆ์—ˆ์Šต๋‹ˆ๋‹ค. (์ด๋Š” ๋ฒŒ์จ 2๋…„์ „๋ถ€ํ„ฐ ๋น„์šฉ์„ ์ตœ์†Œํ™”ํ•˜๋Š” ๋ฐฉ๋ฒ•๋“ค์„ ์ฐพ๊ณ ์žˆ์—ˆ๋„ค์š”. ๋Œ€ํ‘œ์ ์œผ๋กœ herokuโ€ฆ)

์•„๋ฌดํŠผ ์ตœ๊ทผ github action ์ชฝ์œผ๋กœ ์ž‘์—…์„ ๋งŽ์ด ํ•˜๊ณ ์žˆ๋Š”๋ฐ, ๋ณด๋‹ค๋ณด๋‹ˆ ์ทจ์•ฝ์  ์Šค์บ๋‹ ์ž‘์—…์„ CI/CD DAST์˜ ๋ชฉ์ ์ด ์•„๋‹Œ, ๋‹จ์ˆœํ•œ ๋งค๋‰ด์–ผ ์Šค์บ๋„ˆ๋กœ๋„ ์“ธ ์ˆ˜ ์žˆ์„ ๊ฒƒ ๊ฐ™์•„์„œ ๊ธ€๋กœ ์ž‘์„ฑํ•ด๋ด…๋‹ˆ๋‹ค.

What is Github Actions(workflow)

Github action is automate, customize, and execute software development workflows right in repository. Can discover, create, and share actions to perform any job youโ€™d like, including CI/CD, and combine actions in a completely customized workflow.

Github action์€ github์—์„œ ์ œ๊ณตํ•˜๋Š” CI/CD๋ฅผ ์œ„ํ•œ ์ž๋™ํ™” ํ™˜๊ฒฝ์ž…๋‹ˆ๋‹ค. workflow ํŒŒ์ผ๋กœ ์ˆ˜ํ–‰ํ•  ์•ก์…˜๊ณผ ์กฐ๊ฑด์„ ๋ช…์‹œํ•˜๋ฉด ํ•ด๋‹น ์กฐ๊ฑด์ด ํŠธ๋ฆฌ๊ฑฐ๋  ๋•Œ ์˜๋„ํ•œ ์•ก์…˜(๋นŒ๋“œ/๋ฐฐํฌ/ํ…Œ์ŠคํŒ… ๋“ฑ๋“ฑ)์ด ์ˆ˜ํ–‰๋ฉ๋‹ˆ๋‹ค.

ZAP workflow for CI/CD DAST Scanning

ZAP, the representative of DAST, is also adding and managing github action. Typically, it is divided into baseline scan and fullscan.

DAST์˜ ๋Œ€ํ‘œ์ฃผ์ž์ธ ZAP์€ github action ๋˜ํ•œ ์ถ”๊ฐ€ํ•˜๊ณ  ๊ด€๋ฆฌ์ค‘์ž…๋‹ˆ๋‹ค. ๋Œ€ํ‘œ์ ์œผ๋กœ baseline scan๊ณผ fullscan์œผ๋กœ ๋‚˜๋‰˜์–ด์ ธ ์žˆ์Šต๋‹ˆ๋‹ค.

How? manually scanning

Github action is designed to work only under certain conditions, such as push, pull request, and cron. However, if using workflow_dispatch, can manual workflow triggers.

๊ธฐ๋ณธ์ ์œผ๋กœ github action์€ push, pull request ๋ฐ cron ๋“ฑ ํŠน์ • ์กฐ๊ฑด์—์„œ๋งŒ ๋™์ž‘ํ•˜๋„๋ก ์„ค๊ณ„๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค. ๊ทธ๋ ‡์ง€๋งŒ workflow_dispatch๋ผ๋Š”๊ฑธ ์ง€์›ํ•ด์ฃผ๋ฉด์„œ, ๋งค๋‰ด์–ผํ•œ workflow ํŠธ๋ฆฌ๊ฑฐ๋„ ๊ฐ€๋Šฅํ•ฉ๋‹ˆ๋‹ค.

https://www.hahwul.com/2020/10/18/how-to-trigger-github-action-manually

Test ZAP Manual Scanning in git-action

My testing git repository

Make workflow file

Workflow file(.github/workflow/zap-scan.yml)

name: ZAP-SCAN
on:
   schedule:
     - cron: '0 2 * * sun' #
   workflow_dispatch:
      inputs:
         target:
            description: 'target URL'     
            required: true
            default: ''

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the webapplication
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: main
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.4.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: "${{ github.event.inputs.target }}"
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
  • workflow_dispatch: for manually
  • workflow_dispatch/inputs: value and parameter
  • jobs/zap_scan: zap scanning

Run git-action with parameter

Your repo > Actions > Your action name > Run workflow > Input parameter and run workflow

Running..

Finish

When finished, the results are registered as an issue.

์™„๋ฃŒ๋˜๋ฉด ๊ฒฐ๊ณผ๋Š” issue๋กœ ๋“ฑ๋ก๋ฉ๋‹ˆ๋‹ค.

Referneces