Hi hackers and bugbounty hunters :D Today I'll talk about building a GitHub Actions-based ZAP scanning environment. As you know, there is no time limit for public repos, so you can set up a cloud-based vulnerability scanner for free.
I usually use ZAP running on my own server as the scanner for my personal work. However, once the ZAP scans pile up I can feel the server PC struggling badly, so I wanted to move the ZAP scanner to a cloud environment wherever possible. (I have actually been looking for ways to minimise this cost for about two years now, Heroku for instance…)
Anyway, I have recently been doing a lot of work around GitHub Actions, and it occurred to me that a vulnerability scanner job could be used not only for CI/CD DAST but simply as a manual scanner, so I am writing it up here.
What is GitHub Actions (workflow)?
GitHub Actions is the automation environment GitHub provides for CI/CD. It lets you automate, customize, and execute software development workflows right in your repository: you describe the actions to run and the conditions that trigger them in a workflow file, and when such a condition fires (push, schedule, and so on) the automated actions (build, deploy, test, etc.) are executed. You can discover, create, and share actions to perform any job you'd like, and combine them in a completely customized workflow.
ZAP workflow for CI/CD DAST Scanning
ZAP, the best-known DAST tool, also publishes and maintains GitHub Actions of its own. They are typically split into a baseline scan and a full scan.
How? Manual scanning
By default GitHub Actions is designed to run only on certain events, such as push, pull request, and cron schedules. However, since workflow_dispatch is supported, a workflow can also be triggered manually.
https://www.hahwul.com/2020/10/18/how-to-trigger-github-action-manually
Test ZAP manual scanning in GitHub Actions
My testing git repository
Make workflow file
Workflow file (.github/workflows/zap-scan.yml)
- workflow_dispatch: enables the manual trigger
- workflow_dispatch/inputs: the values and parameters supplied when the workflow is run
- jobs/zap_scan: the job that runs the ZAP scan
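A complete workflow for the setup described above, written as an added example rather than the post's own repository file: the target URL and scan type arrive as workflow_dispatch inputs, the job runs under a least-privilege token that can only read the repo and write issues, and the ZAP action files the report as an issue. The action names and input keys (target, token, cmd_options, issue_title, fail_action) are those of the public zaproxy actions; the version tags are an assumption, pin whichever release you use.

```yaml
# Added example: .github/workflows/zap-scan.yml (not the post's own file).
# Assumes the public zaproxy/action-baseline and zaproxy/action-full-scan actions.
name: ZAP manual scan

on:
  workflow_dispatch:            # manual trigger: shows "Run workflow" in the Actions tab
    inputs:
      target:
        description: "Target URL to scan"
        required: true
      scan_type:
        description: "baseline (passive, fast) or full (active, slow)"
        required: true
        default: baseline
        type: choice
        options: [baseline, full]
      cmd_options:
        description: "Extra ZAP command-line options"
        required: false
        default: "-a"

# Least privilege: the job token only needs to read code and write issues.
permissions:
  contents: read
  issues: write

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Baseline scan
        if: ${{ github.event.inputs.scan_type == 'baseline' }}
        uses: zaproxy/action-baseline@v0.10.0       # assumed tag; pin your own
        with:
          target: ${{ github.event.inputs.target }}
          token: ${{ secrets.GITHUB_TOKEN }}        # lets the action file the report as an issue
          cmd_options: ${{ github.event.inputs.cmd_options }}
          issue_title: "ZAP baseline: ${{ github.event.inputs.target }}"
          fail_action: false                        # report only, never fail the run

      - name: Full scan
        if: ${{ github.event.inputs.scan_type == 'full' }}
        uses: zaproxy/action-full-scan@v0.10.0      # assumed tag; pin your own
        with:
          target: ${{ github.event.inputs.target }}
          token: ${{ secrets.GITHUB_TOKEN }}
          cmd_options: ${{ github.event.inputs.cmd_options }}
          issue_title: "ZAP full scan: ${{ github.event.inputs.target }}"
          fail_action: false
```

Because the issue is written by the action itself, a repository that disables issues will still finish the run but silently drop the report; check that issues are enabled before relying on this.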
Run the action with parameters
Your repo > Actions > Your action name > Run workflow > Enter the input parameters and run the workflow
Running..
Finish
When the run finishes, the results are registered as an issue in the repository.