
Make cloud base ZAP Scanning Environment Using github-action

Hi hackers and bug bounty hunters :D Today I'll talk about building a GitHub Actions based ZAP scanning environment. As you know, there is no time limit for public repos, so you can set up a cloud-based vulnerability scanner for free 😉

For personal work I usually use ZAP on my home server as a scanner. However, when the ZAP scan volume grows, the server PC struggles quite a bit, so I had been trying to move ZAP scanning into a cloud environment where possible. (I've been looking for ways to minimize the cost of this for two years already; Heroku, for example...)

Anyway, I've been doing a lot of work with GitHub Actions recently, and while looking at it, it seemed that vulnerability scanning there could be used not only for CI/CD DAST but also as a simple manual scanner, so I'm writing it up.

What is Github Actions(workflow)

GitHub Actions lets you automate, customize, and execute software development workflows right in your repository. You can discover, create, and share actions to perform any job you'd like, including CI/CD, and combine actions in a completely customized workflow.

GitHub Actions is an automation environment for CI/CD provided by GitHub. You declare the actions to run and the conditions for running them in a workflow file; when one of those conditions is triggered, the intended actions (build, deploy, testing, and so on) are executed.

ZAP workflow for CI/CD DAST Scanning

ZAP, the leading DAST tool, also publishes and maintains its own GitHub Actions. They are mainly divided into a baseline scan and a full scan.

How? Manual scanning

By default, GitHub Actions workflows are designed to run only under certain conditions, such as push, pull request, and cron schedules. However, GitHub also supports workflow_dispatch, which allows a workflow to be triggered manually.

https://www.hahwul.com/2020/10/18/how-to-trigger-github-action-manually

Test ZAP manual scanning in GitHub Actions

My testing git repository

Make workflow file

Workflow file (.github/workflows/zap-scan.yml)

name: ZAP-SCAN
on:
  schedule:
    - cron: '0 2 * * sun'   # scheduled run every Sunday at 02:00 UTC
  workflow_dispatch:        # allows the workflow to be started manually
    inputs:
      target:
        description: 'target URL'
        required: true
        default: ''

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: main
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.4.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          # only set on workflow_dispatch runs; on the cron trigger this input is empty
          target: "${{ github.event.inputs.target }}"
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

  • workflow_dispatch: enables manual triggering of the workflow
  • workflow_dispatch/inputs: the parameters (here the target URL) entered when triggering
  • jobs/zap_scan: the ZAP scanning job
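The target input above is handed to ZAP exactly as typed, so a manual run can be pointed at any URL. The following shell step, an added example that is not part of the original post, validates the input before the ZAP step runs; the allowlisted hosts are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): validate the workflow_dispatch
# "target" input before the ZAP step runs. Meant for a `run:` step placed
# before "ZAP Scan". The allowlist below is a constructed, hypothetical sample.

# Hosts this scanner is allowed to point at (constructed sample values).
ALLOWED_HOSTS="example.com staging.example.com"

# check_target URL -> returns 0 if the URL uses http(s) and its host is in
# ALLOWED_HOSTS, otherwise prints the reason to stderr and returns 1.
check_target() {
  url="$1"
  case "$url" in
    http://*|https://*) ;;
    *) echo "rejected: scheme must be http or https: $url" >&2; return 1 ;;
  esac
  # Strip the scheme, then everything from the first '/', '?' or '#' onward.
  hostport="${url#*://}"
  hostport="${hostport%%[/?#]*}"
  # Drop any userinfo (user:pass@) and the port, then lower-case the host.
  host="${hostport##*@}"
  host="${host%%:*}"
  host="$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')"
  [ -n "$host" ] || { echo "rejected: empty host: $url" >&2; return 1; }
  for allowed in $ALLOWED_HOSTS; do
    if [ "$host" = "$allowed" ]; then
      echo "ok: $host"
      return 0
    fi
  done
  echo "rejected: host not in allowlist: $host" >&2
  return 1
}

# In the workflow step this would be called as:
#   check_target "${{ github.event.inputs.target }}"
```

Because a `run:` step fails on a non-zero exit, a rejected target stops the job before ZAP is started.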

Run the workflow with a parameter

Your repo > Actions > Your workflow name > Run workflow > Enter the parameter and run the workflow

Running..

Finish

When the scan finishes, the results are registered as an issue in the repository.

References