scanners/zap-advanced/examples/demo-bodgeit-scan-authenticated/scan.yaml from secureCodeBox/secureCodeBox

scanners/zap-advanced/examples/demo-bodgeit-scan-authenticated/scan.yaml
Summary

Maintainability

Test Coverage

Issues
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: zap-advanced-scan-config
data:
  2-zap-advanced-scan.yaml: |-

    # ZAP Contexts Configuration 
    contexts:
      # Name to be used to refer to this context in other jobs, mandatory
      - name: scb-bodgeit-context
        # The top level url, mandatory, everything under this will be included
        url: http://bodgeit.default.svc:8080/bodgeit/
        # An optional list of regexes to include
        includePaths:
          - "http://bodgeit.default.svc:8080/bodgeit.*"
        # An optional list of regexes to exclude
        excludePaths:
          - "http://bodgeit.default.svc:8080/bodgeit/logout.jsp"
          - ".*\\.js"
          - ".*\\.css"
          - ".*\\.png"
          - ".*\\.jpeg"
        # Auth Credentials for the scanner to access the application
        # Can be either basicAuth or a oidc token.
        # If both are set, the oidc token takes precedent
        authentication:
          # Currently supports "basic-auth", "form-based", "json-based", "script-based"
          type: "form-based"
          # basic-auth requires no further configuration
          form-based:
            loginUrl: "http://bodgeit.default.svc:8080/bodgeit/login.jsp"
            # must be escaped already to prevent yaml parser colidations 'username={%username%}&password={%password%}''
            loginRequestData: "username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D"
          # Indicates if the current Zap User Session is based on a valid authentication (loggedIn) or not (loggedOut)
          verification:
            isLoggedInIndicator: '\Q<a href="password.jsp">\E'
            isLoggedOutIndicator: '\QGuest user\E'
        users:
          - name: bodgeit-user-1
            username: test@thebodgeitstore.com
            password: password
            forced: true
        session:
          # Currently supports "scriptBasedSessionManagement", "cookieBasedSessionManagement", "httpAuthSessionManagement"
          type: "cookieBasedSessionManagement"

    # ZAP Spiders Configuration 
    spiders:
      - name: scb-bodgeit-spider
        # String: Name of the context to spider, default: first context
        context: scb-bodgeit-context
        # String: Name of the user to authenticate with and used to spider
        user: bodgeit-user-1
        # String: Url to start spidering from, default: first context URL
        url: http://bodgeit.default.svc:8080/bodgeit/
        # Int: Fail if spider finds less than the specified number of URLs, default: 0
        failIfFoundUrlsLessThan: 0
        # Int: Warn if spider finds less than the specified number of URLs, default: 0
        warnIfFoundUrlsLessThan: 0
        # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
        maxDuration: 3
        # Int: The maximum tree depth to explore, default 5
        maxDepth: 5
        # Int: The maximum number of children to add to each node in the tree                     
        maxChildren: 10
        # String: The user agent to use in requests, default: '' - use the default ZAP one               
        userAgent: "secureCodeBox / ZAP Spider"

    # ZAP ActiveScans Configuration 
    scanners:
      - name: scb-bodgeit-scan
        # String: Name of the context to attack, default: first context
        context: scb-bodgeit-context
        # String: Name of the user to authenticate with and used to spider
        user: bodgeit-user-1
        # String: Url to start scaning from, default: first context URL
        url: http://bodgeit.default.svc:8080/bodgeit/
        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
        maxRuleDurationInMins: 3
        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited          
        maxScanDurationInMins: 10
        # Int: The max number of threads per host, default: 2
        threadPerHost: 2
        # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
        delayInMs: 0
        # Bool: If set will add an extra query parameter to requests that do not have one, default: false
        addQueryParam: false
        # Bool: If set then automatically handle anti CSRF tokens, default: false
        handleAntiCSRFTokens: false
        # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false           
        injectPluginIdInHeader: false
        # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
        scanHeadersAllRequests: false
---
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "zap-authenticated-full-scan-bodgeit"
spec:
  scanType: "zap-advanced-scan"
  parameters:
    # target URL including the protocol
    - "-t"
    - "http://bodgeit.default.svc:8080/bodgeit/"
  volumeMounts:
    - name: zap-advanced-scan-config
      mountPath: /home/securecodebox/configs/2-zap-advanced-scan.yaml
      subPath: 2-zap-advanced-scan.yaml
      readOnly: true
  volumes:
    - name: zap-advanced-scan-config
      configMap:
        name: zap-advanced-scan-config