Create a pipeline to DAST scan the application
- I have the web application running and I need to perform a DAST scan.
- An open-source tool that can perform a DAST scan is OWASP ZAP.
- Installing OWASP ZAP on Linux
- Download the Linux package: Refer Here
- Ubuntu:
sudo apt install owasp-zap
Refer Here for package-manager-based installation.
- Refer Here for the OWASP ZAP command line
- Below are the Jenkins screenshots


- Now build the project and view the HTML report


SAST, SCA, Secrets SCAN
- Let's check that the source code does not contain secrets.
- For this, let's use trufflehog: Refer Here
- Downloading the latest version onto the Linux instance: Refer Here
- We use trufflehog when the organization's code repository does not provide its own secret scanning.
- Usage:
trufflehog git --help
trufflehog github --help
- For SCA (dependency scanning) of Python applications we can use safety: Refer Here


- For a SAST scan of Python code we can use bandit: Refer Here


- For scanning Docker images there are a lot of third-party tools, such as:
- sysdig: Refer Here
- Anchore: Refer Here
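The following declarative Jenkinsfile is an added example (not from the original notes) that wires the secrets, SCA, SAST and DAST steps above into one pipeline. It assumes trufflehog, safety, bandit and zap.sh are installed on the agent and on PATH, that the HTML Publisher plugin is installed, and that the application under test is reachable at the placeholder TARGET_URL; stage names and report file names are assumptions.

```groovy
// Added example Jenkinsfile (not from the original notes). Assumptions: the tools
// are on PATH on the agent, the HTML Publisher plugin is installed, and the app
// under test is reachable at TARGET_URL (placeholder value).
pipeline {
    agent any
    environment {
        TARGET_URL = 'http://localhost:8080'   // placeholder: the running app under test
    }
    stages {
        stage('Secrets scan (trufflehog)') {
            steps {
                // --fail makes trufflehog exit non-zero when a secret is found,
                // so a leaked credential stops the pipeline before anything is built
                sh 'trufflehog git file://. --fail'
            }
        }
        stage('SCA (safety)') {
            steps {
                // '|| true' keeps the build going so the report is still published;
                // drop it to fail the build on vulnerable dependencies
                sh 'safety check -r requirements.txt --output json > safety-report.json || true'
            }
        }
        stage('SAST (bandit)') {
            steps {
                // -ll reports only medium- and high-severity findings
                sh 'bandit -r . -ll -f html -o bandit-report.html || true'
            }
        }
        stage('DAST (OWASP ZAP)') {
            steps {
                // -cmd runs ZAP headless; -quickurl spiders and active-scans the URL;
                // -quickout needs an absolute path and the .html extension picks the format
                sh 'zap.sh -cmd -quickurl "$TARGET_URL" -quickout "$WORKSPACE/zap-report.html" -quickprogress'
            }
        }
    }
    post {
        always {
            // keep every report with the build and expose the HTML ones in the Jenkins UI
            archiveArtifacts artifacts: '*-report.*', allowEmptyArchive: true
            publishHTML(target: [allowMissing: true, alwaysLinkToLastBuild: true, keepAll: true,
                                 reportDir: '.', reportFiles: 'zap-report.html,bandit-report.html',
                                 reportName: 'Security Reports'])
        }
    }
}
```

Only run the DAST stage against an application you own or are authorized to test; the active scan sends attack-style requests to the target.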
