DevOps Classroomnotes 24/Apr/2022

Create a pipeline to DAST scan the application

  • I have the web application running and I need to perform a DAST scan.
  • An open-source tool that can perform a DAST scan is OWASP ZAP.
  • Installing OWASP ZAP on Linux
    • Download the Linux package: Refer Here
    • Ubuntu: sudo apt install owasp-zap
    • Refer Here for the package-manager-based installation.
  • Refer Here for the OWASP ZAP command line.
  • Below are the Jenkins screenshots
    [Jenkins job configuration screenshots]
  • Now build the project and view the HTML report
    [HTML report screenshots]

SAST, SCA, Secrets Scan

  • Let's check that the source code does not contain secrets.
    • For this let's use trufflehog: Refer Here
    • Downloading the latest version onto the Linux instance: Refer Here
    • We use trufflehog when the organization's code repository does not provide its own secret scanning.
    • Use trufflehog git --help and trufflehog github --help to see the options for scanning a git repository and a GitHub organization or repository.
  • For SCA (dependency scanning) of Python applications we can use safety: Refer Here
    [safety screenshots]
  • For a SAST scan on Python code we can use bandit: Refer Here
    [bandit screenshots]
  • For scanning Docker images there are a lot of third-party tools, like
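As an added example (not from the original notes, and not taken from any of the tools' own documentation), here is one declarative Jenkinsfile that wires the tools from both sections above into a single pipeline: trufflehog for the secrets scan, safety for SCA, bandit for SAST, and then the OWASP ZAP headless quick scan against the deployed application, with the HTML reports archived and published. Everything about the target project is assumed, since the page does not describe it: a Python application with a requirements.txt, a start-app.sh script that starts it on http://localhost:8080, ZAP installed under /opt/zaproxy, and the Jenkins HTML Publisher plugin being available for the publishHTML step.

```groovy
// Added example Jenkinsfile, not the notes' own job configuration.
// Assumptions (not on the page): Python project with requirements.txt, ./start-app.sh
// starts the app on http://localhost:8080, ZAP lives in /opt/zaproxy, HTML Publisher plugin installed.
pipeline {
    agent any

    environment {
        TARGET_URL = 'http://localhost:8080'     // assumed URL of the running application
        ZAP_HOME   = '/opt/zaproxy'              // assumed OWASP ZAP install directory
        REPORT_DIR = "${env.WORKSPACE}/reports"  // all scanner output is collected here
    }

    stages {
        stage('Prepare') {
            steps {
                sh 'mkdir -p "$REPORT_DIR"'
            }
        }

        stage('Secrets scan (trufflehog)') {
            steps {
                // Scan the full git history of the checked-out repository.
                // --only-verified keeps noise down; --fail returns a non-zero exit code on findings,
                // which fails this stage and stops the pipeline before anything is deployed.
                sh '''
                  trufflehog git "file://$WORKSPACE" --only-verified --fail --json \
                    > "$REPORT_DIR/trufflehog.json"
                '''
            }
        }

        stage('SCA (safety)') {
            steps {
                // Check declared dependencies against the safety vulnerability database.
                sh '''
                  python3 -m pip install --quiet safety
                  safety check -r requirements.txt --json > "$REPORT_DIR/safety.json"
                '''
            }
        }

        stage('SAST (bandit)') {
            steps {
                // -ll reports only medium and high severity; bandit exits 1 when issues are found.
                sh '''
                  python3 -m pip install --quiet bandit
                  bandit -r . -ll -f html -o "$REPORT_DIR/bandit.html"
                '''
            }
        }

        stage('Deploy to test') {
            steps {
                // JENKINS_NODE_COOKIE=dontKillMe keeps Jenkins' process tree killer from
                // stopping the background server when this sh step finishes.
                sh 'JENKINS_NODE_COOKIE=dontKillMe nohup ./start-app.sh > app.log 2>&1 &'
                // Wait until the application answers before pointing the scanner at it.
                sh 'for i in $(seq 1 30); do curl -fs "$TARGET_URL" >/dev/null && break; sleep 2; done'
            }
        }

        stage('DAST (OWASP ZAP)') {
            steps {
                // Headless quick scan (spider + active scan) from the ZAP command line,
                // writing the HTML report the notes open after the build.
                sh '''
                  "$ZAP_HOME/zap.sh" -cmd -quickurl "$TARGET_URL" \
                    -quickout "$REPORT_DIR/zap-report.html" -quickprogress
                '''
            }
        }
    }

    post {
        always {
            archiveArtifacts artifacts: 'reports/**', allowEmptyArchive: true
            publishHTML(target: [
                reportDir: 'reports',
                reportFiles: 'zap-report.html,bandit.html',
                reportName: 'Security scan reports',
                keepAll: true,
                alwaysLinkToLastBuild: true,
                allowMissing: true
            ])
        }
    }
}
```

Each of the scanners exits non-zero when it finds something, so a finding fails its stage and the later stages do not run; that is the gate a pipeline like this is meant to provide. While a team is still triaging an existing backlog of findings, the same steps can be wrapped in catchError or run with returnStatus: true so the reports are still produced without blocking every build.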
