Security Testing with ZAP and GitHub Actions

Dynamic Application Security Testing (DAST) with OWASP Zap Scanner

PREREQUISITE

• GitHub Account
• Sample Website (https://techconnectweb.azurewebsites.net/). This Demo only for Education Purpose. Try at your own risk.

For this demo, I decided to use OWASP ZAP Full Scan.
You can find this at GitHub Marketplace.

Let Start the Demo

1. Go to Actions tab at your GitHub Repo.
2. Select set up a workflow yourself ->
3. Go to Marketplace, search for OWASP and Select OWASP ZAP Full Scan, and you will see the sample workflow snippet.
4. Modify the workflow snippet as below and replace with sample website URL. After modified, select Start commit.

name: zapfull-security-scan
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:     
    - name: OWASP ZAP Full Scan
      uses: zaproxy/action-full-scan@v0.1.0
      with:
        target: "https://techconnectweb.azurewebsites.net/"

5.Go back to Actions tab, you will see the workflow In progress.

6.Select the build. The workflow in progress setup and scanning.

7.After complete scanning through OWASP ZAP, the report will generated in Issues tab.

8.For more details for OWASP ZAP Full Scan report, you can go back to the Actions tab, select the Artifacts zap_scan. After downloaded, you will see the OWASP Report as below.

References:
https://www.zaproxy.org/blog/2020-05-15-dynamic-application-security-testing-with-zap-and-github-actions/