bcgov/TheOrgBook

Integrate ZAP Scanning

Closed this issue · 4 comments

Integrate ZAP Scanning, starting with baseline scans.

  • Integrate the report into SonarQube, separate from the code scanning results.
  • Add badges to the main ReadMe

ToDo:

  • Integrate the ZAP and Sonar scans into a clean pipeline consisting of:
    • ZAP scan to generate the report.
    • Sonar scan to register the results with SonarQube.
  • Document the process.

The zap-sonar-plugin project allows you to integrate the results of ZAP scans into SonarQube.

The latest version of the plug-in requires the latest LTS version, 6.7.5, of SonarQube. It is not compatible with version 7.x yet (there is a ticket in for support).

Trial run:

  • Upgraded SonarQube to 6.7.5.
  • Installed the sonar-zap-plugin-1.1.2
  • Captured the XML report from a ZAP scan of TOB.
  • Ran a manual CLI Sonar scan on a directory containing just the report.
    • C:\tmp\Zap Test>..\..\sonar-scanner-3.2.0.1227-windows\bin\sonar-scanner.bat -Dsonar.projectName=TheOrgBook-Zap -Dsonar.projectKey=TheOrgBook-Zap -Dsonar.sources=. -Dsonar.host.url=https://sonarqube-devex-von-tools.pathfinder.gov.bc.ca -Dsonar.zaproxy.reportPath="c:\tmp\Zap Test\zap-report.xml"
  • Results can be found here: https://sonarqube-devex-von-tools.pathfinder.gov.bc.ca/dashboard?id=TheOrgBook-Zap

The process requires a ZAP scan to be run to generate an XML-formatted ZAP report, and then a SonarQube scan to be run with sonar.zaproxy.reportPath set to the location of the report.
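The two-stage process just described, written out as a pipeline step. This is an added example, not code from TheOrgBook or the BCDevOps sonarqube docs: the ZAP Docker image, the zap-baseline.py -t/-x flags, the /zap/wrk mount, the report file name and the placeholder URLs are assumptions, while the sonar-scanner properties are the ones quoted in the trial run above. It also checks that the report exists and is actually a ZAP report before anything is registered with SonarQube, since an empty sonar.zaproxy.reportPath target would otherwise quietly produce a clean-looking dashboard.

```shell
#!/bin/sh
# Added example, not code from TheOrgBook or the BCDevOps sonarqube docs. Assumed:
# the zap2docker image, the zap-baseline.py -t/-x flags, the /zap/wrk mount and
# the placeholder URLs. The sonar-scanner properties are the ones from the issue.
set -eu
TARGET_URL="${TARGET_URL:-https://tob-web-dev.example.invalid}"      # placeholder DEV URL
SONAR_HOST_URL="${SONAR_HOST_URL:-https://sonarqube.example.invalid}" # placeholder
REPORT_DIR="${REPORT_DIR:-$PWD/zap-report}"
REPORT_XML="zap-report.xml"

# Stage 1: passive baseline scan. -x writes the full XML report the Sonar plug-in reads.
# zap-baseline.py exits non-zero when it records warnings, so don't let that abort the run.
run_zap_baseline() {
    mkdir -p "$REPORT_DIR"
    docker run --rm -v "$REPORT_DIR:/zap/wrk:rw" owasp/zap2docker-stable \
        zap-baseline.py -t "$TARGET_URL" -x "$REPORT_XML" || true
}
# Refuse to publish a missing or non-ZAP file; Sonar would otherwise record an empty result.
check_report() {
    [ -s "$1" ] || { echo "ZAP report missing or empty: $1" >&2; return 1; }
    grep -q '<OWASPZAPReport' "$1" || { echo "not a ZAP XML report: $1" >&2; return 1; }
}
# Count alert items at one ZAP riskcode (3 High, 2 Medium, 1 Low, 0 Informational).
# ZAP writes one <riskcode> element per alertitem, each on its own line.
count_alerts_by_risk() {
    grep -c "<riskcode>$2</riskcode>" "$1" || true
}
# Stage 2: register the report with SonarQube as its own project, apart from the code scan.
publish_to_sonar() {
    sonar-scanner -Dsonar.projectName=TheOrgBook-Zap -Dsonar.projectKey=TheOrgBook-Zap \
        -Dsonar.sources="$REPORT_DIR" -Dsonar.host.url="$SONAR_HOST_URL" \
        -Dsonar.zaproxy.reportPath="$REPORT_DIR/$REPORT_XML"
}
# Constructed two-alert report in the ZAP XML shape, for exercising the checks offline.
write_sample_report() {
    printf '%s\n' '<?xml version="1.0"?>' '<OWASPZAPReport version="2.7.0" generated="constructed">' \
        '<site name="https://tob-web-dev.example.invalid"><alerts>' \
        '<alertitem><pluginid>10021</pluginid><name>X-Content-Type-Options Header Missing</name>' \
        '<riskcode>1</riskcode><confidence>2</confidence></alertitem>' \
        '<alertitem><pluginid>40012</pluginid><name>Cross Site Scripting (Reflected)</name>' \
        '<riskcode>3</riskcode><confidence>2</confidence></alertitem>' \
        '</alerts></site></OWASPZAPReport>' > "$1"
}
if [ "${1:-}" = "run" ]; then
    run_zap_baseline
    check_report "$REPORT_DIR/$REPORT_XML"
    echo "High: $(count_alerts_by_risk "$REPORT_DIR/$REPORT_XML" 3)"
    publish_to_sonar
fi
```

Invoke it as `sh zap-to-sonar.sh run` from the pipeline; without the `run` argument it only defines the functions, which is what lets the report checks be exercised offline against the constructed report.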

ZAP baseline scanning is now wired into the build pipeline for tob-web.
When tob-web builds and deploys, the pipeline waits for the deployment to DEV to complete and then triggers a ZAP scan on it.
The ZAP Scan is implemented as a separate pipeline which performs the scan and publishes the results to SonarQube.
There are quality badges for the ZAP scan integrated in the ReadMe file which link to the live reports in SonarQube.

Documentation can be found here: https://github.com/BCDevOps/sonarqube