Docker build file creating an image of a box containing web application security scanners.
The final goal is to use the Docker image to integrate web application security scanners into a Continuous Integration Platform (CIP).
Free and open-source scanners packaged with Docker are used to add a first level of (surface) security validation to projects that don't have the budget for a commercial suite.
Sources:
- Personal experience on web application development projects,
- Source n°1,
- Source n°2.
An automated build has been defined on the Docker forge to build the image and push it to the Docker Hub repository.
You must install Docker on your target system (for example on the CIP host).
Web application scanners have been chosen according to their capabilities and the possibility of using them entirely from a single command line.
All scanners are installed under the parent folder /usr/local.
docker run --rm=true -i -t righettod/webappsecscanbox /bin/bash
In the commands below, the host path /tmp/work (on the CIP host) is mounted at /tmp/scanner/work/xxx inside the container (where xxx is the scanner name), so that the reports the scanner writes under that path end up on host storage.
docker run --rm=true -v /tmp/work:/tmp/scanner/work/arachni -t righettod/webappsecscanbox /usr/local/arachni/bin/arachni [OPTIONS] http://myapp --report-save-path=/tmp/scanner/work/arachni/report.afr
docker run --rm=true -v /tmp/work:/tmp/scanner/work/wapiti -t righettod/webappsecscanbox python2.7 /usr/local/wapiti/bin/wapiti http://myapp [OPTIONS] --output /tmp/scanner/work/wapiti
docker run --rm=true -v /tmp/work:/tmp/scanner/work/skipfish -t righettod/webappsecscanbox /usr/local/skipfish/skipfish [OPTIONS] -o /tmp/scanner/work/skipfish http://myapp
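As an added example (not part of the original project), a small POSIX sh wrapper for a CI step that runs one of the three scanners with the mount described above and fails the job when the container exits non-zero or leaves no report on the host. The variables IMAGE, DOCKER and REPORT_ROOT and the function names are assumptions; the in-container command lines follow the page's examples.

```shell
#!/bin/sh
# CI wrapper (hypothetical, not from the project): run one scanner from the image against
# a target URL and fail the job unless the scan succeeded and left a report on the host.
set -u
IMAGE="${IMAGE:-righettod/webappsecscanbox}"
DOCKER="${DOCKER:-docker}"                # assumption: overridable, e.g. with a stub for tests
REPORT_ROOT="${REPORT_ROOT:-/tmp/work}"   # host-side directory that receives the reports

# Command line executed inside the container; the report destination is the
# container-side mount point /tmp/scanner/work/<scanner>, as in the page's examples.
scanner_cmd() {
  scanner="$1"; target="$2"; dest="/tmp/scanner/work/$scanner"
  case "$scanner" in
    arachni)  echo "/usr/local/arachni/bin/arachni $target --report-save-path=$dest/report.afr" ;;
    wapiti)   echo "python2.7 /usr/local/wapiti/bin/wapiti $target --output $dest" ;;
    skipfish) echo "/usr/local/skipfish/skipfish -o $dest $target" ;;
    *)        return 1 ;;
  esac
}

# Mount $REPORT_ROOT/<scanner> (host) at /tmp/scanner/work/<scanner> (container), run the
# scan, and return non-zero when the container fails or no report file appears on the host.
run_scan() {
  scanner="$1"; target="$2"; host_dir="$REPORT_ROOT/$scanner"
  cmd=$(scanner_cmd "$scanner" "$target") || { echo "unknown scanner: $scanner" >&2; return 2; }
  mkdir -p "$host_dir"
  rc=0
  # $cmd is intentionally unquoted so that it is split into the scanner's arguments
  "$DOCKER" run --rm=true -v "$host_dir:/tmp/scanner/work/$scanner" -t "$IMAGE" $cmd || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "$scanner exited with status $rc" >&2; return "$rc"
  fi
  if [ -z "$(ls -A "$host_dir")" ]; then
    echo "$scanner produced no report in $host_dir" >&2; return 3
  fi
  echo "$scanner report(s) saved in $host_dir"
}

# Usage in a CI step, e.g.: run_scan arachni http://myapp
```

Because the function's exit status is the scan verdict, a CI job that calls it fails automatically when a scanner does not complete or does not write its report.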