GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → simplyzee → kube-owasp-zap

simplyzee / kube-owasp-zap

Licence: Apache-2.0 License
Owasp Zap chart for Kubernetes

Programming Languages

Mustache
554 projects

Labels

kuberneteszapowasp

Projects that are alternatives of or similar to kube-owasp-zap

Zaproxy
The OWASP ZAP core project
Stars: ✭ 9,078 (+23789.47%)
Mutual labels:  zap, owasp
zap-sonar-plugin
Integrates OWASP Zed Attack Proxy reports into SonarQube
Stars: ✭ 66 (+73.68%)
Mutual labels:  zap, owasp
www-project-zap
OWASP Zed Attack Proxy project landing page.
Stars: ✭ 52 (+36.84%)
Mutual labels:  zap, owasp
training-application-security
This repository for training application security.
Stars: ✭ 25 (-34.21%)
Mutual labels:  owasp
dependency-check-plugin
Jenkins plugin for OWASP Dependency-Check. Inspects project components for known vulnerabilities (e.g. CVEs).
Stars: ✭ 107 (+181.58%)
Mutual labels:  owasp
cyclonedx-php-composer
Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
Stars: ✭ 20 (-47.37%)
Mutual labels:  owasp
cyclonedx-maven-plugin
Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
Stars: ✭ 103 (+171.05%)
Mutual labels:  owasp
webdriverio-zap-proxy
Demo - how to easily build security testing for Web App, using Zap and Glue
Stars: ✭ 58 (+52.63%)
Mutual labels:  owasp
CIS-Ubuntu-20.04-Ansible
Ansible Role to Automate CIS v1.1.0 Ubuntu Linux 18.04 LTS, 20.04 LTS Remediation
Stars: ✭ 150 (+294.74%)
Mutual labels:  owasp
go2sky-plugins
The plugins of go2sky
Stars: ✭ 46 (+21.05%)
Mutual labels:  zap
cwe-sdk-javascript
A Common Weakness Enumeration (CWE) Node.js SDK compliant with MITRE / CAPEC
Stars: ✭ 18 (-52.63%)
Mutual labels:  owasp
OWASP-Calculator
🧮 An online calculator to assess the risk of web vulnerabilities based on OWASP Risk Assessment
Stars: ✭ 109 (+186.84%)
Mutual labels:  owasp
ftw
Framework for Testing WAFs (FTW!)
Stars: ✭ 106 (+178.95%)
Mutual labels:  owasp
aks-baseline-regulated
This is the Azure Kubernetes Service (AKS) baseline cluster for regulated workloads reference implementation as produced by the Microsoft Azure Architecture Center.
Stars: ✭ 73 (+92.11%)
Mutual labels:  owasp
containers-security-project
A place for documenting threats and mitigations related to containers orchestrators (Kubernetes, Swarm etc)
Stars: ✭ 25 (-34.21%)
Mutual labels:  owasp
www-project-vulnerable-web-applications-directory
The OWASP Vulnerable Web Applications Directory (VWAD) Project - OWASP Web Site
Stars: ✭ 10 (-73.68%)
Mutual labels:  owasp
cyclonedx-python
Creates CycloneDX Software Bill of Materials (SBOM) from Python projects and environments.
Stars: ✭ 78 (+105.26%)
Mutual labels:  owasp
owasp-zap-jwt-addon
OWASP ZAP addon for finding vulnerabilities in JWT Implementations
Stars: ✭ 23 (-39.47%)
Mutual labels:  owasp
Software-Component-Verification-Standard
Software Component Verification Standard (SCVS)
Stars: ✭ 82 (+115.79%)
Mutual labels:  owasp
vapi
vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
Stars: ✭ 674 (+1673.68%)
Mutual labels:  owasp
View All Similar Projects ➔

kube-owasp-zap

Introduction

kube-owasp-zap is an owasp-zap solution for Kubernetes. It allows you to perform a vulnerability analysis on a host using Kubernetes as the platform. It creates a Job that deploys a pod that will scan the host for any vulnerabilities.

Setup

The following shows how to perform an owasp-zap scan using Kubernetes. There are two ways to deploy. Either use this Github project (Option A) or use a Helm repository (Option B) which is a little easier.

This project runs the owasp-zap tool as a Kubernetes job. Each job needs to have a unique name. That's why the name is uniquified using a timestamp.

Kubernetes jobs are not automatically reaped so that you can still see their logs when they are complete. It this case, that is good because the result of the owasp-zap scan are in the logs.

Prequisite

  • Create a namespace.
kubectl apply -f -<<EOF
apiVersion: v1
kind: Namespace
metadata:
    name: owasp-zap
    labels:
        name: owasp-zap
EOF
  • Assign the URL to scan. Since ibm.com is used, the spidering and recursive scanning has been turned off.
export URL_TO_SCAN="http://nodegoat.herokuapp.com"

Option A - Deploy With GibHub Project

  • Deploy the kube-owasp-zap chart with the values set for type of scan and target host.
> helm install "vuln-scan-$(date '+%Y-%m-%d-%H-%M-%S')-job" ./kube-owasp-zap \
    --namespace owasp-zap \
    --set zapcli.debug.enabled=true \
    --set zapcli.spider.enabled=false \
    --set zapcli.recursive.enabled=false \
    --set zapcli.targetHost=$URL_TO_SCAN

Option B - Using Using Helm

  • Add the Helm repository. Then install the chart.
> helm repo add simplyzee https://charts.simplyzee.dev

> helm install "vuln-scan-$(date '+%Y-%m-%d-%H-%M-%S')-job" implyzee/kube-owasp-zap \
    --namespace owasp-zap \
    --set zapcli.debug.enabled=true \
    --set zapcli.spider.enabled=false \
    --set zapcli.recursive.enabled=false \
    --set zapcli.targetHost=$URL_TO_SCAN

This will deploy a Job that will deploy a pod on the Kubernetes platform that will perform the vulnerability scan.

Example of Job Output

  • Use the following command to view the list of jobs. Since the job names have a timestamp, we can use sort to force newer jobs to the end of the list.
> kubectl get jobs --namespace owasp-zap | grep -v "COMPLETIONS" | sort
vuln-scan-2020-03-20-11-10-17-job-kube-owasp-zap   1/1           22s        6m53s
vuln-scan-2020-03-20-10-46-14-job-kube-owasp-zap   1/1           33s        30m
  • Use the following command to view the logs of a job.
> kubectl logs jobs/vuln-scan-2020-03-20-11-10-17-job-kube-owasp-zap --namespace owasp-zap
[INFO]            Starting ZAP daemon
[DEBUG]           Starting ZAP process with command: /zap/zap.sh -daemon -port 8080 -config api.disablekey=true.
[DEBUG]           Logging to /zap/zap.log
[DEBUG]           ZAP started successfully.
[INFO]            Running a quick scan for http://nodegoat.herokuapp.com
[DEBUG]           Disabling all current scanners
[DEBUG]           Enabling scanners with IDs 40012,40014,40016,40017,40018
[DEBUG]           Scanning target https://www.ibm.com...
[DEBUG]           Started scan with ID 0...
[DEBUG]           Scan progress %: 0
[DEBUG]           Scan #0 completed
[INFO]            Issues found: 0
[INFO]            Shutting down ZAP daemon
[DEBUG]           Shutting down ZAP.
[DEBUG]           ZAP shutdown successfully.

Roadmap

Still a lot of work around platform improvements with Kubernetes but it utilises the Kubernetes platform well to scan sites from a vulnerability analysis perspective.

Ideas to implement:

  • Easier way of viewing scanning analysis
  • Zap CLI to be more configurable as a tool on the k8s platform

Contributing

Please raise an issue or pull request if you have any issues, questions or features.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].