Trying to use ZAP (2.4.3) in a continuous integration (CI) setting. I can run ZAP as a daemon, run all my Selenium tests (in Java) using ZAP as a proxy, and then use the REST API, calling htmlreport, to get a final report from the Passive Scanner. This works fine, but I would like to also use the Active Scanner.

Using the Active Scanner in CI is mentioned several times in ZAP's documentation, but I haven't found any working example or tutorial about it... does one exist?

What I would like to achieve is something like: run the Active Scanner on all the pages visited by the Selenium regression suite, once the suite has finished running.

I am trying to look at ZAP's REST API, but it is mostly undocumented:

https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index

Ideally, it would be great to have something like:

  • Start an Active Scan asynchronously on all visited URLs
  • Poll to check whether the Active Scan run is completed

In the REST API it seems there is something related, but:

  • ascan/scan needs a URL as input. I could call core/urls to see what the Selenium tests have visited, but then how do I set the right authentication (login credentials)? What if the order in which the URLs are visited is important? What if a page is only accessible with a specific credential?
  • There is an ascan/scanAsUser, but it is unclear how contextId and userId can be retrieved from ZAP. A cumbersome workaround would be to modify the Selenium tests to write to disk the URLs they visit and which login/password credentials they are using, and then, once all tests are finished, to read that info from disk to call ZAP. Is there any simpler way?

1 Answer

OK, so there's a lot of questions here :)

ZAP typically scans hierarchies of URLs, e.g. everything under https://www.example.com/app, the top-level URL of your application. We kind of assume you know what that will be ;)

Authentication is non trivial to handle, see https://github.com/zaproxy/zaproxy/wiki/FAQformauth

The ascan/status call returns the completed %.

You may find the ZAP User Group http://groups.google.com/group/zaproxy-users better for this sort of question. But yes, we do need to improve the API documentation :/

Cheers,

Simon (ZAP Project Lead)
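The start-scan-then-poll loop the question asks for, using the ascan/scan (or scanAsUser), ascan/status, core/urls and core/alerts calls named in the thread, as an added example that is neither part of the original post nor the ZAP project's own client code. It assumes a ZAP daemon at 127.0.0.1:8080 with API key "changeme" (both placeholders), ZAP's /JSON/<component>/<view|action>/<name>/ URL layout, and the response field names "scan", "status", "urls", "alerts" and "risk"; the context/user ids for scanAsUser are taken as inputs rather than discovered. A small offline fake of the daemon is included so the flow can be exercised without a running ZAP.

```python
import json
import time
import urllib.parse
import urllib.request

# Placeholder daemon address and API key (assumptions, not values from the thread).
ZAP_BASE = "http://127.0.0.1:8080"
API_KEY = "changeme"


def _http_fetch(url):
    """Default transport: plain HTTP GET against the ZAP daemon."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def zap_get(base, component, kind, name, params=None, fetch=None):
    """Call one ZAP API endpoint (/JSON/<component>/<view|action>/<name>/) and decode its JSON.

    `fetch` replaces the HTTP transport; the offline fake below uses that hook.
    """
    query = dict(params or {})
    query["apikey"] = API_KEY
    url = "%s/JSON/%s/%s/%s/?%s" % (base, component, kind, name, urllib.parse.urlencode(query))
    return json.loads((fetch or _http_fetch)(url))


def visited_urls(base, fetch=None):
    """URLs ZAP saw while proxying the Selenium run (core/view/urls)."""
    return zap_get(base, "core", "view", "urls", fetch=fetch)["urls"]


def start_active_scan(base, target, context_id=None, user_id=None, fetch=None):
    """Start an asynchronous active scan and return its scan id as a string.

    With a context id and user id this uses ascan/action/scanAsUser so the scan
    runs with that user's session; otherwise plain ascan/action/scan.
    """
    params = {"url": target, "recurse": "true"}
    if context_id is not None and user_id is not None:
        params.update({"contextId": str(context_id), "userId": str(user_id)})
        data = zap_get(base, "ascan", "action", "scanAsUser", params, fetch)
    else:
        data = zap_get(base, "ascan", "action", "scan", params, fetch)
    return str(data["scan"])


def scan_progress(base, scan_id, fetch=None):
    """Completed percentage reported by ascan/view/status for one scan."""
    return int(zap_get(base, "ascan", "view", "status", {"scanId": scan_id}, fetch)["status"])


def wait_for_scan(base, scan_id, timeout=1800, interval=5, fetch=None, sleep=time.sleep):
    """Poll ascan/view/status until it reaches 100%; return every reading taken.

    Raises TimeoutError so a CI job fails loudly instead of hanging on a stuck scan.
    """
    deadline = time.monotonic() + timeout
    readings = []
    while True:
        pct = scan_progress(base, scan_id, fetch)
        readings.append(pct)
        if pct >= 100:
            return readings
        if time.monotonic() > deadline:
            raise TimeoutError("scan %s still at %d%% after %ds" % (scan_id, pct, timeout))
        sleep(interval)


def high_risk_alerts(base, target, fetch=None):
    """Alerts for the target rated High, a simple gate for failing the CI build."""
    alerts = zap_get(base, "core", "view", "alerts", {"baseurl": target}, fetch)["alerts"]
    return [a for a in alerts if a.get("risk") == "High"]


def offline_fake_zap(status_sequence):
    """Constructed stand-in for the daemon: answers the endpoints above with canned JSON."""
    pending = list(status_sequence)

    def fetch(url):
        path = urllib.parse.urlparse(url).path
        if path.endswith("/ascan/action/scan/"):
            return '{"scan":"3"}'
        if path.endswith("/ascan/action/scanAsUser/"):
            return '{"scan":"4"}'
        if path.endswith("/ascan/view/status/"):
            return json.dumps({"status": str(pending.pop(0))})
        if path.endswith("/core/view/urls/"):
            return '{"urls":["http://app.example/login","http://app.example/home"]}'
        if path.endswith("/core/view/alerts/"):
            return ('{"alerts":[{"risk":"High","alert":"constructed high"},'
                    '{"risk":"Low","alert":"constructed low"}]}')
        raise AssertionError("unexpected endpoint " + url)
    return fetch


def demo(fetch=None, sleep=time.sleep):
    """Whole CI flow: list visited URLs, scan the app root, poll, collect High alerts."""
    fetch = fetch or offline_fake_zap([20, 65, 100])
    target = "http://app.example/"
    seen = visited_urls(ZAP_BASE, fetch)
    scan_id = start_active_scan(ZAP_BASE, target, fetch=fetch)
    readings = wait_for_scan(ZAP_BASE, scan_id, interval=0, fetch=fetch, sleep=sleep)
    return {"seen": seen, "scan_id": scan_id, "readings": readings,
            "high": high_risk_alerts(ZAP_BASE, target, fetch)}


if __name__ == "__main__":
    print(demo(sleep=lambda _: None))
```

Against a real daemon, drop the `fetch` argument so the HTTP transport is used, and pass `context_id`/`user_id` to `start_active_scan` once those have been created in ZAP; the poll interval of 5 seconds is a reasonable default for a CI job.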