https://github.com/lreimer/continuous-zapk8s
Continuous ZAP security tests on K8s.
- Host: GitHub
- URL: https://github.com/lreimer/continuous-zapk8s
- Owner: lreimer
- License: mit
- Created: 2020-11-19T21:41:06.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2021-05-11T14:21:15.000Z (about 5 years ago)
- Last Synced: 2025-03-05T15:02:15.342Z (over 1 year ago)
- Topics: continuous-integration, kubernetes, penetration-testing, security, zap
- Language: TypeScript
- Homepage:
- Size: 103 KB
- Stars: 2
- Watchers: 3
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Continuous ZAP on K8s
Continuous ZAP security tests on Kubernetes. We will run the tests continuously
in headless mode against a demo HTTP endpoint.
## Usage
### Basic Setup
This example deploys a simple microservice in the default K8s namespace. It also
creates a `zap` namespace and deploys the Zed Attack Proxy (ZAP) into it.
```bash
$ pulumi up
$ k get all -n zap
$ k get all
```
### Using ZAP Web UI
The easiest way is to use the ZAP UI in a browser. Issue the following commands to open
the ZAP Swing UI (served via Webswing from the `zap-gui` service) in your web browser:
```bash
$ export PORT=`kubectl get service zap-gui -n zap -o=json | jq -r '.spec.ports[] | select (.name | test("http")) | .nodePort'`
$ open http://localhost:$PORT/zap
```
### Using ZAP via API
Another option is to use the ZAP API to programmatically connect, scan and attack your application targets:
```bash
$ ./gradlew test
```
### Continuous API Scan
```bash
# https://www.zaproxy.org/docs/docker/api-scan/
$ k describe cronjob.batch/zap-api-scan -n zap
```
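For reference, this is the shape of a CronJob that runs the ZAP API scan against the demo service on a schedule. It is an added illustration, not a manifest from the repository; the schedule, the container image, the target URL and the report path are assumptions, while `zap-api-scan.py` and its `-t`/`-f`/`-r` flags come from the ZAP Docker API scan documentation linked above.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: zap-api-scan
  namespace: zap
spec:
  schedule: "0 * * * *"          # assumed: run the scan hourly
  concurrencyPolicy: Forbid      # never overlap two scans of the same target
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: zap-api-scan
              image: ghcr.io/zaproxy/zaproxy:stable   # assumed image; ships zap-api-scan.py
              command: ["zap-api-scan.py"]
              args:
                - "-t"
                # assumed in-cluster target: OpenAPI definition of the demo microservice
                - "http://demo-service.default.svc.cluster.local:8080/openapi.json"
                - "-f"
                - "openapi"
                - "-r"
                - "report.html"   # written relative to /zap/wrk
              volumeMounts:
                - name: work
                  mountPath: /zap/wrk
          volumes:
            - name: work
              emptyDir: {}
```

`zap-api-scan.py` exits non-zero when it finds WARN or FAIL level alerts, so a failed Job is the signal to watch; `k get jobs -n zap` shows the history that `concurrencyPolicy` and the history limits keep.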
## Maintainer
M.-Leander Reimer (@lreimer)
## License
This software is provided under the MIT open source license; see the `LICENSE` file for details.