
How To Run OWASP ZAP Security Tests in Azure DevOps Pipeline

In this article, learn how configuring OWASP ZAP security tests for webpage UI or API helps to identify the security risks.

By Ganesh Hegde (DZone Core) · Updated by Manoj Debnath · Updated Mar. 29, 24 · Tutorial

Security testing is an essential part of testing. Every organization wants to do at least basic security testing before releasing code to production. Security testing is a vast field, and complete security testing is difficult without the help of trained professionals. Some open-source tools, however, provide automated basic scanning of a website. Once such a scan is added to the pipeline like any other test, such as a smoke or regression test, the security tests run as part of deployment and report issues.

What Is OWASP ZAP?

ZAP is a popular open-source security testing tool. It helps find vulnerabilities in applications or API endpoints, including cross-site scripting, SQL injection, broken authentication, sensitive data exposure, broken access control, security misconfiguration, insecure deserialization, and more.

The beauty of this tool is that it provides both a UI and a command-line interface for running tests. Because it has a command-line interface, we can integrate it into our pipeline. The pipeline can be triggered when we release code into production, which helps to find potential security issues.

What Are We Going To Learn?

  • How to configure and set up OWASP ZAP security test into Azure Release Pipeline
  • How to run OWASP ZAP security tests on websites in Azure DevOps Pipeline using Docker
  • How to perform API security testing using OWASP ZAP security testing tool in Azure DevOps Pipelines with Docker Images
  • How to publish OWASP ZAP security testing results in Azure DevOps Pipeline
  • How to publish OWASP ZAP HTML test results into Azure Artifacts by creating feed and packages
  • How to download artifacts containing OWASP ZAP HTML test results using the Azure CLI tool

What Are the Prerequisites?

Create a Repository

Create a repository inside your organization (preferred), download the file OWASPToNUnit3.xslt, and keep it inside the repository. This file is needed to convert the OWASP ZAP security test result XML into the NUnit format that Azure DevOps can publish.

Create a Feed Azure DevOps Artifact

This feed is helpful for publishing OWASP ZAP HTML results. The steps are as follows:

Step 1

Navigate to Azure DevOps > click on Artifacts > click on Create Feed:

Navigating to Azure DevOps > Click on Artifacts > Click on Create Feed

Step 2

In the "Create new feed" form, enter a name for the feed and click on Create.

Creating new Feed

Note: The feed name is used later while configuring tasks, where you have to pick the same feed from a drop-down, so note down the feed name.

Step 3

Create a sample package inside the feed using the command line.

Install Azure CLI. After installation, run the command below to create a sample package:

PowerShell
 
az artifacts universal publish --organization https://dev.azure.com/[Your_Org_Name] --feed SecurityTesting --name security_testing --version 1.0.0 --description "Your description" --path .


After completing Step 3, navigate to Azure DevOps > Artifacts and select the SecurityTesting feed. You should see the newly created package:

Navigating to newly created package

We have completed all the initial setup and prerequisites and can start with the pipelines now. Refer to the Microsoft documentation for more details.

How to Configure OWASP ZAP Security Tests in Azure DevOps Pipeline

Let's go through, step by step, how to set up an OWASP ZAP security test pipeline using a Docker image.

Step 1: Create a New Release Pipeline

1. Navigate to Azure DevOps > Pipeline > click on Releases.

Creating release pipeline

2. Click on New, and choose New Release Pipeline:

New release pipeline

3. Choose Empty job when the template window prompts:

Template window

4. Name the stage Security Testing (or any other name you wish).

Naming security testing stage

Step 2: Add Artifact to Release Pipeline

  1. Click on Add an artifact.
  2. In the popup window, choose Azure Repository.
  3. Choose your Project.
  4. Choose the Source repository (this is the place where you created the XSLT file in the prerequisite section).
  5. Choose the default branch as master.
  6. Click Add.

Adding artifact to release pipeline

Step 3: Add Tasks to Pipeline

We need to add tasks to the pipeline. In our case, we have created only one stage, which is security testing.

Adding tasks to pipeline

Step 4: Configure Agent Job Details

  1. Display Name: Agent Job or anything you wish
  2. Agent pool: Choose Azure Pipelines.
  3. Agent Specification: Choose any Ubuntu agent from the dropdown.

Configuring agent job details

Step 5: Add Docker Installer Task

In the search box, search for Docker CLI, add the task, and configure the Docker CLI task.


Docker Installer Task

Step 6: Add Bash Script Task

Bash Script Task

Step 7: Configure Bash Script Task

  1. Display name: Security Test Run
  2. Type: select the Inline radio button.
  3. Script: copy and paste the code below (replace the target URL with your own).

Example:

 
chmod -R 777 ./

docker run --rm \
  -v $(pwd):/zap/wrk/:rw \
  -t owasp/zap2docker-stable \
  zap-full-scan.py \
  -t https://dzone.com \
  -g gen.conf \
  -x OWASP-ZAP-Report.xml \
  -r scan-report.html


How To Run OWASP ZAP Security Test for API

The script above works for websites and web pages. If your target is an API, you need a different inline script; everything else stays the same.

Script for OWASP ZAP API Security Scan

Shell
 
chmod -R 777 ./
docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t [your-api-url] -f openapi -g api-scan.conf -x OWASP-ZAP-Report.xml -r api-scan-report.html
true


Example:

 
chmod -R 777 ./

docker run --rm \
  -v $(pwd):/zap/wrk/:rw \
  -t owasp/zap2docker-weekly \
  zap-api-scan.py \
  -t https://dzone.com/swagger/v1/swagger.json \
  -f openapi \
  -g api-scan.conf \
  -x OWASP-ZAP-Report.xml \
  -r api-scan-report.html

true


Thanks to sudhinsureshr for this.
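Both Bash scripts above end with a bare `true`, which makes the Bash task report success whatever the scanner returned (a Bash task's status is the exit code of its last command). The following is an added example, not code from the article or from the ZAP project: it builds the same `docker run` invocation as an argument list (note that the first `-t` is Docker's pseudo-TTY flag and the second is the scan target) and maps the scanner's documented exit codes (0 clean, 1 at least one FAIL rule, 2 at least one WARN and no FAIL, 3 the scan did not complete) onto an explicit pass/fail decision for the task. The image name defaults to the one used on the page; the ZAP project has since moved its images to `ghcr.io/zaproxy/zaproxy`, which is not mentioned in the article. `fake_runner` is a test aid so the policy can be exercised without Docker.

```python
"""Build the ZAP scan command from the Bash task and turn the scanner's exit
status into a pipeline decision instead of masking it with a trailing `true`."""
import subprocess

# Exit codes documented for zap-full-scan.py and zap-api-scan.py:
# 0 = no WARN/FAIL rule triggered, 1 = at least one FAIL, 2 = at least one WARN
# and no FAIL, 3 = the scan itself did not complete (target unreachable, etc.).
ZAP_EXIT = {0: "clean", 1: "fail", 2: "warn", 3: "error"}


def build_scan_command(target, workdir, api_spec_format=None,
                       image="owasp/zap2docker-stable", config="gen.conf",
                       report_xml="OWASP-ZAP-Report.xml", report_html="scan-report.html"):
    """Same docker invocation as the article's Bash task, as an argv list so no
    shell quoting is involved. Pass api_spec_format="openapi" for zap-api-scan.py."""
    script = "zap-api-scan.py" if api_spec_format else "zap-full-scan.py"
    cmd = ["docker", "run", "--rm",
           "-v", f"{workdir}:/zap/wrk/:rw",   # reports land in the agent's working dir
           "-t", image,                       # docker's -t: allocate a pseudo-TTY
           script, "-t", target]              # the scan script's -t: target URL
    if api_spec_format:
        cmd += ["-f", api_spec_format]
    cmd += ["-g", config, "-x", report_xml, "-r", report_html]
    return cmd


def run_scan(cmd, fail_on_warn=False, runner=subprocess.run):
    """Return (verdict, task_exit_code). `runner` is injectable so the policy can be
    tested without Docker; in the pipeline the default subprocess.run is used."""
    proc = runner(cmd)
    verdict = ZAP_EXIT.get(proc.returncode, "error")   # unknown codes count as errors
    if verdict == "clean" or (verdict == "warn" and not fail_on_warn):
        return verdict, 0
    # "fail" (a FAIL rule fired) or "error" (scan broken): stop the release stage.
    return verdict, 1


def fake_runner(returncode):
    """Test aid: a runner that pretends the scan exited with `returncode`."""
    return lambda cmd: subprocess.CompletedProcess(cmd, returncode)


if __name__ == "__main__":
    import os
    import sys
    # Usage: python run_zap.py https://your.target [--fail-on-warn]
    command = build_scan_command(sys.argv[1], os.getcwd())
    verdict, code = run_scan(command, fail_on_warn="--fail-on-warn" in sys.argv)
    print(f"ZAP verdict: {verdict}")
    sys.exit(code)
```

With this in place the Bash task can simply run the script and let its exit code decide the stage result, and `--fail-on-warn` lets a team tighten the gate later without editing the docker command.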

Step 8: Add Powershell Task To Convert ZAP XML Report To Azure DevOps NUnit Report Format To Publish Results

  • Add a PowerShell task from the Azure DevOps Add tasks window.

Powershell Task to convert ZAP XML Report to Azure DevOps Nunit Report Format

  • Configure the PowerShell task to convert the ZAP XML report to NUnit XML:
  1. Display Name: Anything you wish
  2. Type: Inline
  3. Script: paste the inline script below

Sample Inline Script

Note: This script contains a relative path to the repository and folder (the part after the working directory is the artifact alias followed by the folder inside the repository). Adjust it to match the names you used in your project.

PowerShell
 
$XslPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/_Quality/SecurityTesting/OWASPToNUnit3.xslt"
$XmlInputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/OWASP-ZAP-Report.xml"
$XmlOutputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)/Converted-OWASP-ZAP-Report.xml"
$XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
$XslTransform.Load($XslPath)
$XslTransform.Transform($XmlInputPath, $XmlOutputPath)
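
The XSLT above does the conversion as a black box. As an added illustration of what that conversion has to do, here is a Python script that is not part of the article and not the OWASPToNUnit3.xslt stylesheet: it reads the ZAP XML report (one `<alertitem>` per finding, with `riskcode` 0 to 3 for Informational to High), writes a minimal NUnit 3 `<test-run>` in which each alert is a test case that fails above a chosen risk threshold, and prints Azure DevOps `##vso[task.logissue]` / `##vso[task.complete]` logging commands so findings appear in the run summary and can set the task result. The sample report embedded in the script is constructed for the example; the rule IDs 10038 and 10021 are real ZAP passive-scan rule IDs, the URLs and text are invented. It could replace Step 8's PowerShell task on an agent with Python, or run alongside it as a risk gate.

```python
"""Convert an OWASP ZAP XML report into NUnit 3 XML and emit Azure DevOps
logging commands that gate the pipeline on alert risk (added example)."""
import sys
import xml.etree.ElementTree as ET

# ZAP riskcode values: 0 Informational, 1 Low, 2 Medium, 3 High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of a ZAP XML report; content is invented.
SAMPLE_ZAP_XML = """<?xml version="1.0"?>
<OWASPZAPReport version="2.14.0" generated="Fri, 29 Mar 2024 10:00:00">
  <site name="https://example.test">
    <alerts>
      <alertitem>
        <pluginid>10038</pluginid>
        <alert>Content Security Policy (CSP) Header Not Set</alert>
        <riskcode>2</riskcode><confidence>3</confidence>
        <instances>
          <instance><uri>https://example.test/</uri><method>GET</method></instance>
          <instance><uri>https://example.test/login</uri><method>GET</method></instance>
        </instances>
        <solution>Set a Content-Security-Policy header on every response.</solution>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode><confidence>2</confidence>
        <instances><instance><uri>https://example.test/</uri><method>GET</method></instance></instances>
        <solution>Send X-Content-Type-Options: nosniff.</solution>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(xml_text):
    """Flatten every <alertitem> of every <site> into a plain dict."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.findall("site"):
        for item in site.findall("alerts/alertitem"):
            alerts.append({
                "site": site.get("name", ""),
                "pluginid": item.findtext("pluginid", ""),
                "name": item.findtext("alert", ""),
                "riskcode": int(item.findtext("riskcode", "0")),
                "confidence": int(item.findtext("confidence", "0")),
                "instances": [i.findtext("uri", "") for i in item.findall("instances/instance")],
                "solution": item.findtext("solution", ""),
            })
    return alerts


def to_nunit3(alerts, fail_at_risk=3):
    """Minimal NUnit 3 <test-run>: one <test-case> per alert, Failed when
    riskcode >= fail_at_risk, Passed otherwise. Returns the XML as a string."""
    failed = sum(1 for a in alerts if a["riskcode"] >= fail_at_risk)
    total = len(alerts)
    counts = {"total": str(total), "passed": str(total - failed), "failed": str(failed),
              "result": "Failed" if failed else "Passed"}
    run = ET.Element("test-run", {"id": "1", "testcasecount": str(total), **counts})
    suite = ET.SubElement(run, "test-suite", {"type": "Assembly", "name": "OWASP-ZAP", **counts})
    for a in alerts:
        outcome = "Failed" if a["riskcode"] >= fail_at_risk else "Passed"
        case_name = f"[{RISK_NAMES.get(a['riskcode'], '?')}] {a['name']} (rule {a['pluginid']})"
        case = ET.SubElement(suite, "test-case", {"name": case_name,
                             "fullname": f"{a['site']} / {case_name}", "result": outcome})
        if outcome == "Failed":   # the failure message is what shows up in the Tests tab
            failure = ET.SubElement(case, "failure")
            ET.SubElement(failure, "message").text = (
                "Affected URLs:\n" + "\n".join(a["instances"]) + "\nSolution: " + a["solution"])
    return ET.tostring(run, encoding="unicode")


def vso_log_lines(alerts, fail_at_risk=3):
    """Azure DevOps logging commands: one logissue per alert plus the task result."""
    lines = []
    for a in alerts:
        kind = "error" if a["riskcode"] >= fail_at_risk else "warning"
        lines.append(f"##vso[task.logissue type={kind}]ZAP rule {a['pluginid']} "
                     f"{RISK_NAMES.get(a['riskcode'], '?')}: {a['name']} "
                     f"({len(a['instances'])} instance(s))")
    if any(a["riskcode"] >= fail_at_risk for a in alerts):
        lines.append("##vso[task.complete result=Failed;]ZAP risk gate failed")
    elif alerts:
        lines.append("##vso[task.complete result=SucceededWithIssues;]ZAP findings below gate")
    return lines


if __name__ == "__main__":
    # Usage: python zap_to_nunit.py OWASP-ZAP-Report.xml Converted-OWASP-ZAP-Report.xml [fail_at_risk]
    src, dst = sys.argv[1], sys.argv[2]
    threshold = int(sys.argv[3]) if len(sys.argv) > 3 else 3
    with open(src, encoding="utf-8") as f:
        found = parse_alerts(f.read())
    with open(dst, "w", encoding="utf-8") as f:
        f.write(to_nunit3(found, threshold))
    print("\n".join(vso_log_lines(found, threshold)))   # printed lines are read by the agent
```

The threshold argument is the policy knob: with the default of 3 only High alerts fail the stage, while 2 also fails on Medium. Because the converted file is still NUnit XML, Step 10's Publish Test Results task consumes it unchanged.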


Configure Powershell Task

Step 9: [Optional] Publish OWASP ZAP Security Testing HTML Results To Azure Artifact

  • Add Universal Package task:

Publish OWASP ZAP Security Testing HTML Results

  • Configure Universal Package task:
  1. Display Name: Anything you wish
  2. Command: Publish (Choose from the dropdown)
  3. Path to Publish: $(System.DefaultWorkingDirectory) or you can choose from the selection panel (…) menu
  4. Feed Location: This organization's collection
  5. Destination Feed: SecurityTesting (This is the one that you created in prerequisite step 2.)
  6. Package Name: security_testing (This is the one that you created in prerequisite step 3.)

Universal Package Task

Step 10: Publish OWASP ZAP Results Into Azure DevOps Pipeline

  1. Add the Publish Test Results task.
  2. Configure the Publish Test Results task:
  3. Display Name: Any name
  4. Test Result format: NUnit
  5. Test Result Files: the output file name from Step 8. In our case, it's Converted-OWASP-ZAP-Report.xml.
  6. Search Folder: $(System.DefaultWorkingDirectory)

After completing Step 10, trigger the OWASP ZAP release. The release starts running and shows its progress in the task log.

Step 11: Viewing OWASP/ZAP Security Testing Results

Once the release is completed, navigate to completed tasks and click on the Publish Test Results task.

Viewing OWASP / ZAP Security Testing Results

The window with the link to the result opens:

Result link window


Once you click the link, you can see the results.

OWASP / ZAP Security Testing Results


Viewing OWASP / ZAP Security Testing Results

Final Thoughts

ZAP is an acronym for Zed Attack Proxy, formerly known as OWASP ZAP. It is primarily used as a web application security scanner. The goal is to find vulnerabilities in an application or API endpoint that could be exploited by various types of attacks. ZAP is actively maintained by a dedicated team of volunteers and is used extensively by professional penetration testers. As this article shows, with these configuration steps security testing can be added to the DevOps pipeline just like any other test, run as part of deployment, and report issues.
