ZAP
This scanner scans websites for vulnerabilities. It supports both authenticated and unauthenticated scans.
How to use with Smithy
Open-Source
# file: ./my-workflow/workflow.yaml
description: ZAP based workflow
name: zap
components:
- component: ghcr.io/smithy-security/smithy/manifests/components/scanners/zaproxy:v1.11.3
- component: ghcr.io/smithy-security/smithy/manifests/components/enrichers/custom-annotation:v0.1.2
- component: ghcr.io/smithy-security/smithy/manifests/components/reporters/json-logger:v1.0.2
- Configure the run parameters of the component in the overrides file
zaproxy:
- name: target
type: string
value: "https://opencre.org/"
- name: scan_duration_mins
type: string
value: "11"
- name: login_url
type: string
value: ""
- name: logout_url
type: string
value: ""
- name: username
type: string
value: ""
- name: password
type: string
value: ""
SaaS
- In the Smithy UI, open the page to create a new workflow.
- Find ZAP in the scanners dropdown.
- [Optional] If you want to do an authenticated scan: Set the url where the login form is and any credentials.
- Set the target domain or base url
Example globas settings if you are using the web app trigger
Login URL: {{ .context.trigger.event.login_path }}
Target: {{ .context.trigger.event.url }}
Username: {{ .context.trigger.auth.username }}
Password: {{ .context.trigger.auth.token }}
Options
You can configure this component with the following options. :
| Option Name | Description | Default | Type |
|---|---|---|---|
| [Required] target | Target to scan | "" | String |
| username | if it's an authenticated scan: the username | "" | String |
| password | if it's an authenticated scan: the password | "" | String |
| login_url | if it's an authenticated scan: the url of the login form | "" | String |