Continuous ZAP security tests on Kubernetes. We will run the tests continuously in headless mode against a demo HTTP endpoint.
This example deploys a simple microservice in the default K8s namespace. It also creates a zap namespace and deploys the Zed Attack Proxy (ZAP) there. Deploy everything with Pulumi and check the resulting resources (k is used below as a shorthand for kubectl):
$ pulumi up
$ k get all -n zap
$ k get all
The easiest way to work with the running ZAP instance is its desktop UI, which the ZAP image serves into the browser via Webswing. The zap-gui Service exposes it on a NodePort; look the port up and open the UI:
$ export PORT=`kubectl get service zap-gui -n zap -o=json | jq -r '.spec.ports[] | select (.name | test("http")) | .nodePort'`
$ open http://localhost:$PORT/zap
The localhost URL assumes node ports are reachable from your machine (Docker Desktop, or minikube with a tunnel). On a remote cluster, replace localhost with the address of a node.
Another option is to drive ZAP programmatically through its REST API to connect to, spider, scan and attack your application targets. The Gradle test suite does exactly that:
$ ./gradlew test
The continuous scans run as a Kubernetes CronJob named zap-api-scan in the zap namespace, which uses the ZAP API scan (see https://www.zaproxy.org/docs/docker/api-scan/). Inspect its schedule and last runs with:
$ k describe cronjob.batch/zap-api-scan -n zap
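The following script shows what driving ZAP over its API looks like end to end, and how to turn the resulting alerts into a pass/fail decision for a pipeline. It is an added example, not code from this repository or from the ZAP project: it assumes ZAP is reachable at ZAP_URL (for example a port-forward to the zap-api Service), that an API key, if configured, is passed via ZAP_API_KEY, and it uses only documented ZAP API endpoints (spider/action/scan, spider/view/status, ascan/action/scan, ascan/view/status, core/view/alerts). The SAMPLE_ALERTS list is a constructed stand-in for a real alerts response so the gate logic can be exercised offline.

```python
"""Spider, actively scan and gate on ZAP alerts through the ZAP JSON API.

Added example (not part of the repository). Assumes ZAP_URL points at a
running ZAP instance and ZAP_API_KEY holds its API key, if one is set.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# ZAP's risk levels, ordered so a threshold comparison is possible.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_call(zap_url, component, kind, name, api_key="", **params):
    """Perform one ZAP JSON API call and return the decoded response."""
    params = {k: v for k, v in params.items() if v is not None}
    if api_key:
        params["apikey"] = api_key  # documented ZAP API key parameter
    url = f"{zap_url}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def wait_for(zap_url, component, scan_id, api_key="", poll=2.0):
    """Block until the spider or active scan (component) reports 100 %."""
    while True:
        status = zap_call(zap_url, component, "view", "status", api_key, scanId=scan_id)
        if int(status["status"]) >= 100:
            return
        time.sleep(poll)


def run_scan(zap_url, target, api_key=""):
    """Spider the target, actively scan it, and return the alerts for it."""
    spider = zap_call(zap_url, "spider", "action", "scan", api_key, url=target)
    wait_for(zap_url, "spider", spider["scan"], api_key)
    ascan = zap_call(zap_url, "ascan", "action", "scan", api_key, url=target, recurse="true")
    wait_for(zap_url, "ascan", ascan["scan"], api_key)
    return zap_call(zap_url, "core", "view", "alerts", api_key, baseurl=target)["alerts"]


def summarize_alerts(alerts, fail_on="High", ignore_confidence=("False Positive",)):
    """Count alerts per risk level and decide whether the build should fail.

    `alerts` is the list under the "alerts" key of /JSON/core/view/alerts/.
    Alerts whose confidence is in ignore_confidence (ZAP's own 'False
    Positive' marker) are skipped. Returns (counts_by_risk, failed).
    """
    counts = {risk: 0 for risk in RISK_ORDER}
    threshold = RISK_ORDER[fail_on]
    failed = False
    for alert in alerts:
        if alert.get("confidence") in ignore_confidence:
            continue
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if RISK_ORDER.get(risk, 0) >= threshold:
            failed = True
    return counts, failed


# Constructed sample in the shape ZAP returns (fields trimmed); not real scan output.
SAMPLE_ALERTS = [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://demo/"},
    {"alert": "SQL Injection", "risk": "High",
     "confidence": "Medium", "url": "http://demo/search?q=1"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "False Positive", "url": "http://demo/"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium",
     "confidence": "Low", "url": "http://demo/login"},
]


if __name__ == "__main__":
    zap_url = os.environ.get("ZAP_URL", "http://localhost:8090")
    target = os.environ.get("TARGET_URL")
    api_key = os.environ.get("ZAP_API_KEY", "")
    # Without TARGET_URL, run the gate against the constructed sample only.
    alerts = run_scan(zap_url, target, api_key) if target else SAMPLE_ALERTS
    counts, failed = summarize_alerts(alerts, fail_on=os.environ.get("FAIL_ON", "High"))
    print(json.dumps(counts, indent=2))
    sys.exit(1 if failed else 0)
```

Run it with TARGET_URL set to the demo endpoint (and ZAP_URL pointing at the ZAP API) to scan for real; a non-zero exit code on High findings is what a CI stage or a CronJob wrapper would key on. FAIL_ON=Medium tightens the gate.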
M.-Leander Reimer (@lreimer), mario-leander.reimer@qaware.de
This software is provided under the MIT open source license, read the LICENSE file for details.