On this page we are going to add some tasks to an Azure Release pipeline to run the tests.
Prerequisites
There is already a Docker image containing the Zap2 files and a Python file called zap-baseline.py to run the process. The image is called owasp/zap2docker-stable, and it requires a shared folder to put the report in. To mount a file share, I use a storage account in Azure containing the shared location called security. I generate the key to access the shared location and start the process.
When the process has completed, you need a file called OWASPToNUnit3.xslt to convert the report into an NUnit file that can be published as a test result.
OWASP Stage Tasks
There are 3 tasks in this stage:
- OWASP in Azure CLI, which sets up a Container Instance that runs the tests
- Transforming PowerShell Script, which uses a PowerShell script to transform the result into NUnit
- Publish Test Results, which makes the result visible in the pipeline as Test Results
Stage Tasks Yaml
```yaml
steps:
- task: AzureCLI@2
  displayName: 'OWASP in Azure CLI '
  inputs:
    azureSubscription: 'Owasp_grp_sp'
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      # Placeholder value: supply the real key from a secret pipeline variable, not from the YAML.
      $key='"the-Key-to-Storage-Account-shared-location=="'
      $ZAP_COMMAND="/zap/zap-baseline.py -t """"https://the-url-to-test.something"""" -x OWASP-ZAP-Report.xml"
      # Start a Container Instance that runs the baseline scan and writes the report to the mounted share.
      az container create `
        --resource-group owasp_grp `
        --name owasp `
        --image owasp/zap2docker-stable `
        --ip-address public `
        --ports 8080 `
        --azure-file-volume-account-name owaspstore1000 `
        --azure-file-volume-account-key $key `
        --azure-file-volume-share-name security `
        --azure-file-volume-mount-path /zap/wrk/ `
        --command-line $ZAP_COMMAND
      # Download the report from the file share; it exists only once the scan has finished.
      az storage file download `
        --account-name owaspstore1000 `
        --account-key $key `
        -s security `
        -p OWASP-ZAP-Report.xml `
        --dest "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)\OWASP-ZAP-Report.xml"
- powershell: |
    ## The powershell task for converting the test report
    $XslPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)\_Managed-Security/OWASPToNUnit3.xslt"
    $XmlInputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)\OWASP-ZAP-Report.xml"
    $XmlOutputPath = "$($Env:SYSTEM_DEFAULTWORKINGDIRECTORY)\Converted-OWASP-ZAP-Report.xml"
    # Apply the XSLT stylesheet to turn the ZAP XML report into an NUnit result file.
    $XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
    $XslTransform.Load($XslPath)
    $XslTransform.Transform($XmlInputPath, $XmlOutputPath)
  displayName: 'Transforming PowerShell Script'
- task: PublishTestResults@2
  displayName: 'Publish Test Results Converted-OWASP-ZAP-Report.xml'
  inputs:
    testResultsFormat: NUnit
    testResultsFiles: 'Converted-OWASP-ZAP-Report.xml'
```
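To show what the transform step has to produce, here is an added Python example (not the OWASPToNUnit3.xslt file the page relies on, and not the author's code) that maps each ZAP alert to an NUnit-style test case. The element names assume the layout of ZAP's XML report, the sample report is constructed, and `zap_to_nunit` with its `fail_at` risk threshold is a hypothetical helper.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a ZAP XML report (not real scan output).
SAMPLE_REPORT = """<OWASPZAPReport version="constructed" generated="constructed">
  <site name="https://the-url-to-test.something">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <name>X-Content-Type-Options Header Missing</name>
        <riskcode>1</riskcode>
        <riskdesc>Low (Medium)</riskdesc>
        <instances><instance><uri>https://the-url-to-test.something/</uri></instance></instances>
      </alertitem>
      <alertitem>
        <pluginid>10038</pluginid>
        <name>Content Security Policy (CSP) Header Not Set</name>
        <riskcode>2</riskcode>
        <riskdesc>Medium (High)</riskdesc>
        <instances><instance><uri>https://the-url-to-test.something/login</uri></instance></instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>"""

def zap_to_nunit(report_xml, fail_at=1):
    """Turn each alertitem into a test-case; riskcode >= fail_at marks it Failed."""
    run = ET.Element("test-run", id="1", name="OWASP ZAP baseline")
    total = failed = 0
    for site in ET.fromstring(report_xml).iter("site"):
        suite = ET.SubElement(run, "test-suite", type="Assembly", name=site.get("name", ""))
        for item in site.iter("alertitem"):
            total += 1
            bad = int(item.findtext("riskcode") or "0") >= fail_at
            failed += int(bad)
            name = f"{item.findtext('pluginid', '?')} {item.findtext('name', '')}"
            case = ET.SubElement(suite, "test-case", id=str(total), name=name,
                                 fullname=name, result="Failed" if bad else "Passed")
            if bad:  # NUnit carries the finding text inside <failure>
                failure = ET.SubElement(case, "failure")
                ET.SubElement(failure, "message").text = item.findtext("riskdesc", "")
                ET.SubElement(failure, "stack-trace").text = "\n".join(
                    u.text or "" for u in item.iter("uri"))
    run.attrib.update(testcasecount=str(total), total=str(total), failed=str(failed),
                      passed=str(total - failed), result="Failed" if failed else "Passed")
    return ET.tostring(run, encoding="unicode")

if __name__ == "__main__":
    print(zap_to_nunit(SAMPLE_REPORT, fail_at=2))
```

With `fail_at=2` only Medium and higher alerts fail the run, which lets the published test results act as a gate without failing on Low findings.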