ZAP integration

Traceable provides two options to use ZAP with AST (API security testing). If you already have an existing ZAP setup, you can direct AST to your ZAP setup. Alternatively, Traceable CLI can install ZAP at the runtime before starting the scan. 

ZAP (Zed Attack Proxy) is a popular open-source web application security testing tool. It is designed to help developers and security professionals identify and eliminate security vulnerabilities in web applications during the development and testing phases. ZAP can be used to scan web applications for various security issues such as SQL injection, cross-site scripting (XSS), broken authentication and session management, and more. It includes a wide range of features, including automated scanning, intercepting and modifying HTTP traffic, and support for various scripting languages and APIs. Traceable provides an integration with ZAP using the command-line interface. For more information, see ZAP documentation.

Before you begin

Make a note of the following points before integrating Traceable with ZAP:

• Traceable CLI is supported only on Linux systems.
• If you are planning to integrate Traceable and ZAP using macOS or Windows, use the docker option.

Option 1 – Preconfigured ZAP

You can either use binary CLI or Docker to integrate Traceable with ZAP.

Binary CLI to integrate with ZAP

Complete the following steps to integrate ZAP with Traceable using Python. Before proceeding, make sure that you have a ZAP instance running on your machine.

1. Install the binary CLI. Enter the following command:
   ActionScriptActionScript

   curl -o- https://downloads.traceable.ai/cli/release/latest/install.sh | bash

2. Inside the bash terminal, enter the following command.
   ActionScriptActionScript

   traceable ast scan initAndRun --scan-name ${SCAN_NAME} --policy ${POLICY} 
   --traceable-server=api.traceable.ai:443 --token ${TRACEABLE_TOKEN}
   --zap-apikey ${ZAP_KEY} --zap-apiurl ${ZAP_URL} --zap-fullscan ${ZAP_FULLSCAN} 

Following is an explanation of the command parameters:

• --scan-name – Name of the scan that you wish to provide.
• --policy – Name of the policy. Make sure that the policy is already created through the UI. For more information, see Start API Security Testing.
• --traceable-server – Traceable server to connect to for the scan
• --token – Traceable's API token. On Traceable's platform, navigate to My Preferences → API Tokens.
• --zap-apikey – This is a mandatory parameter. The API key is a unique identifier that is used to authenticate and authorize access to the ZAP API. In the ZAP UI, navigate to Tools → Options → API.
• --zap-apiurl⁣ – This is an optional parameter. The API URL is the endpoint that exposes the ZAP API. The API URL is the web address that you use to access the ZAP API. By default, the ZAP API listens on port 8080 and its default value is http://localhost:8080. Provide this parameter if ZAP instance is running on a different URL.
• --zap-fullscan⁣ – This is an optional parameter. The default value is false. The parameter in the given command indicates that a full scan should be performed using ZAP. When performing a full scan, ZAP will perform a thorough examination of the web application, testing all possible inputs, outputs, and attack vectors. This includes testing for common vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and many others. Full scans take more time to complete than regular or quick scans, as they cover more aspects of the application. However, they provide a much more comprehensive view of the security posture of the application, identifying more vulnerabilities that might be missed in a quick scan.

Docker to integrate with ZAP

Complete the following steps to integrate ZAP with Traceable using Docker. Enter the following commands:

1. Create a container named traceable-data. Enter the following command:
   ActionScriptActionScript

   docker create --name traceable-data traceableai/traceable-cli

2. Make sure that you have a running ZAP instance. The parameters' explanation is same as mentioned in the previous section. The given command runs a Docker container with the binary CLI tool, and then uses it to initiate a security scan on a web application. Enter the following command:
   ActionScriptActionScript

   docker run --rm --volumes-from traceable-data -it traceableai/traceable-cli 
   ast scan initAndRun --scan-name ${SCAN_NAME} --policy ${POLICY} 
   --traceable-server api.traceable.ai --token ${TOKEN}
   --zap-apikey ${ZAP_KEY} --zap-apiurl ${ZAP_URL} --zap-fullscan ${ZAP_FULLSCAN}

Option 2 – Traceable installed ZAP

You can either use the binary CLI or Docker to install ZAP during runtime and run the AST scans.

Binary CLI for runtime ZAP installation

Enter the following command to install ZAP at runtime and start a scan:

traceable ast scan initAndRun --scan-name ${SCAN_NAME} --policy ${POLICY} 
--traceable-server=api.traceable.ai:443 --token ${TRACEABLE_TOKEN}
--zap-apikey ${ZAP_KEY} --zap-apiurl ${ZAP_URL} --zap-fullscan ${ZAP_FULLSCAN}
--start-zapproxy=true

--start-zapproxy=true tells the CLI to install ZAP and run a ZAP instance with the API key that is provided. For other parameter options, see Binary CLI to integrate with ZAP section.

Docker to install ZAP during run time

This option requires a docker-compose file. To access the docker compose file, contact Traceable's support at support@traceable.ai.

Run the following command from inside the directory where you have downloaded the file:

docker-compose up --abort-on-container-exit

The above command creates two docker containers, one with a ZAP instance running in it and the other container running the Traceable CLI.

The above command does the following:

• docker-compose: This command is used to start and manage Docker Compose projects.
• up: This command starts the containers defined in the docker-compose.yml file.
• --abort-on-container-exit: This flag tells Docker Compose to stop all containers and the entire stack if any container exits with a non-zero exit code. This is useful for catching errors during the startup process and preventing the remaining containers from running in a potentially unstable environment.

When you run this command, Docker Compose will start all the containers defined in the docker-compose.yml file. The --abort-on-container-exit flag ensures that the containers are stopped immediately if any of them exit with an error code. This helps to ensure that the rest of the containers are not affected by any errors that may occur during startup.