OWASP Zap (aka Zed Attack Proxy) is a security scanner. It offers to generate a JSON-Report when running a scan, which the Swingletree Zap plugin can consume.
The Swingletree Zap Plugin offers following functionalities:
- Attaches OWASP Zap findings to GitHub Pull Requests by evaluating the Zap scan report.
Processed data is persisted to ElasticSearch (if enabled) and can be processed to reports using Kibana or Grafana.
A Gate webhook is published when the Zap Plugin is enabled. It accepts an OWASP Zap scan report in JSON format as a payload and needs some additional query parameters to link the report to a GitHub pull request:
gate:
plugins:
- id: zap
base: # enter base url of plugin-zap instanceGate publishes an endpoint which is connected to the plugin. You will need to attach information about the target repository using the provided methods of Gate (for example HTTP Headers or query parameters):
POST /report/zap?org=[GitHub Organization]&repo=[Repository name]&sha=[Commit SHA]&branch=[branch]
Swingletree will process the report and send a Check Run Status with the context security/zap to the given GitHub coordinates.