Added default warning config and setup.

drydockcloud · Dec 30, 2019 · 7f31718 · 7f31718
1 parent 7e2067c
commit 7f31718
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,11 @@
 FROM owasp/zap2docker-stable:latest
 
-# Copy in default tests
-COPY tests /zap/wrk
+# Copy in default test configuration
+COPY gen.conf /zap/wrk
 
-CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web"]
+# Install default/autotest configuration and mount
+VOLUME ["/src"]
+WORKDIR /src
+COPY pages.txt /src/
+
+CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web"]
diff --git a/README.md b/README.md
@@ -1 +1,7 @@
-# ci-zap
+# Docker Image for OWASP ZAP
+
+Learn more about OWASP ZAP:
+ * [OWASP ZAP core documentation](https://github.com/zaproxy/zaproxy)
+ * [Zap Baseline scan options](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan)
+ * [Zap Docker documentation](https://github.com/zaproxy/zaproxy/wiki/Docker)
+
diff --git a/gen.conf b/gen.conf
@@ -0,0 +1,43 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10010	WARN	(Cookie No HttpOnly Flag)
+10011	WARN	(Cookie Without Secure Flag)
+10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+10016	WARN	(Web Browser XSS Protection Not Enabled)
+10017	IGNORE	(Cross-Domain JavaScript Source File Inclusion)
+10019	WARN	(Content-Type Header Missing)
+10020	WARN	(X-Frame-Options Header Scanner)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10023	WARN	(Information Disclosure - Debug Error Messages)
+10024	WARN	(Information Disclosure - Sensitive Informations in URL)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026	WARN	(HTTP Parameter Override)
+10027	WARN	(Information Disclosure - Suspicious Comments)
+10032	WARN	(Viewstate Scanner)
+10040	WARN	(Secure Pages Include Mixed Content)
+10055	IGNORE	(CSP Scanner)
+10038	IGNORE	(Content Security Policy (CSP) Header Not Set)
+10105	WARN	(Weak Authentication Method)
+10202	WARN	(Absence of Anti-CSRF Tokens)
+2	WARN	(Private IP Disclosure)
+3	WARN	(Session ID in URL Rewrite)
+50001	WARN	(Script Passive Scan Rules)
+90001	WARN	(Insecure JSF ViewState)
+90011	WARN	(Charset Mismatch)
+90022	WARN	(Application Error Disclosure)
+90030	WARN	(WSDL File Passive Scanner)
+90033	WARN	(Loosely Scoped Cookie)
+
+# Ignore no-cache header warnings on TLS
+10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+
+# Ignore cached pages that don't initiate a session and don't need CSRF tokens.
+# Commenting them out as they are Drupal-specific, and we want a flag to enable them.
+#10202	OUTOFSCOPE	http://web/
+#10202	OUTOFSCOPE	http://web
+#10202	OUTOFSCOPE	http://web/user/login
+#10202	OUTOFSCOPE	http://web/user/password
+#90022	OUTOFSCOPE	http://web/user/login
+#10016	OUTOFSCOPE	http://web/sitemap.xml
diff --git a/pages.txt b/pages.txt
@@ -0,0 +1 @@
+/