From 7f317182a04dcad8d36557e3b70cb10abdc82000 Mon Sep 17 00:00:00 2001
From: Sam Lerner <sam.lerner@civicactions.com>
Date: Mon, 30 Dec 2019 16:22:34 -0500
Subject: [PATCH] Added default warning config and setup.

---
 Dockerfile | 11 ++++++++---
 README.md  |  8 +++++++-
 gen.conf   | 43 +++++++++++++++++++++++++++++++++++++++++++
 pages.txt  |  1 +
 4 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 gen.conf
 create mode 100644 pages.txt

diff --git a/Dockerfile b/Dockerfile
index 7e9b33c..c9a7c7e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,11 @@
 FROM owasp/zap2docker-stable:latest
 
-# Copy in default tests
-COPY tests /zap/wrk
+# Copy in default test configuration
+COPY gen.conf /zap/wrk
 
-CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web"]
\ No newline at end of file
+# Install default/autotest configuration and mount
+VOLUME ["/src"]
+WORKDIR /src
+COPY pages.txt /src/
+
+CMD ["zap-baseline.py", "-d", "-r", "zap.html", "-t", "http://web"]
diff --git a/README.md b/README.md
index 34538b7..05d2ce8 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,7 @@
-# ci-zap
\ No newline at end of file
+# Docker Image for OWASP ZAP
+
+Learn more about OWASP ZAP:
+ * [OWASP ZAP core documentation](https://github.com/zaproxy/zaproxy)
+ * [Zap Baseline scan options](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan)
+ * [Zap Docker documentation](https://github.com/zaproxy/zaproxy/wiki/Docker)
+
diff --git a/gen.conf b/gen.conf
new file mode 100644
index 0000000..70351b1
--- /dev/null
+++ b/gen.conf
@@ -0,0 +1,43 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10010	WARN	(Cookie No HttpOnly Flag)
+10011	WARN	(Cookie Without Secure Flag)
+10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+10016	WARN	(Web Browser XSS Protection Not Enabled)
+10017	IGNORE	(Cross-Domain JavaScript Source File Inclusion)
+10019	WARN	(Content-Type Header Missing)
+10020	WARN	(X-Frame-Options Header Scanner)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10023	WARN	(Information Disclosure - Debug Error Messages)
+10024	WARN	(Information Disclosure - Sensitive Informations in URL)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026	WARN	(HTTP Parameter Override)
+10027	WARN	(Information Disclosure - Suspicious Comments)
+10032	WARN	(Viewstate Scanner)
+10040	WARN	(Secure Pages Include Mixed Content)
+10055	IGNORE	(CSP Scanner)
+10038	IGNORE	(Content Security Policy (CSP) Header Not Set)
+10105	WARN	(Weak Authentication Method)
+10202	WARN	(Absence of Anti-CSRF Tokens)
+2	WARN	(Private IP Disclosure)
+3	WARN	(Session ID in URL Rewrite)
+50001	WARN	(Script Passive Scan Rules)
+90001	WARN	(Insecure JSF ViewState)
+90011	WARN	(Charset Mismatch)
+90022	WARN	(Application Error Disclosure)
+90030	WARN	(WSDL File Passive Scanner)
+90033	WARN	(Loosely Scoped Cookie)
+
+# Ignore no-cache header warnings on TLS
+10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+
+# Ignore cached pages that don't initiate a session and don't need CSRF tokens.
+# Commenting them out as they are Drupal-specific, and we want a flag to enable them.
+#10202	OUTOFSCOPE	http://web/
+#10202	OUTOFSCOPE	http://web
+#10202	OUTOFSCOPE	http://web/user/login
+#10202	OUTOFSCOPE	http://web/user/password
+#90022	OUTOFSCOPE	http://web/user/login
+#10016	OUTOFSCOPE	http://web/sitemap.xml
diff --git a/pages.txt b/pages.txt
new file mode 100644
index 0000000..b498fd4
--- /dev/null
+++ b/pages.txt
@@ -0,0 +1 @@
+/