ZAP Pen Test Job
Overview
Use this document to understand the ZAP penetration testing job executed within the CI/CD pipeline.
The E2E stage includes a “pen test” job that runs an OWASP ZAP scan against the deployed staging environment of your application. The job performs a ZAP baseline scan, which spiders the target and passively inspects the responses without actively attacking the application, to automatically detect common security problems from a black-box perspective.
Scan results are automatically generated and uploaded to SonarQube under the project: < APP NAME >-staging-dso-mil-zap.
Requirements
Product teams are required to fix all issues rated higher than Low (Medium or High on ZAP's risk scale).
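A check a team can run on a ZAP JSON report to see what the requirement covers, as an added example that is not part of the pipeline or of this page: it lists the findings rated above Low and exits non-zero when any exist. It assumes the report shape that zap-baseline.py writes with its -J option; the sample report and its target URL are constructed.

```python
# Gate a ZAP JSON report against the rule "fix every finding rated above Low".
# Assumption: the report is the JSON that zap-baseline.py writes with -J, shaped as
# {"site": [{"@name": ..., "alerts": [{"alert": ..., "riskcode": "0".."3", ...}]}]}
# where riskcode 0=Informational, 1=Low, 2=Medium, 3=High.
import json

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
LOW = 1  # findings strictly above this level must be fixed

def findings_above(report: dict, threshold: int = LOW) -> list[dict]:
    """Alerts with riskcode strictly greater than threshold, highest risk first."""
    out = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))  # ZAP stores it as a string
            if risk > threshold:
                out.append({
                    "site": site.get("@name", ""),
                    "risk": RISK_NAMES.get(risk, str(risk)),
                    "riskcode": risk,
                    "alert": alert.get("alert", ""),
                    "urls": [i.get("uri", "") for i in alert.get("instances", [])],
                })
    return sorted(out, key=lambda f: -f["riskcode"])

def gate(report_json: str) -> tuple[bool, list[dict]]:
    """Parse report text; return (passes, findings that block the requirement)."""
    blocking = findings_above(json.loads(report_json))
    return (len(blocking) == 0, blocking)

# Constructed sample report (not a real scan) with one alert at each of three levels;
# the target name is a placeholder.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://staging.example.invalid",
    "alerts": [
        {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "instances": [{"uri": "https://staging.example.invalid/"}]},
        {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
         "instances": [{"uri": "https://staging.example.invalid/"},
                       {"uri": "https://staging.example.invalid/login"}]},
        {"alert": "Information Disclosure - Suspicious Comments", "riskcode": "0",
         "instances": [{"uri": "https://staging.example.invalid/app.js"}]},
    ],
}]})

if __name__ == "__main__":
    ok, blocking = gate(SAMPLE_REPORT)
    for f in blocking:
        print(f"{f['risk']}: {f['alert']} on {len(f['urls'])} URL(s)")
    raise SystemExit(0 if ok else 1)  # non-zero exit is what a CI job would act on
```

Point it at a real report with `gate(open("report.json").read())`; only the Medium finding in the sample blocks, because Low and Informational are outside the requirement.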
Limitations
Pen Test does not work for cross-IL situations (e.g., code base in IL2, but deploying to IL4).
Any team in this situation needs to run their tests locally, save the results, and provide them to Cyber.
Exceptions
If you believe the findings are invalid or false positives, comment on each finding in SonarQube with your reasoning, then submit a SonarQube/Dependency Check/Pentest Whitelist Request to the Help Desk to have the exception granted.