diff --git a/.github/workflows/build_push_dev.yml b/.github/workflows/build_push_dev.yml
index d32bf1a..8b186cc 100644
--- a/.github/workflows/build_push_dev.yml
+++ b/.github/workflows/build_push_dev.yml
@@ -32,7 +32,7 @@ jobs:
push: true
tags: maibornwolff/secobserve-scanners:dev
- - name: Build and push OWASP ZAP
+ name: Build and push ZAP
uses: docker/build-push-action@v5
with:
context: .
diff --git a/.github/workflows/build_push_latest.yml b/.github/workflows/build_push_latest.yml
index d5bd832..6cd0934 100644
--- a/.github/workflows/build_push_latest.yml
+++ b/.github/workflows/build_push_latest.yml
@@ -43,7 +43,7 @@ jobs:
build-args: VERSION=${{ github.event.inputs.release }}
- - name: Build and push OWASP ZAP
+ name: Build and push ZAP
uses: docker/build-push-action@v5
with:
context: .
diff --git a/README.md b/README.md
index 35b6918..dcda40d 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ It consists of 2 major components:
| [Gitleaks](https://gitleaks.io) | `actions/secrets/gitleaks` | `templates/secrets/gitleaks.yml` | [MIT](https://github.com/gitleaks/gitleaks/blob/master/LICENSE) |
| [CryptoLyzer](https://gitlab.com/coroner/cryptolyzer) | `actions/DAST/cryptolyzer` | `templates/DAST/cryptolyzer.yml` | [MPL 2.0](https://gitlab.com/coroner/cryptolyzer/-/blob/master/LICENSE.txt) |
| [DrHeader](https://github.com/Santandersecurityresearch/DrHeader) | `actions/DAST/drheader` | `templates/DAST/drheader.yml` | [MIT](https://github.com/Santandersecurityresearch/DrHeader/blob/master/LICENSE) |
-| [OWASP ZAP](https://github.com/zaproxy/zaproxy) | `actions/DAST/owasp_zap` | `templates/DAST/owasp_zap.yml` | [Apache 2.0](https://github.com/zaproxy/zaproxy/blob/main/LICENSE) |
+| [ZAP](https://github.com/zaproxy/zaproxy) | `actions/DAST/zap` | `templates/DAST/zap.yml` | [Apache 2.0](https://github.com/zaproxy/zaproxy/blob/main/LICENSE) |
All GitHub actions and GitLab CI templates use a pre-built Docker image that contains all scanners and the SecObserve importer.
diff --git a/actions/DAST/owasp_zap/action.yaml b/actions/DAST/zap/action.yaml
similarity index 93%
rename from actions/DAST/owasp_zap/action.yaml
rename to actions/DAST/zap/action.yaml
index d8901f9..671b69c 100644
--- a/actions/DAST/owasp_zap/action.yaml
+++ b/actions/DAST/zap/action.yaml
@@ -1,5 +1,5 @@
-name: 'SecObserve OWASP ZAP'
-description: 'Scans web sites and APIs with OWASP ZAP'
+name: 'SecObserve ZAP'
+description: 'Scans web sites and APIs with ZAP'
author: 'MaibornWolff'
inputs:
@@ -44,7 +44,7 @@ inputs:
runs:
using: 'docker'
image: 'docker://maibornwolff/secobserve-scanners-zap:latest'
- entrypoint: '/entrypoints/entrypoint_owasp_zap.sh'
+ entrypoint: '/entrypoints/entrypoint_zap.sh'
env:
TARGET: ${{ inputs.target }}
REPORT_NAME: ${{ inputs.report_name }}
diff --git a/dev/actions/DAST/owasp_zap/action.yaml b/dev/actions/DAST/zap/action.yaml
similarity index 93%
rename from dev/actions/DAST/owasp_zap/action.yaml
rename to dev/actions/DAST/zap/action.yaml
index d8901f9..671b69c 100644
--- a/dev/actions/DAST/owasp_zap/action.yaml
+++ b/dev/actions/DAST/zap/action.yaml
@@ -1,5 +1,5 @@
-name: 'SecObserve OWASP ZAP'
-description: 'Scans web sites and APIs with OWASP ZAP'
+name: 'SecObserve ZAP'
+description: 'Scans web sites and APIs with ZAP'
author: 'MaibornWolff'
inputs:
@@ -44,7 +44,7 @@ inputs:
runs:
using: 'docker'
image: 'docker://maibornwolff/secobserve-scanners-zap:latest'
- entrypoint: '/entrypoints/entrypoint_owasp_zap.sh'
+ entrypoint: '/entrypoints/entrypoint_zap.sh'
env:
TARGET: ${{ inputs.target }}
REPORT_NAME: ${{ inputs.report_name }}
diff --git a/dev/templates/DAST/owasp_zap.yml b/dev/templates/DAST/zap.yml
similarity index 85%
rename from dev/templates/DAST/owasp_zap.yml
rename to dev/templates/DAST/zap.yml
index 9031dfb..094742a 100644
--- a/dev/templates/DAST/owasp_zap.yml
+++ b/dev/templates/DAST/zap.yml
@@ -1,4 +1,4 @@
-.owasp_zap:
+.zap:
image:
name: maibornwolff/secobserve-scanners-zap:dev
stage: post_deploy
@@ -8,7 +8,7 @@
SCRIPT: "zap-baseline.py"
SO_UPLOAD: "true"
script:
- - /entrypoints/entrypoint_owasp_zap.sh
+ - /entrypoints/entrypoint_zap.sh
interruptible: true
allow_failure: true
artifacts:
diff --git a/docker/Dockerfile b/docker/Dockerfile
index c1251a0..92d36e3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,5 +1,5 @@
# Python build stage
-FROM python:3.11.5-alpine as python-build-stage
+FROM python:3.12.1-alpine as python-build-stage
# Install gcc to be able to compile wheels for python packages
RUN apk add --no-cache gcc musl-dev python3-dev
@@ -22,12 +22,12 @@ RUN wget --no-verbose https://github.com/Checkmarx/kics/archive/refs/tags/v${KIC
&& go build -o ./bin/kics cmd/console/main.go
# Python run stage
-FROM python:3.11.5-alpine as python-run-stage
+FROM python:3.12.1-alpine as python-run-stage
ARG GITLEAKS_VERSION=8.18.1
-ARG GRYPE_VERSION=0.73.4
+ARG GRYPE_VERSION=0.73.5
ARG KICS_VERSION=1.7.12
-ARG TRIVY_VERSION=0.48.1
+ARG TRIVY_VERSION=0.48.2
ARG TFSEC_VERSION=1.28.4
# Install openssl-dev because libcrypto is needed for CryptoLyzer
@@ -41,7 +41,7 @@ RUN pip install --no-cache-dir --no-index --find-links=/wheels/ /wheels/* \
&& rm -rf /wheels/ && rm -rf /tmp
# Hack because Python's find_library doesn't work on Alpine
-RUN sed -i -e "s|get_library('crypto', 'libcrypto\.dylib', '42')|'/usr/lib/libcrypto\.so'|g" /usr/local/lib/python3.11/site-packages/oscrypto/_openssl/_libcrypto_cffi.py
+RUN sed -i -e "s|get_library('crypto', 'libcrypto\.dylib', '42')|'/usr/lib/libcrypto\.so'|g" /usr/local/lib/python3.12/site-packages/oscrypto/_openssl/_libcrypto_cffi.py
# copy and install precompiled DrHeader library and rules
COPY docker/drheader/drheader-1.7.0-py2.py3-none-any.whl docker/drheader/rules.yml ./
diff --git a/docker/requirements.txt b/docker/requirements.txt
index bf5b16b..19f1186 100644
--- a/docker/requirements.txt
+++ b/docker/requirements.txt
@@ -5,11 +5,11 @@ bandit-sarif-formatter==1.1.1 # https://github.com/microsoft/bandit-sarif-forma
# Checkov
# ----------------------------------------------------------------
-checkov==3.1.40 # https://github.com/bridgecrewio/checkov
+checkov==3.1.53 # https://github.com/bridgecrewio/checkov
# Semgrep
# ----------------------------------------------------------------
-semgrep==1.54.1 # https://github.com/returntocorp/semgrep
+semgrep==1.55.1 # https://github.com/returntocorp/semgrep
# CryptoLyzer
# ----------------------------------------------------------------
diff --git a/docker_zap/Dockerfile b/docker_zap/Dockerfile
index 1660e97..61beca8 100644
--- a/docker_zap/Dockerfile
+++ b/docker_zap/Dockerfile
@@ -1,5 +1,5 @@
# Python run stage
-FROM owasp/zap2docker-stable:2.14.0
+FROM softwaresecurityproject/zap-stable:2.14.0
# Install importer
COPY importer/ /usr/local/importer/
diff --git a/docker_zap/entrypoints/entrypoint_owasp_zap.sh b/docker_zap/entrypoints/entrypoint_zap.sh
similarity index 93%
rename from docker_zap/entrypoints/entrypoint_owasp_zap.sh
rename to docker_zap/entrypoints/entrypoint_zap.sh
index aca322b..504a052 100755
--- a/docker_zap/entrypoints/entrypoint_owasp_zap.sh
+++ b/docker_zap/entrypoints/entrypoint_zap.sh
@@ -12,10 +12,10 @@ else
fi
export SO_FILE_NAME="${REPORT_NAME}"
-export SO_PARSER_NAME="OWASP ZAP"
+export SO_PARSER_NAME="ZAP"
echo ----------------------------------------
-echo OWASP ZAP
+echo ZAP
echo - TARGET: "$TARGET"
echo - REPORT_NAME: "$REPORT_NAME"
echo - SCRIPT: "$SCRIPT"
diff --git a/templates/DAST/owasp_zap.yml b/templates/DAST/zap.yml
similarity index 85%
rename from templates/DAST/owasp_zap.yml
rename to templates/DAST/zap.yml
index 98035bd..e712074 100644
--- a/templates/DAST/owasp_zap.yml
+++ b/templates/DAST/zap.yml
@@ -1,4 +1,4 @@
-.owasp_zap:
+.zap:
image:
name: maibornwolff/secobserve-scanners-zap:latest
stage: post_deploy
@@ -8,7 +8,7 @@
SCRIPT: "zap-baseline.py"
SO_UPLOAD: "true"
script:
- - /entrypoints/entrypoint_owasp_zap.sh
+ - /entrypoints/entrypoint_zap.sh
interruptible: true
allow_failure: true
artifacts:
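Review bot: The replacement base image on the `FROM softwaresecurityproject/zap-stable:2.14.0` line is pulled by a mutable tag from a registry namespace this Dockerfile did not use before, so anything later pushed under that tag, or a takeover of the namespace, silently changes what `maibornwolff/secobserve-scanners-zap` ships with nothing in this repository to flag it. Pin the digest next to the tag, `FROM softwaresecurityproject/zap-stable:2.14.0@sha256:<digest you verified from the publisher>`, and add a comment above it recording where the digest was taken from so the next bump can be checked the same way. The `# Python run stage` comment kept above the FROM looks copied from docker/Dockerfile and no longer describes this image; `# ZAP run stage (the importer is copied on top of the upstream ZAP image)` would match what the hunk shows.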
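Review bot: The value of `SO_PARSER_NAME` is not a cosmetic label: it is exported for the importer that runs after this block (the `SO_` prefix and the `SO_UPLOAD` variable in the CI templates point that way), so changing it from "OWASP ZAP" to "ZAP" changes the parser identifier the SecObserve backend receives, and images built from this commit will fail to import or match the wrong parser if the backend still registers the parser under the old name. Confirm the backend-side rename is deployed before this image is published as `latest`, or keep the old value until it is, and document the coupling on the export line: `export SO_PARSER_NAME="ZAP"  # must match the parser name registered in the SecObserve backend`. The if/else that this hunk closes with `fi` starts before the hunk.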