Using OWASP ZAP in Argo CD
- priyankaraghavan
- Aug 4
I was introduced to Argo when a platform team within my company started working with it. The switch was made to Argo because Jenkins was not scalable and kept timing out. Argo CD is a declarative continuous delivery tool for Kubernetes. You can read more about Argo here. Argo CD is open source and the infrastructure team was very happy with its adaptability, so many teams within my company were onboarded onto it.


As most teams had transitioned to Argo CD, if I wanted my development teams to start using OWASP ZAP for DAST testing in development/testing environments, I would need to start integrating ZAP into Argo.
As mentioned earlier, Argo is declarative and YAML is used to describe the different steps in the pipeline. “Steps” could be “tasks” in Azure DevOps or “Stages” in Jenkins.
The ZAP team does a great job of creating weekly Docker images of the ZAP proxy to use in CI/CD. Therefore the job was to run the Docker image in Argo and publish the results. As different members of the team wanted to look at the results of the ZAP run, a Python script was written to upload the results to an Azure blob.
These are the steps that I performed in order to run ZAP on Argo:
- Fetch the code for ZAP from GitHub: https://github.com/zaproxy/zaproxy
- Modify Dockerfile-weekly and add the Python libraries for writing to an Azure blob.
- Use the Dockerfile to create a Docker image that can then be used in Argo: https://hub.docker.com/r/priyankaraghavan/zap-weekly-install-azureblob
- In Argo, as one knows, steps are created based on templates. Below is a code snippet of how to create a step that can run on Argo.
- The results produced were uploaded to an Azure blob by a simple Python script.
- The final step was to commit these changes in Bitbucket to trigger Argo. As you can see in the picture below, ZAP runs as a part of it.
There you have it, our favourite DAST tool in Argo!




Argo in action
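The post does not show the upload script, so the following is an added example of that step, not the author's code. It uploads the ZAP reports to an Azure blob container with the `azure-storage-blob` SDK; the environment variable names, the `zap-reports` container name and the blob naming scheme are assumptions, and `/zap/wrk` is the directory the ZAP Docker scripts write reports to.

```python
"""Upload ZAP reports to Azure Blob Storage (added example, not the author's script)."""
import os
import re
import sys
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import urlparse

REPORT_SUFFIXES = {".html", ".json", ".xml", ".md"}  # formats the ZAP scan scripts can emit


def blob_name(target_url, report, now=None):
    """Build <host>/<UTC timestamp>/<file> so every pipeline run gets its own prefix."""
    host = urlparse(target_url).hostname or "unknown-target"
    host = re.sub(r"[^A-Za-z0-9.-]", "_", host)  # keep the blob path predictable
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    return f"{host}/{stamp}/{Path(report).name}"


def upload_reports(container, report_dir, target_url, now=None):
    """Upload every report file in report_dir; return the blob names written."""
    now = now or datetime.now(timezone.utc)
    uploaded = []
    for report in sorted(Path(report_dir).iterdir()):
        if not report.is_file() or report.suffix.lower() not in REPORT_SUFFIXES:
            continue  # skip logs, config and anything else in the work dir
        name = blob_name(target_url, report, now)
        with report.open("rb") as fh:
            # overwrite=False: an earlier run's findings are never silently replaced
            container.upload_blob(name=name, data=fh, overwrite=False)
        uploaded.append(name)
    return uploaded


def main():
    # Imported here so the helpers above can be exercised without the SDK installed.
    from azure.storage.blob import BlobServiceClient
    # Assumed variable names. Inject them into the Argo step from a Kubernetes
    # Secret; do not bake the storage credential into the Docker image.
    conn = os.environ["AZURE_STORAGE_CONNECTION_STRING"]
    target = os.environ["ZAP_TARGET"]
    container_name = os.environ.get("ZAP_REPORT_CONTAINER", "zap-reports")
    container = BlobServiceClient.from_connection_string(conn).get_container_client(container_name)
    names = upload_reports(container, "/zap/wrk", target)
    if not names:
        sys.exit("no ZAP reports found in /zap/wrk")
    print("\n".join(names))


if __name__ == "__main__":
    main()
```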