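# OWASP ZAP Automation Framework Configuration
# Complete automation workflow for web application security testing
#
# Run with:  zap.sh -cmd -autorun zap_automation.yaml
# Environment variables the plan substitutes as ${VAR}:
#   TARGET_URL, LOGIN_URL, TEST_USERNAME, TEST_PASSWORD, REPORT_DIR,
#   OPENAPI_SPEC_FILE (only if the openapi job is kept).
#
# SAFETY: the activeScan job runs authenticated, submits forms and sends
# injection payloads. Point TARGET_URL only at a test/staging instance you
# are authorised to attack, with a throwaway account in TEST_USERNAME.
#
# Validate the plan with `zap.sh -cmd -autorun <file>` (or the AF "Plan"
# panel in the desktop UI) before wiring it into a pipeline.
---
env:
  contexts:
    - name: WebApp-Security-Scan
      urls:
        - ${TARGET_URL}
      # Include/exclude entries are Java regexes, not globs. If TARGET_URL
      # contains regex metacharacters ('?', '+', ...), escape them here.
      includePaths:
        - ${TARGET_URL}.*
      # Keep the crawlers and the scanner away from anything that ends the
      # test session (an authenticated scan would otherwise silently carry
      # on unauthenticated) and away from static assets that only add noise.
      # Single quotes keep the backslash literal: the original plain scalars
      # `.*\\.css` were regexes for a literal backslash and never matched.
      excludePaths:
        - '.*logout.*'
        - '.*signout.*'
        - '.*\.css'
        - '.*\.js'
        - '.*\.png'
        - '.*\.jpg'
        - '.*\.gif'
        - '.*\.svg'
      authentication:
        method: form
        parameters:
          loginUrl: ${LOGIN_URL}
          # {%username%} / {%password%} are replaced from the user's credentials.
          loginRequestData: username={%username%}&password={%password%}
        verification:
          method: response
          # \Q...\E quotes the literal. Use strings that appear only on the
          # logged-in / logged-out variant of the page, or ZAP cannot tell
          # that the session was lost mid-scan.
          loggedInRegex: '\QWelcome\E'
          loggedOutRegex: '\QLogin\E'
      sessionManagement:
        method: cookie
        # NOTE(review): sessionCookieName is kept from the original, but I
        # could not find it as a parameter of the cookie method - confirm it
        # is honoured by your ZAP version, otherwise it is silently ignored.
        parameters:
          sessionCookieName: JSESSIONID
      users:
        - name: test-user
          credentials:
            username: ${TEST_USERNAME}
            password: ${TEST_PASSWORD}
  parameters:
    # failOnError aborts the whole plan on the first failing job - see the
    # notes on the openapi, spiderAjax and SARIF report jobs below.
    failOnError: true
    failOnWarning: false
    progressToStdout: true
  vars:
    target_url: ${TARGET_URL}
    # The original also carried `api_key: ${ZAP_API_KEY}` here. No job reads
    # it, and the API key belongs on the daemon (-config api.key=...), not
    # in a plan file that is committed and echoed, so it was dropped.

jobs:
  # Keep add-ons (and therefore scan rules) current.
  # NOTE(review): the original used `type: environment`, which is not an AF
  # job type I can find; `addOns` is the job that accepts updateAddOns.
  - type: addOns
    parameters:
      updateAddOns: true

  # Alert filters apply to alerts raised after they are defined, so they come
  # before any crawling or scanning. deleteGlobalAlerts sat on the original
  # "environment" job; it is a parameter of this job.
  - type: alertFilter
    parameters:
      deleteGlobalAlerts: true
    alertFilters:
      # 10021 (X-Content-Type-Options missing) is noise on static assets/CDN.
      - ruleId: 10021
        newRisk: Info
        context: WebApp-Security-Scan
        url: '.*\.css|.*\.js|.*cdn\..*'
        # Without urlRegex the url is compared literally and never matches.
        urlRegex: true
      # 10096 (Timestamp Disclosure) on API fields that really are timestamps.
      # Redundant while 10096 is disabled in passiveScan-config below; keep it
      # for the case where that rule is re-enabled.
      - ruleId: 10096
        newRisk: Info
        context: WebApp-Security-Scan
        url: '.*api\..*'
        urlRegex: true
        parameter: 'created_at|updated_at|timestamp'
        parameterRegex: true

  # Passive-scan settings govern traffic seen after this point, so configure
  # them before crawling (the original ran this job after the spiders).
  - type: passiveScan-config
    parameters:
      maxAlertsPerRule: 10
      scanOnlyInScope: true
      enableTags: true
    rules:
      # NOTE(review): the original used `disableRules: [10096]`, which is not
      # a passiveScan-config parameter I can find; a rule is disabled by
      # setting its threshold to Off. Quoted because bare `Off` is a YAML 1.1
      # boolean (false) to some parsers.
      - id: 10096  # Timestamp Disclosure (informational)
        threshold: 'Off'

  # Import the OpenAPI definition so endpoints the crawlers cannot discover
  # are in scope. Only one of apiFile/apiUrl should be set; the original set
  # both, with apiUrl pointing at the application root rather than a spec
  # URL, so only apiFile is kept. If the spec is served by the app, replace
  # apiFile with `apiUrl: <spec URL>`.
  # Under failOnError: true an unresolved ${OPENAPI_SPEC_FILE} makes this job
  # error and abort the plan; the original `optional: true` is not a job key
  # I can find in the AF schema. Remove or disable the job if there is no spec.
  - type: openapi
    parameters:
      apiFile: ${OPENAPI_SPEC_FILE}
      targetUrl: ${TARGET_URL}
      context: WebApp-Security-Scan

  # Traditional spider, authenticated.
  - type: spider
    parameters:
      context: WebApp-Security-Scan
      user: test-user
      maxDuration: 10  # minutes
      maxDepth: 5
      maxChildren: 10
      acceptCookies: true
      handleODataParametersVisited: true
      parseComments: true
      parseRobotsTxt: true
      parseSitemapXml: true
      parseSVNEntries: true
      parseGit: true
      # postForm submits discovered forms - another reason logout/signout are
      # excluded from the context above.
      postForm: true
      processForm: true
      requestWaitTime: 200  # milliseconds between requests

  # AJAX spider for JavaScript-driven navigation. Needs the configured
  # browser reachable by ZAP; if it is not, the job errors and failOnError
  # aborts the plan (the original `optional: true` is not an AF job key I can
  # find), so disable the job rather than expecting it to be skipped.
  - type: spiderAjax
    parameters:
      context: WebApp-Security-Scan
      user: test-user
      maxDuration: 10  # minutes
      maxCrawlDepth: 5
      numberOfBrowsers: 2
      browserId: firefox-headless
      clickDefaultElems: true
      clickElemsOnce: true
      eventWait: 1000   # milliseconds
      reloadWait: 1000  # milliseconds

  # Let passive scanning catch up on the crawled traffic.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5  # minutes

  # Authenticated active scan. Sends attack payloads and writes to the
  # application; never run this against production.
  - type: activeScan
    parameters:
      context: WebApp-Security-Scan
      user: test-user
      maxRuleDurationInMins: 5
      maxScanDurationInMins: 30
      addQueryParam: false
      delayInMs: 0
      handleAntiCSRFTokens: true
      injectPluginIdInHeader: false
      scanHeadersAllRequests: false
      threadPerHost: 2
    # Scan policy. The original declared this under a top-level `policies:`
    # key, which the AF does not read as far as I can tell, so the injection
    # rules below were never raised above the built-in defaults. Defining the
    # policy inline on the job makes it take effect; `policy`/`defaultPolicy:
    # Default Policy` were dropped because policyDefinition supersedes them.
    # Rules not listed get defaultStrength/defaultThreshold.
    policyDefinition:
      defaultStrength: Medium
      defaultThreshold: Medium
      rules:
        - id: 40018  # SQL Injection
          strength: High
          threshold: Low
        - id: 40012  # Cross-Site Scripting (Reflected)
          strength: High
          threshold: Low
        - id: 40014  # Cross-Site Scripting (Persistent)
          strength: High
          threshold: Low
        - id: 90019  # Server-Side Code Injection
          strength: High
          threshold: Low
        - id: 90020  # Remote OS Command Injection
          strength: High
          threshold: Low

  # Wait for active scanning to complete
  - type: activeScan-wait

  # Reports.
  # NOTE(review): the AF's default reportFile pattern carries no extension,
  # which suggests ZAP appends the template's extension itself; if the files
  # come out as security-report.html.html, drop the extensions here.
  - type: report
    parameters:
      template: traditional-html
      reportDir: ${REPORT_DIR}
      reportFile: security-report.html
      reportTitle: Web Application Security Assessment
      reportDescription: Automated DAST scan using OWASP ZAP
      displayReport: false
  - type: report
    parameters:
      template: traditional-json
      reportDir: ${REPORT_DIR}
      reportFile: security-report.json
      reportTitle: Web Application Security Assessment
  - type: report
    parameters:
      template: traditional-xml
      reportDir: ${REPORT_DIR}
      reportFile: security-report.xml
      reportTitle: Web Application Security Assessment
  # SARIF for code-scanning integrations. If the sarif-json template is not
  # installed this job errors and aborts the plan under failOnError; the
  # original `optional: true` is not an AF job key I can find.
  - type: report
    parameters:
      template: sarif-json
      reportDir: ${REPORT_DIR}
      reportFile: security-report.sarif
      reportTitle: Web Application Security Assessment (SARIF)

  # Nothing here fails the pipeline on findings: ZAP exits 0 as long as the
  # jobs themselves ran. Add an `exitStatus` job (errorLevel/warnLevel) if
  # the CI run should fail on High/Medium alerts.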