Short Description
Provide an image exposing several web application security scanners so that the image can be used as a command-line tool.
Full Description

Objective

Docker build file providing an image that exposes several web application security scanners so that the image can be used as a command-line tool.

Motivation

The final goal is to use the Docker image to integrate web application security scanners into a Continuous Integration platform.

Note

ZAP has been removed because the project already provides a really good Docker image with CI/CD integration.

Image

Location

An automated build has been defined on the Docker forge to build the image and push it to the Docker Hub repository.

The docker image name is righettod/docker-webappsecscanbox.

Run command example

Call syntax:

mkdir /tmp/reports
docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox [SCANNER_ID] [SCANNER_ARGS]

Note:

  • The --mount argument maps a folder between the host and the container, giving the scanner a location in which to write its results so that they can be retrieved from the host.
  • Create the folder on the Docker host before running the image if it does not already exist.

Display help:

docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox

Scan using Nikto

docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox NIK -host [TARGET_URL] \
           -F htm -output /home/auditor/nikto-scan.html

After the scan, the report will be available in the file /tmp/reports/nikto-scan.html on the Docker Host.

Scan using Arachni

# Run the scan
docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox ARS [TARGET_URL] \
           --report-save-path=/home/auditor/arachni_scan.afr
# Generate the report (here in HTML)
docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox ARR /home/auditor/arachni_scan.afr \
           --report=html:outfile=/home/auditor/arachni_scan_result.zip

After the second command, the report will be available in the file /tmp/reports/arachni_scan_result.zip on the Docker Host.

Scan using TestSSL

docker run --mount type=bind,src=/tmp/reports,dst=/home/auditor righettod/webappsecscanbox TLS [TARGET_URL]

After the scan, the report will be available in the file /tmp/reports/testssl_scan.html on the Docker Host.
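The commands above are meant to be run from a CI job; the wrapper below is an added example (not part of the project) that chains the Nikto, Arachni and TestSSL steps with the page's call syntax and fails the job when a scanner does not leave its report in the mounted folder. The image name, scanner IDs and report file names come from this page; the --rm flag, the REPORTS_DIR variable and the run_scan/scan_all function names are my own choices.

```shell
#!/bin/sh
# CI wrapper around righettod/webappsecscanbox (example, not the project's code).
# Assumes docker is on PATH and the current user may run containers.
set -eu

IMAGE="${IMAGE:-righettod/webappsecscanbox}"
REPORTS_DIR="${REPORTS_DIR:-/tmp/reports}"   # host side of the bind mount
CONTAINER_HOME="/home/auditor"               # container side, as used by the image

# run_scan SCANNER_ID EXPECTED_REPORT_NAME [SCANNER_ARGS...]
# Creates the host folder, runs one scanner and prints the host path of its
# report. Returns 1 if the report is missing or empty so the pipeline fails
# loudly instead of passing on a scan that never produced output.
run_scan() {
  local scanner_id="$1" report_name="$2"
  shift 2
  mkdir -p "$REPORTS_DIR"
  docker run --rm --mount "type=bind,src=${REPORTS_DIR},dst=${CONTAINER_HOME}" \
    "$IMAGE" "$scanner_id" "$@"
  if [ ! -s "${REPORTS_DIR}/${report_name}" ]; then
    echo "ERROR: ${scanner_id} did not write ${REPORTS_DIR}/${report_name}" >&2
    return 1
  fi
  echo "${REPORTS_DIR}/${report_name}"
}

# Full sequence from the page: Nikto, Arachni scan then report, TestSSL.
scan_all() {
  local target="$1"
  run_scan NIK nikto-scan.html -host "$target" -F htm \
    -output "${CONTAINER_HOME}/nikto-scan.html"
  run_scan ARS arachni_scan.afr "$target" \
    --report-save-path="${CONTAINER_HOME}/arachni_scan.afr"
  run_scan ARR arachni_scan_result.zip "${CONTAINER_HOME}/arachni_scan.afr" \
    --report=html:outfile="${CONTAINER_HOME}/arachni_scan_result.zip"
  run_scan TLS testssl_scan.html "$target"
}

# Usage from a CI job: sh scan.sh https://staging.example.test
if [ $# -eq 1 ]; then
  scan_all "$1"
fi
```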

Owner
righettod