digitransit-ui/security/zap.yml

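---
# ZAP Automation Framework plan for scanning the Digitransit GraphQL API.
#
# Runtime contract: TARGET_URL (the endpoint to scan) and SUBSCRIPTION_KEY
# (the API key) are expanded from the environment that runs ZAP, so the key
# never lives in this file. The schema and the report live under /zap/wrk.
#
# Layout follows the ZAP automation schema: for every job `parameters` holds
# the job options, while `rules` (replacer), `alertFilters` (alertFilter) and
# `risks`/`confidences`/`sections` (report) are siblings of `parameters`,
# not children of it.
env:
  contexts:
    - name: zap
      urls:
        - "${TARGET_URL}"
  parameters:
    # Abort the plan on a job error, but keep going on warnings so that a
    # noisy run still produces a report.
    failOnError: true
    failOnWarning: false
    progressToStdout: false

# Passive-only pipeline: there is no activeScan job, so findings are limited
# to what the passive rules observe in the traffic the GraphQL spider sends.
jobs:
  - type: replacer
    name: "Inject subscription key"
    parameters:
      # Keep any replacer rules already configured in the ZAP instance.
      deleteAllRules: false
    rules:
      # Sets the value of the `digitransit-subscription-key` request header
      # on requests ZAP sends.
      # NOTE(review): the rule has no URL restriction, so the key travels with
      # every request ZAP makes, including any off-target host reached via a
      # redirect or a URL referenced from the schema. If this replacer version
      # supports the rule-level `url` regex, scope the rule to the target host.
      - description: "Set subscription key"
        matchType: req_header
        matchString: "digitransit-subscription-key"
        matchRegex: false
        replacementString: "${SUBSCRIPTION_KEY}"

  - type: alertFilter
    name: "Filter out false positives and non-issues"
    parameters:
      # Drop whatever global alert filters the ZAP installation carries, so
      # the suppressions applied to this scan are exactly the ones listed here.
      deleteGlobalAlerts: true
    # Each filter re-rates a rule to "False Positive" instead of deleting the
    # alert; because the report job lists the `falsepositive` confidence, the
    # suppressed alerts stay visible in the report for audit.
    # Filters match on `ruleId`; `ruleName` is descriptive only.
    # Filters that target a Cloudflare cookie are scoped with `parameter` so
    # the same finding on a cookie set by the API itself is still reported.
    alertFilters:
      # Not an issue for the API endpoint being scanned.
      - ruleId: 10021
        ruleName: "X-Content-Type-Options Header Missing"
        newRisk: "False Positive"
      # Cloudflare limitation: _cfuvid is set by the CDN, not by the API.
      - ruleId: 10054
        ruleName: "Cookie Without SameSite Attribute"
        newRisk: "False Positive"
        parameter: _cfuvid
      # Cloudflare limitation.
      # NOTE(review): unlike the other Cloudflare entries this one is not
      # scoped to `_cfuvid`, so a loosely scoped cookie set by the API itself
      # would also be hidden. Add `parameter: _cfuvid` if this rule reports
      # the cookie name as its parameter, as 10054 does — confirm.
      - ruleId: 90033
        ruleName: "Loosely Scoped Cookie"
        newRisk: "False Positive"
      # Cloudflare limitation: this rule treats _cfuvid as a session token.
      # Kept scoped to the Cloudflare cookie (a second, unscoped 10112 entry
      # was removed: it suppressed every instance and made this scoped entry
      # dead) so that any other session token the API emits is still surfaced.
      - ruleId: 10112
        ruleName: "Session Management Response Identified"
        newRisk: "False Positive"
        parameter: _cfuvid
      # The numbers flagged by this rule are not actual timestamps.
      - ruleId: 10096
        ruleName: "Timestamp Disclosure - Unix"
        newRisk: "False Positive"
      # Works as intended.
      # NOTE(review): this entry and the next both use ruleId 50007, so as
      # written the second is a no-op duplicate, and whichever of the two
      # alerts is not actually 50007 is left unfiltered. Confirm the ids
      # against the GraphQL add-on's alert list (they may be distinct alert
      # references under the same plugin id).
      - ruleId: 50007
        ruleName: "GraphQL Circular Type Reference"
        newRisk: "False Positive"
      # Works as intended.
      - ruleId: 50007
        ruleName: "GraphQL Server Implementation Identified"
        newRisk: "False Positive"

  - type: graphql
    name: "GraphQL Spider"
    parameters:
      endpoint: "${TARGET_URL}"
      # The schema is read from a local file rather than via introspection;
      # it is expected to be present at this path before the run starts.
      schemaFile: "/zap/wrk/schema.graphqls"
      # Depth 1 for both queries and arguments is very shallow: fields and
      # argument objects nested deeper than one level are never exercised.
      # Presumably chosen to keep the run short — raise both if coverage
      # matters more than runtime.
      maxQueryDepth: 1
      maxArgsDepth: 1
      maxCycleDetectionAlerts: 10

  - type: passiveScan-wait
    name: "Wait for passive scan to finish"
    parameters:
      # Upper bound on how long to wait for the passive-scan queue to drain
      # (presumably minutes, as for the spider jobs — confirm).
      maxDuration: 10

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-report.html"
      reportTitle: "ZAP Scan for ${TARGET_URL}"
    # Every risk level, including informational, is reported.
    risks:
      - info
      - low
      - medium
      - high
    # `falsepositive` is listed on purpose: it keeps the alerts re-rated by
    # the alertFilter job in the report instead of silently dropping them.
    confidences:
      - falsepositive
      - low
      - medium
      - high
      - confirmed
    sections:
      - instancecount
      - alertdetails
      - alertcount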