🔐 ZAP Dynamic Scanning Lab: Automating Security Scans in GitLab CI/CD
As part of my upskilling in secure DevOps, I completed a hands-on lab focused on integrating the ZAP (Zed Attack Proxy) dynamic scanning tool with GitLab CI/CD. The project, called BrokenCrystals, is a vulnerable application designed to simulate real-world security scenarios and help reinforce best practices in automated vulnerability scanning.
🧰 Tools & Technologies Used
- ZAP (Zed Attack Proxy) for Dynamic Application Security Testing (DAST)
- GitLab CI/CD for pipeline automation
- Docker for containerized scanning environments
- YAML & GitLab Web IDE
- OWASP Top 10 Vulnerabilities
- Dynamic Web Application Scanning Techniques
🎯 Project Goals
- Integrate ZAP dynamic scanning with GitLab CI/CD to automatically scan deployed applications
- Identify vulnerabilities like Cross-Site Scripting (XSS), Remote File Inclusion (RFI), and insecure HTTP headers
- Use ZAP's automated scanning and reporting features to reduce manual security testing overhead
- Map vulnerabilities to OWASP Top 10 categories such as A3 (Sensitive Data Exposure) and A7 (Cross-Site Scripting)
🧠 Key Skills Demonstrated
🔎 ZAP Integration in CI/CD
- Created a custom ZAP scan plan in YAML format for automated vulnerability testing
- Configured GitLab CI/CD pipeline to trigger dynamic scans post-deployment to the staging environment
- Used Docker containers to run the ZAP scanning engine in the GitLab pipeline
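Configuration for the setup described above, as an added example rather than the lab's own files: the staging hostname, the `deploy.sh` step and the file names are assumptions. The scan plan uses ZAP's Automation Framework (spider, passive scan, active scan, report) and the CI job runs it from the official ZAP container only after the staging deploy has finished.

```yaml
# --- zap-plan.yaml (Automation Framework plan, checked into the repo) ---
env:
  contexts:
    - name: "BrokenCrystals-staging"
      urls:
        - "https://staging.example.com"   # assumed staging hostname
  parameters:
    failOnError: true          # abort the run if a job itself errors out
    progressToStdout: true     # show progress in the CI job log
jobs:
  - type: spider               # crawl to discover pages and forms
    parameters:
      context: "BrokenCrystals-staging"
      maxDuration: 5           # minutes
  - type: passiveScan-wait     # passive rules flag missing CSP / X-Content-Type-Options
    parameters:
      maxDuration: 5
  - type: activeScan           # active rules cover reflected XSS and RFI checks
    parameters:
      context: "BrokenCrystals-staging"
      maxRuleDurationInMins: 5
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"   # written as zap-report.html
---
# --- .gitlab-ci.yml (DAST stage runs only after the staging deploy) ---
stages:
  - deploy
  - dast

deploy_staging:
  stage: deploy
  script:
    - ./deploy.sh staging      # placeholder for the lab's deploy step
  environment:
    name: staging
    url: https://staging.example.com

zap_dast:
  stage: dast
  image: ghcr.io/zaproxy/zaproxy:stable
  needs: ["deploy_staging"]    # never scan before the new build is live
  script:
    - /zap/zap.sh -cmd -autorun "$CI_PROJECT_DIR/zap-plan.yaml"
    - cp /zap/wrk/zap-report.html "$CI_PROJECT_DIR/"
  artifacts:
    when: always               # keep the report even when the scan finds issues
    paths:
      - zap-report.html
```

The HTML report is attached to the pipeline as an artifact so the findings can be reviewed per deployment; gating the pipeline on alert severity is a separate step the plan above does not enable.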
📊 Vulnerability Discovery & Prioritization
- Discovered XSS vulnerabilities due to lack of proper content security policies (CSP)
- Uncovered Remote File Inclusion (RFI) vulnerability that could be exploited for remote code execution
- Identified missing or misconfigured HTTP security headers, like Content-Security-Policy (CSP) and X-Content-Type-Options
🛠️ Secure Code Remediation
- Reviewed ZAP reports and identified vulnerable areas in the codebase
- Mitigated XSS by adding proper CSP headers to the application’s HTTP responses
- Closed the RFI vulnerability by sanitizing user inputs and preventing the inclusion of external URLs
🔐 Best Practices in Web App Security
- Configured ZAP’s active and passive scan strategies to maximize coverage and minimize false positives
- Used ZAP’s automated reporting to generate actionable insights on security vulnerabilities
- Leveraged GitLab CI/CD to automatically test for vulnerabilities on every deployment to staging
📈 Outcome
- Successfully automated dynamic security testing as part of the CI/CD pipeline
- Discovered and mitigated high-severity vulnerabilities like XSS and RFI
- Improved overall application security posture by implementing best practices like CSP headers
- Verified the effectiveness of security controls through ZAP’s comprehensive scan reports
💡 Takeaways
This exercise reinforced my practical skills in:
- Integrating dynamic application security testing (DAST) tools into CI/CD pipelines
- Automating vulnerability scanning to detect critical issues early in the development lifecycle
- Using ZAP to detect and remediate vulnerabilities in real-world applications
- Leveraging DevSecOps principles to shift security left and automate vulnerability detection