This post is about OWASP ZAP to your build / release pipeline with Azure DevOps. OWASP ZAP is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.
In this post I am creating a build pipeline which is scheduled to run every week. And the pipeline will run OWASP ZAP against the application and generate results. This results will converted to XUnit format XML and displayed as part of test results in the build results.
Here is the screenshot of the DevOps pipeline.
And here is the YAML code.
And here is the test results from the build pipeline.
There is lot options you can configure and control in OWAZP ZAP docker. In this post I am using standard ZAP options. You can do a complete ZAP Scan or Quick scan depends on your project. You can find more details about ZAP docker implementation on GitHub