Klagarge/MSE-CyberSec-DevSecOps
1
0
Fork 0
Code Issues Pull Requests Releases Activity

refactor: removed unused code

Browse Source 
docs: added answer for Q3.4
Signed-off-by: Klagarge <remi@heredero.ch>
This commit is contained in:
Rémi Heredero
2025-04-14 12:58:46 +02:00
parent b170eecb16
commit 355865586f
2 changed files with 15 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docs/questions-part3.md
View File

@@ -2,7 +2,7 @@
## Part 3
- **Q3.1**: Setup your CI/CD pipeline with an additional SAST solution. I propose that you use `semgrep` for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/
- **Q3.1**: Setup your CI/CD pipeline with an additional SAST solution. I propose that you use `semgrep` for this task. Get your inspiration here: https://semgrep.dev/for/gitlab and https://docs.gitlab.com/ee/user/application_security/sast/
- **Q3.2**: Describe the found problems (alerts) in the `calculator app` (in the original code, git tag `v3.0`)
- **Q3.3**: Install DAST OWASP ZAP on your host or in a Docker. Play with OWASP ZAP, analyze the calculator code
- **Q3.4**: Implement a DAST solution in your pipeline. Get some inspiration here https://docs.gitlab.com/ee/user/application_security/dast/ . Describe what you have integrated in your pipeline. *Note: you must ensure that your application is running while you are testing!*
@@ -14,7 +14,7 @@
## Q3.2
For some reasons, semgrep works locally, but not on GitLab. Here is the report when runned locally.
For some reasons, semgrep works locally, but not on GitLab. Here is the report when runned locally.
![SAST-report](figures/SAST-report.png)
@@ -22,4 +22,14 @@ For some reasons, semgrep works locally, but not on GitLab. Here is the report w
After performing a scan, we can see a few alerts as seen on this screenshot :
![alt text](figures/OWASP-ZAP.png)
![alt text](figures/OWASP-ZAP.png)
## Q3.4
The integrate DAST in Github doesn't work on our version, we need the _Ultimate_ version of GitLab selfhosted.
We create a new Docker image for the application. This image auto launch the flask app when the container is started.
We used this image as a service for the DAST stage on our CI.
The stage use zaproxy to test the application. Warning do not return wailure, so the stage pass if no error is found by the OWASP ZAP.
We don't understand why the stage fail when we try to provide the html report as artifact. So if the stage fail, we can see the error in the logs.