ZAP Pen Test Job
The E2E stage of the pipeline has a job called "pen test". This job executes a ZAP pen test against the deployed staging environment of your application. We run a baseline scan against your application to automatically detect common security problems from a black-box perspective. ZAP pen test reports are uploaded to the SonarQube project named < APP NAME >-staging-dso-mil-zap.
Limitations
The pen test job does not work for cross-IL situations (e.g., the code base is in IL2, but the application deploys to IL4). Any team in this situation needs to run the tests locally, save the results, and provide them to Cyber.
Requirements
We require development teams to fix all findings with a risk level greater than Low.
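As an added illustration of the baseline scan and the "greater than Low" requirement above (example code, not the pipeline's own job), the following gate reads a ZAP JSON report and fails when any alert is rated above Low. It assumes the report layout that zap-baseline.py writes with its -J option (a "site" list whose entries carry "alerts" with a string "riskcode" from "0" Informational to "3" High); the sample report, hostname and instance URIs are constructed.

```python
import json
import sys

# ZAP risk codes as they appear in the JSON report: "0" Informational, "1" Low, "2" Medium, "3" High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of a zap-baseline.py JSON report (-J); not output from a real scan.
SAMPLE_REPORT = {
    "@programName": "OWASP ZAP",
    "site": [{
        "@name": "https://app.staging.example.mil",
        "alerts": [
            {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "instances": [{"uri": "https://app.staging.example.mil/"}]},
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
             "instances": [{"uri": "https://app.staging.example.mil/login"}]},
            {"pluginid": "10027", "name": "Information Disclosure - Suspicious Comments",
             "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)",
             "instances": []},
        ],
    }],
}

def alerts_above(report: dict, max_allowed_risk: int = 1) -> list:
    """Return the alerts whose risk code exceeds max_allowed_risk (default 1: anything above Low)."""
    failing = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", "0"))  # riskcode is a string in the report
            if risk > max_allowed_risk:
                failing.append({"site": site.get("@name"), "pluginid": alert.get("pluginid"),
                                "name": alert.get("name"), "risk": RISK_NAMES.get(risk, str(risk)),
                                "instances": len(alert.get("instances", []))})
    return failing

def gate(report: dict, max_allowed_risk: int = 1) -> bool:
    """True when no alert exceeds the allowed risk; lists the offending alerts otherwise."""
    failing = alerts_above(report, max_allowed_risk)
    for f in failing:
        print(f"[{f['risk']}] {f['pluginid']} {f['name']}: {f['instances']} instance(s) on {f['site']}")
    return not failing

if __name__ == "__main__":
    # Usage: python zap_gate.py report.json ; with no argument the constructed sample is checked.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(0 if gate(report) else 1)
```

A non-zero exit is what a pipeline step would key on; the printed lines are what a team would take to the SonarQube finding when requesting an exception.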
Exceptions
If you believe the findings are invalid or false positives, please comment on the finding in SonarQube with your reasoning and then create a help desk ticket to have the exception granted: SonarQube/Fortify Whitelist Request