-
Notifications
You must be signed in to change notification settings - Fork 66
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(stoneintg-1118): add guide for rapidast scan I.T.
Signed-off-by: jcullina <[email protected]>
- Loading branch information
Showing
2 changed files
with
60 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
59 changes: 59 additions & 0 deletions
59
docs/modules/ROOT/pages/how-tos/testing/integration/third-parties/rapidast.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| = RapiDAST | ||
|
|
||
| In this guide, you'll learn how to xref:/how-tos/testing/integration/adding.adoc[add a custom integration test] in {ProductName} that uses link:https://github.com/RedHatProductSecurity/rapidast[RapiDAST] as a third-party tool for dynamic application security testing. | ||
|
|
||
| .Prerequisites | ||
|
|
||
| . You have xref:/how-tos/creating.adoc[created an application] in {ProductName} | ||
|
|
||
| . You are familiar with link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#rapidast[RapiDAST documentation] | ||
|
|
||
| . You have chosen a RapiDAST configuration file and are ready, or have the necessary details, to complete one. Refer to the RapiDAST link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#configuration[documentation] for templates and examples. | ||
|
|
||
| . You have selected the scanner you want to use with RapiDAST, ZAP, Nessus or a generic scanner. Refer to the RapiDAST link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#exporting-to-google-cloud-storage[documentation] for available scanners and their configurations. | ||
|
|
||
| . You have access to a git repository containing the link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#an-openapi-schema[OpenAPI] specification of your application or another supported entry point (e.g., endpoints, spiders, etc.). | ||
|
|
||
| . Optional - You have access to link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#exporting-to-google-cloud-storage[Google Cloud Storage] to facilitate export and storage of scan results. | ||
|
|
||
| NOTE: The RapiDAST scan is intended to be used in testing environments, and should not be used on production systems. | ||
|
|
||
| .Procedure | ||
|
|
||
| Review the link:https://github.com/jenculltesting/rh-trex-test/blob/main/.tekton/rapidast-scan.yaml[sample integration test]. | ||
|
|
||
| Examine the following tasks/steps provided in the example. Create a new Tekton pipeline of your own that mimics these steps but is modified to fit the needs of your application. | ||
|
|
||
| . Provision Environment | ||
| + | ||
| - Create an ephemeral environment to deploy the application. | ||
|
|
||
| . Deploy Application (deploy-app) | ||
| + | ||
| - Use the provided SNAPSHOT configuration for deployment. | ||
| - Process deployment manifests (e.g., services, secrets, databases) and apply them to the cluster. | ||
| - Retrieve and note the application’s URL for further testing. | ||
|
|
||
| . Set Up Testing (setup-test) | ||
| + | ||
| - Configure port-forwarding to securely access the deployed application using a sidecar. | ||
| - Authenticate with the application and obtain an authenticated base URL. | ||
| - Prepare the RapiDAST configuration file for scanning. | ||
|
|
||
| . Run RapiDAST Scan (run-rapidast) | ||
| + | ||
| - Run RapiDAST using the dynamically prepared configuration file. | ||
| - Perform API and active scanning (e.g., ZAP) to generate security reports in JSON and HTML formats. | ||
| - Export the results to the `results/` directory for further analysis. Results may be exported to Google Cloud for storage and retrieval. | ||
|
|
||
| .Verification | ||
|
|
||
| When the new build is finished: | ||
|
|
||
| . Go to the *Integration tests* tab and select the highlighted name of your test. | ||
|
|
||
| . Go to the *Pipeline runs* tab of that test and select the most recent run. | ||
|
|
||
| . On the *Details* page, you can see if the test succeeded for that component. Navigate to the other tabs for more details. | ||
|
|
||
| . xref:/how-tos/testing/integration/editing.adoc[Edit the integration test] if it is not properly configured. |