From 75595820cdb05d4c5824e05fe36d76fae19d0f34 Mon Sep 17 00:00:00 2001 From: jcullina Date: Tue, 28 Jan 2025 09:10:28 +0000 Subject: [PATCH] chore(stoneintg-1118): add guide for rapidast scan I.T. Signed-off-by: jcullina --- docs/modules/ROOT/pages/how-tos/_nav.adoc | 1 + .../integration/third-parties/rapidast.adoc | 59 +++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 docs/modules/ROOT/pages/how-tos/testing/integration/third-parties/rapidast.adoc diff --git a/docs/modules/ROOT/pages/how-tos/_nav.adoc b/docs/modules/ROOT/pages/how-tos/_nav.adoc index 82ccaec9..5a509205 100644 --- a/docs/modules/ROOT/pages/how-tos/_nav.adoc +++ b/docs/modules/ROOT/pages/how-tos/_nav.adoc @@ -29,6 +29,7 @@ **** xref:how-tos/testing/integration/choosing-contexts.adoc[Choosing when to run certain Integration Tests] **** Third Parties ***** xref:how-tos/testing/integration/third-parties/testing-farm.adoc[Testing with Testing Farm] +***** xref:how-tos/testing/integration/third-parties/rapidast.adoc[Testing with RapiDAST] ** xref:how-tos/metadata/index.adoc[Inspecting provenance and attestations] *** xref:how-tos/metadata/sboms.adoc[Inspecting SBOMs] *** xref:how-tos/metadata/attestations.adoc[Inspecting artifact attestations] diff --git a/docs/modules/ROOT/pages/how-tos/testing/integration/third-parties/rapidast.adoc b/docs/modules/ROOT/pages/how-tos/testing/integration/third-parties/rapidast.adoc new file mode 100644 index 00000000..4b750c6f --- /dev/null +++ b/docs/modules/ROOT/pages/how-tos/testing/integration/third-parties/rapidast.adoc 
@@ -0,0 +1,59 @@ += RapiDAST + +In this guide, you'll learn how to xref:/how-tos/testing/integration/adding.adoc[add a custom integration test] in {ProductName} that uses link:https://github.com/RedHatProductSecurity/rapidast[RapiDAST] as a third-party tool for dynamic application security testing. + +.Prerequisites + +. You have xref:/how-tos/creating.adoc[created an application] in {ProductName} + +. You are familiar with link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#rapidast[RapiDAST documentation] + +. You have chosen a RapiDAST configuration file and are ready, or have the necessary details, to complete one. Refer to the RapiDAST link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#configuration[documentation] for templates and examples. + +. You have selected the scanner you want to use with RapiDAST, ZAP, Nessus or a generic scanner. Refer to the RapiDAST link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#exporting-to-google-cloud-storage[documentation] for available scanners and their configurations. + +. You have access to a git repository containing the link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#an-openapi-schema[OpenAPI] specification of your application or another supported entry point (e.g., endpoints, spiders, etc.). + +. Optional - You have access to link:https://github.com/RedHatProductSecurity/rapidast?tab=readme-ov-file#exporting-to-google-cloud-storage[Google Cloud Storage] to facilitate export and storage of scan results. + +NOTE: The RapiDAST scan is intended to be used in testing environments, and should not be used on production systems. + +.Procedure + +Review the link:https://github.com/jenculltesting/rh-trex-test/blob/main/.tekton/rapidast-scan.yaml[sample integration test]. + +Examine the following tasks/steps provided in the example. 
Create a new Tekton pipeline of your own that mimics these steps but is modified to fit the needs of your application. + +. Provision Environment ++ +- Create an ephemeral environment to deploy the application. + +. Deploy Application (deploy-app) ++ +- Use the provided SNAPSHOT configuration for deployment. +- Process deployment manifests (e.g., services, secrets, databases) and apply them to the cluster. +- Retrieve and note the application’s URL for further testing. + +. Set Up Testing (setup-test) ++ +- Configure port-forwarding to securely access the deployed application using a sidecar. +- Authenticate with the application and obtain an authenticated base URL. +- Prepare the RapiDAST configuration file for scanning. + +. Run RapiDAST Scan (run-rapidast) ++ +- Run RapiDAST using the dynamically prepared configuration file. +- Perform API and active scanning (e.g., ZAP) to generate security reports in JSON and HTML formats. +- Export the results to the `results/` directory for further analysis. Results may be exported to Google Cloud for storage and retrieval. + +.Verification + +When the new build is finished: + +. Go to the *Integration tests* tab and select the highlighted name of your test. + +. Go to the *Pipeline runs* tab of that test and select the most recent run. + +. On the *Details* page, you can see if the test succeeded for that component. Navigate to the other tabs for more details. + +. xref:/how-tos/testing/integration/editing.adoc[Edit the integration test] if it is not properly configured. \ No newline at end of file
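Review bot: the prerequisite "You have selected the scanner you want to use with RapiDAST, ZAP, Nessus or a generic scanner" links to the `#exporting-to-google-cloud-storage` anchor of the RapiDAST README, which is the export section rather than the scanner documentation; the same anchor is reused correctly for the optional Google Cloud Storage prerequisite two items later, so the scanner link needs its own anchor (the README's scanner/configuration section). Two smaller points in the same file: the procedure's only concrete reference is `link:https://github.com/jenculltesting/rh-trex-test/blob/main/.tekton/rapidast-scan.yaml[sample integration test]`, a personal GitHub repository, which is a fragile target for product documentation; consider hosting the sample pipeline in a project-owned repository or inlining the relevant Tekton tasks so the guide stays usable if that repo moves. Finally, the file is added without a trailing newline (`\ No newline at end of file`); add one to match the rest of the docs tree.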