
Trying to run OWASP ZAP Docker Build in the headless mode described here:

docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080

But can't figure out how to adapt that to a gitlab-ci.yaml. On gitlab 9.4 and think a service command should do it, but haven't got it to work. Tried:

security_test:
  image: python:2.7
  stage: test
  services:
  - name: owasp/zap2docker-stable
    alias: zap
    command: ["docker run -u zap -p 8080:8080 -i owasp_zap zap.sh -port 8080 -host 0.0.0.0 -config api.key=$ZAP_API_KEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE"]
  script:
    - export PYTHONPATH=$PWD/backend/lib:$PYTHONPATH
    - pip install -r qa/security/requirements.txt
    - BASE_URL="https://example.com" ZAP="http://owasp__zap2docker-stable:8080" ZAP_API_KEY=$ZAP_API_KEY python qa/security/zap_scanner.py

This gets this error:

 ERROR: Preparation failed: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"exec: \\\"docker run -u zap -p 8080:8080 -i owasp_zap zap.sh -port 8080 -host 0.0.0.0 -config api.key=$ZAP_API_KEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE\\\": executable file not found in $PATH\"\n"
 ...

Also ran docker inspect on it running locally and it shows the path as

"env": [
    ...
    "ZAP_PATH=/zap/zap.sh",
    ...

So I changed command to

    command: ["zap.sh -port 8080 -host 0.0.0.0 -config api.key=$ZAP_API_KEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE"]

But still get the error:

ERROR: Preparation failed: Error response from daemon: invalid header field value "oci runtime error: container_linux.go:247: starting container process caused \"exec: \\\"/zap/zap zap.sh -port 8080 -host 0.0.0.0 -config api.key=$ZAP_API_KEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE\\\": stat /zap/zap zap.sh -port 8080 -host 0.0.0.0 -config api.key=$ZAP_API_KEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE: no such file or directory\"\n"
...

This seems to be the install file. I'm trying to use custom settings and an API key, so I'm not looking for answers like "just use default settings" or "use zap baseline".


1 Answer


Change the command

command: ["zap.sh -port 8080 -host 0.0.0.0 -config api.key=$ZAP_API_KEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE"]

to

command: zap.sh -port 8080 -host 0.0.0.0 -config api.key=$ZAP_API_KEY -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE

Having an array means that each command parameter needs to be a separate element of the array, not everything in the first element of the array as you have it.

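The array form the answer describes and the linter asks for (each argument as its own string element), written out as an added example that is not from the question or the answer; it assumes ZAP_API_KEY is a CI variable and uses the job's own alias zap as the service hostname.

```yaml
security_test:
  image: python:2.7
  stage: test
  services:
    - name: owasp/zap2docker-stable
      alias: zap
      # The runner execs this list directly as argv, with no shell in between.
      # A single quoted string is therefore looked up as one executable name,
      # which is the "executable file not found in $PATH" error in the question.
      command:
        - "zap.sh"
        - "-daemon"          # from the docker run line at the top of the question
        - "-host"
        - "0.0.0.0"
        - "-port"
        - "8080"
        - "-config"
        - "api.key=$ZAP_API_KEY"   # assumption: a CI variable; whether the runner
                                   # expands it inside a service command is not
                                   # confirmed on this page, so check the job log
        - "-config"
        - "api.addrs.addr.name=.*"
        - "-config"
        - "api.addrs.addr.regex=true"
        - "-config"
        - "scanner.strength=INSANE"
  script:
    - export PYTHONPATH=$PWD/backend/lib:$PYTHONPATH
    - pip install -r qa/security/requirements.txt
    # The service is reachable under its alias, so "zap" replaces the
    # auto-generated owasp__zap2docker-stable hostname used in the question.
    - BASE_URL="https://example.com" ZAP="http://zap:8080" ZAP_API_KEY=$ZAP_API_KEY python qa/security/zap_scanner.py
```

Passing this through the ci/lint page quoted in the comments is the quickest way to confirm it satisfies the "service command should be an array of strings" rule before pushing.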
  • If I do that it doesn't build due to a "yaml invalid" error. The linter at ci/lint says: "Status: syntax is incorrect Error: service command should be an array of strings" – Cynic Jul 27 '17 at 20:05
  • To be clear, the issue is in Gitlab, not docker. Locally docker-compose works launching with a command like that. – Cynic Jul 27 '17 at 20:17
  • OK. Will look into the issue again tonight – Tarun Lalwani Jul 28 '17 at 04:26