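```dockerfile
FROM owasp/zap2docker-stable
LABEL maintainer="grunny"
# The pip install and chown need root; as the unprivileged zap user they fail with permission errors (see the comments below).
USER root
RUN pip install --upgrade git+https://github.com/Grunny/zap-cli.git
RUN chown -R zap /zap/
ENV ZAP_PORT=8080
# Drop back to the unprivileged zap user for runtime.
USER zap
```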
```console
# The above Dockerfile can be built with: docker build -t "zap-cli" .
# Example of running a self-contained (-sc) quick scan with only XSS scanners, that starts ZAP with the API key disabled
$ docker run -u zap -i zap-cli zap-cli quick-scan -sc -o '-config api.disablekey=true' -s xss "http://127.0.0.1/index.php?foo=bar"
[INFO] Starting ZAP daemon
[INFO] Running a quick scan for http://127.0.0.1/index.php?foo=bar
[INFO] Issues found: 1
+----------------------------------+--------+----------+--------------------------------------------------------------------------------+
| Alert | Risk | CWE ID | URL |
+==================================+========+==========+================================================================================+
| Cross Site Scripting (Reflected) | High | 79 | http://127.0.0.1/index.php?foo=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E |
+----------------------------------+--------+----------+--------------------------------------------------------------------------------+
[INFO] Shutting down ZAP daemon
```
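The table printed by the quick scan above can be turned into a pass/fail gate for a CI step. This is an added example, not part of the gist or of zap-cli: `parse_alerts` and `gate` are hypothetical names, and the code assumes the four-column table and the `Issues found: N` line exactly as shown above.

```python
import re
import sys

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample input, modelled on the quick-scan output shown above.
SAMPLE_OUTPUT = """\
[INFO] Issues found: 1
+----------------------------------+--------+----------+-----+
| Alert                            | Risk   |   CWE ID | URL |
+==================================+========+==========+=====+
| Cross Site Scripting (Reflected) | High   |       79 | http://127.0.0.1/index.php?foo=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E |
+----------------------------------+--------+----------+-----+
"""


def parse_alerts(output):
    """Return one dict per data row of the alert table."""
    alerts = []
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # [INFO] log lines and +---+ / +===+ borders
        # maxsplit=3 keeps a literal '|' inside the URL column intact.
        cells = [c.strip() for c in line[1:-1].split("|", 3)]
        if len(cells) != 4 or cells[0] == "Alert":
            continue  # malformed row or the header row
        alert, risk, cwe, url = cells
        alerts.append({"alert": alert, "risk": risk, "url": url,
                       "cwe": int(cwe) if cwe.isdigit() else None})
    return alerts


def gate(output, fail_on="Medium"):
    """Return (exit_code, alerts): 0 pass, 1 findings at/above fail_on, 2 parse mismatch."""
    alerts = parse_alerts(output)
    reported = re.search(r"Issues found: (\d+)", output)
    if reported is None or int(reported.group(1)) != len(alerts):
        return 2, alerts  # fail closed: the table did not parse as reported
    # An unrecognised risk label is ranked as High so it cannot slip through.
    bad = [a for a in alerts if RISK_ORDER.get(a["risk"], 3) >= RISK_ORDER[fail_on]]
    return (1 if bad else 0), bad


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    code, found = gate(text)
    for a in found:
        print(f'{a["risk"]}: {a["alert"]} (CWE-{a["cwe"]}) {a["url"]}')
    sys.exit(code)
```

Piping the `docker run` output into the script makes the step fail on Medium or High findings, and also when the number of parsed rows disagrees with the reported issue count.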
jkugler commented Apr 17, 2018

OK, I'm missing something simple here. I've had RUN directives in Dockerfiles before, even RUN directives that required root privs, but when I try to run this Dockerfile I'm getting this failure (also, the chown fails if I comment out the pip install):

```
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/usr/local/lib/python2.7/dist-packages/pip/commands/install.py", line 342, in run
    prefix=options.prefix_path,
  File "/usr/local/lib/python2.7/dist-packages/pip/req/req_set.py", line 778, in install
    requirement.uninstall(auto_confirm=True)
  File "/usr/local/lib/python2.7/dist-packages/pip/req/req_install.py", line 754, in uninstall
    paths_to_remove.remove(auto_confirm)
  File "/usr/local/lib/python2.7/dist-packages/pip/req/req_uninstall.py", line 115, in remove
    renames(path, new_path)
  File "/usr/local/lib/python2.7/dist-packages/pip/utils/__init__.py", line 267, in renames
    shutil.move(old, new)
  File "/usr/lib/python2.7/shutil.py", line 303, in move
    os.unlink(src)
OSError: [Errno 13] Permission denied: '/usr/local/lib/python2.7/dist-packages/python_owasp_zap_v2.4-0.0.12.dist-info/DESCRIPTION.rst'
```
jkugler commented Apr 17, 2018

Ah! Adding a USER root before the pip RUN fixed it.