Skip to content

Instantly share code, notes, and snippets.

@Grunny

Grunny/Dockerfile-zap-cli

Last active Jan 11, 2019
Embed
What would you like to do?
FROM owasp/zap2docker-stable
MAINTAINER grunny
RUN pip install --upgrade git+https://github.com/Grunny/zap-cli.git
RUN chown -R zap /zap/
ENV ZAP_PORT 8080
# The above Dockerfile can be built with: docker build -t "zap-cli" .
# Example of running a self-contained (-sc) quick scan with only XSS scanners, that starts ZAP with the API key disabled
$ docker run -u zap -i zap-cli zap-cli quick-scan -sc -o '-config api.disablekey=true' -s xss "http://127.0.0.1/index.php?foo=bar"
[INFO] Starting ZAP daemon
[INFO] Running a quick scan for http://127.0.0.1/index.php?foo=bar
[INFO] Issues found: 1
+----------------------------------+--------+----------+--------------------------------------------------------------------------------+
| Alert | Risk | CWE ID | URL |
+==================================+========+==========+================================================================================+
| Cross Site Scripting (Reflected) | High | 79 | http://127.0.0.1/index.php?foo=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E |
+----------------------------------+--------+----------+--------------------------------------------------------------------------------+
[INFO] Shutting down ZAP daemon
@jkugler

This comment has been minimized.

Copy link

@jkugler jkugler commented Apr 17, 2018

OK, I'm missing something simple here. I've had RUN directives in Dockerfiles before, even RUN directives that required root privs, but when I try to run this Dockerfile I'm getting this failure (also, the chown fails if I comment out the pip install

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/usr/local/lib/python2.7/dist-packages/pip/commands/install.py", line 342, in run
    prefix=options.prefix_path,
  File "/usr/local/lib/python2.7/dist-packages/pip/req/req_set.py", line 778, in install
    requirement.uninstall(auto_confirm=True)
  File "/usr/local/lib/python2.7/dist-packages/pip/req/req_install.py", line 754, in uninstall
    paths_to_remove.remove(auto_confirm)
  File "/usr/local/lib/python2.7/dist-packages/pip/req/req_uninstall.py", line 115, in remove
    renames(path, new_path)
  File "/usr/local/lib/python2.7/dist-packages/pip/utils/__init__.py", line 267, in renames
    shutil.move(old, new)
  File "/usr/lib/python2.7/shutil.py", line 303, in move
    os.unlink(src)
OSError: [Errno 13] Permission denied: '/usr/local/lib/python2.7/dist-packages/python_owasp_zap_v2.4-0.0.12.dist-info/DESCRIPTION.rst'```
@jkugler

This comment has been minimized.

Copy link

@jkugler jkugler commented Apr 17, 2018

Ah! Adding a USER root before the pip RUN fixed it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment