Gist Grunny/6ea8d48d711c6ad28064
Last active January 11, 2019 13:40
FROM owasp/zap2docker-stable
MAINTAINER grunny
RUN pip install --upgrade git+https://github.com/Grunny/zap-cli.git
RUN chown -R zap /zap/
ENV ZAP_PORT 8080
# The above Dockerfile can be built with: docker build -t "zap-cli" .
# Example of running a self-contained (-sc) quick scan with only XSS scanners, that starts ZAP with the API key disabled
$ docker run -u zap -i zap-cli zap-cli quick-scan -sc -o '-config api.disablekey=true' -s xss "http://127.0.0.1/index.php?foo=bar"
[INFO] Starting ZAP daemon
[INFO] Running a quick scan for http://127.0.0.1/index.php?foo=bar
[INFO] Issues found: 1
+----------------------------------+--------+----------+---------------------------------------------------------------------------------+
| Alert                            | Risk   | CWE ID   | URL                                                                             |
+==================================+========+==========+=================================================================================+
| Cross Site Scripting (Reflected) | High   | 79       | http://127.0.0.1/index.php?foo=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E |
+----------------------------------+--------+----------+---------------------------------------------------------------------------------+
[INFO] Shutting down ZAP daemon
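When a quick scan like the one above runs in CI, the useful next step is to turn the alert table zap-cli prints into structured findings and fail the build above a chosen risk level. The example below is added here and is not part of the gist or of zap-cli; the sample output is an inline copy of the run shown above, and the risk ordering and the `fail_at` threshold are assumptions of this example.

```python
from typing import Dict, List

# Constructed sample: the table zap-cli quick-scan printed in the gist's example run.
SAMPLE_OUTPUT = """\
[INFO] Starting ZAP daemon
[INFO] Running a quick scan for http://127.0.0.1/index.php?foo=bar
[INFO] Issues found: 1
+----------------------------------+--------+----------+---------------------------------------------------------------------------------+
| Alert                            | Risk   | CWE ID   | URL                                                                             |
+==================================+========+==========+=================================================================================+
| Cross Site Scripting (Reflected) | High   | 79       | http://127.0.0.1/index.php?foo=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E |
+----------------------------------+--------+----------+---------------------------------------------------------------------------------+
[INFO] Shutting down ZAP daemon
"""

# Assumed ordering of ZAP risk levels, lowest to highest.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def parse_quick_scan(output: str) -> List[Dict[str, str]]:
    """Parse the alert table from zap-cli quick-scan output into a list of dicts.

    Only rows starting with '|' carry data; the first such row is the header,
    and '+---+' / '+===+' separators and [INFO] lines are ignored.
    """
    header = None
    alerts: List[Dict[str, str]] = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        alerts.append(dict(zip(header, cells)))
    return alerts


def gate(alerts: List[Dict[str, str]], fail_at: str = "Medium") -> bool:
    """Return True when every alert is below the fail_at risk level.

    An unrecognised risk string is treated as failing (fail closed).
    """
    threshold = RISK_ORDER[fail_at]
    return all(RISK_ORDER.get(a.get("Risk", ""), threshold) < threshold for a in alerts)


if __name__ == "__main__":
    found = parse_quick_scan(SAMPLE_OUTPUT)
    for a in found:
        print(f'{a["Risk"]:<8} CWE-{a["CWE ID"]:<4} {a["Alert"]} -> {a["URL"]}')
    raise SystemExit(0 if gate(found) else 1)
```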
OK, I'm missing something simple here. I've had RUN directives in Dockerfiles before, even RUN directives that required root privs, but when I try to run this Dockerfile I'm getting this failure (also, the chown fails if I comment out the pip install

Ah! Adding a USER root before the pip RUN fixed it.