DAST Dynamic Analysis
Vibe Prompt
"Help me add an OWASP ZAP scan to CI/CD: automatically test the Staging environment and abort the pipeline when vulnerabilities are found."
ZAP Scan
```yaml
- name: OWASP ZAP Scan
  uses: zaproxy/action-full-scan@v0.10.0
  with:
    target: 'https://staging.myapp.com'
    cmd_options: '-a -j'              # -a: include alpha passive-scan rules, -j: also run the AJAX spider
    rules_file_name: '.zap/rules.tsv' # per-rule IGNORE / WARN / FAIL overrides
    allow_issue_writing: true         # file findings as GitHub issues
    fail_action: true                 # abort the pipeline when high-risk vulnerabilities are found
```
Automatic Scan on Staging
```yaml
name: DAST Pipeline
on:
  deployment_status:   # fires when a Staging deployment completes
jobs:
  dast:
    # deployment_status also fires for pending/failed states; only scan a finished deployment
    if: github.event.deployment_status.environment == 'staging' && github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: ${{ github.event.deployment_status.environment_url }}
          fail_action: true
      - name: Upload Report
        uses: actions/upload-artifact@v4
        if: failure()   # keep the report for triage when the scan blocks the pipeline
        with:
          name: zap-report
          path: report.json
```
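The risk-based gate the prompt asks for, as an added example that is not part of the original page or the ZAP project: a small Python script that reads the JSON report ZAP leaves in the workspace (e.g. the report.json uploaded above; the path is passed on the command line) and fails the job only when an alert at or above a chosen risk level remains after dropping accepted plugin IDs. The embedded sample report and its hostname are constructed.

```python
"""Gate a CI job on alert risk in a ZAP JSON report (added example, not ZAP's own code)."""
import json
import sys

# ZAP reports carry "riskcode" as a string: 0 informational, 1 low, 2 medium, 3 high.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample with the shape ZAP writes (site -> alerts); not real scan output.
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "https://staging.example.invalid",
    "alerts": [
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
         "riskcode": "1", "confidence": "2"},
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
         "riskcode": "3", "confidence": "2"},
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "3"},
    ]}]})


def evaluate(report_text, fail_threshold=3, ignore_plugins=()):
    """Return (should_fail, counts, failing).
    counts: risk code -> alerts remaining after dropping ignored plugin IDs
    (same idea as IGNORE rows in .zap/rules.tsv); failing: alerts at or
    above fail_threshold as (site, pluginid, alert name) tuples.
    """
    ignored = {str(p) for p in ignore_plugins}
    counts = {code: 0 for code in RISK_NAMES}
    failing = []
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            if str(alert.get("pluginid")) in ignored:
                continue  # accepted risk or known false positive
            code = int(alert.get("riskcode", 0))
            counts[code] = counts.get(code, 0) + 1
            if code >= fail_threshold:
                failing.append((site.get("@name"), alert["pluginid"], alert["alert"]))
    return bool(failing), counts, failing


if __name__ == "__main__":
    # CI usage: python zap_gate.py <zap json report>; exit code 1 blocks the pipeline.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    should_fail, counts, failing = evaluate(text)
    for code in sorted(counts, reverse=True):
        print(f"{RISK_NAMES.get(code, code)}: {counts[code]}")
    for site, plugin, name in failing:
        print(f"FAIL {site} [{plugin}] {name}")
    sys.exit(1 if should_fail else 0)
```

Run it as a step after the ZAP scan (with the action's own fail_action left off) when you want Medium findings reported but only High findings to break the build.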
Common Tools
| Tool | Description |
|------|-------------|
| OWASP ZAP | Open-source DAST |
| Burp Suite | Commercial DAST (Professional edition) |
| Nikto | Web server scanner |
| Nuclei | Fast template-based scanner |
| SQLMap | SQL injection automation |