DAST in CI/CD

Vibe Prompt

"Build me a complete DAST pipeline in GitHub Actions: deploy → ZAP scan → generate report → fail or pass."

Complete Workflow

```yaml
name: DAST Security Scan

on:
  deployment_status:

jobs:
  dast:
    # Only scan after a staging deployment has completed successfully
    if: github.event.deployment_status.environment == 'staging' && github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: OWASP ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: ${{ github.event.deployment_status.environment_url }}
          rules_file_name: '.zap/rules.tsv'   # per scan-rule id: IGNORE / WARN / FAIL
          cmd_options: '-a'                   # also run the alpha passive scan rules
          fail_action: true                   # fail the job when unignored alerts remain

      - name: Upload ZAP Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          # the action writes report_html.html, report_md.md and report_json.json
          path: report_json.json

      - name: Security Check Failed
        if: failure()
        run: |
          echo "❌ The security scan found vulnerabilities; please check the report"
          exit 1
```

Nuclei Quick Scan

```yaml
- name: Nuclei Scan
  uses: projectdiscovery/nuclei-action@main   # pin to a release tag for reproducible builds
  with:
    target: ${{ github.event.deployment_status.environment_url }}
    severity: high,critical   # only report high and critical template matches
```

Security Gates

| Scan type | Pass criteria |
|-----------|---------------|
| SAST | No Critical/High findings |
| DAST | No High findings |
| SCA | No Critical findings |
| Container | No High findings |
| IaC | No Critical risks |

Deploy to production only after every security gate has passed:

```text
develop → Build → SAST → Test → Deploy Staging → DAST → SCA → Deploy Production
                                  └── failure → notify developers to fix
```
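The DAST gate from the table ("no High findings") and the `.zap/rules.tsv` file the workflow references can be enforced by a small script that reads ZAP's JSON report and returns a pass/fail verdict the job can exit with. This is an added example, not code from the page or from the ZAP project; the report and rules file contents are constructed samples, and `zap_gate.py` is a hypothetical file name.

```python
import json
import sys

# ZAP's numeric riskcode -> risk name, as used in its JSON report
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
RISK_CODES = {v: int(k) for k, v in RISK_NAMES.items()}

# Constructed sample report in the shape ZAP's JSON report uses (site -> alerts)
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://staging.example.com", "alerts": [
    {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3"},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
]}]})

# Constructed rules.tsv in the action's format: <rule id> TAB <IGNORE|WARN|FAIL> TAB <name>
SAMPLE_RULES = "10021\tIGNORE\t(X-Content-Type-Options Header Missing)\n10038\tWARN\t(CSP Header Not Set)\n"


def parse_rules(text):
    """Map scan rule id -> action; blank lines and '#' comments are skipped."""
    rules = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and not line.startswith("#"):
            rules[parts[0].strip()] = parts[1].strip().upper()
    return rules


def evaluate_gate(report_text, rules_text, fail_at="High"):
    """Return (passed, blocking_alerts): an alert blocks when its rule says FAIL
    or its risk is at or above `fail_at`; IGNOREd rules never block."""
    rules = parse_rules(rules_text)
    blocking = []
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            action = rules.get(alert.get("pluginid"), "")
            if action == "IGNORE":
                continue
            code = alert.get("riskcode", "0")
            if action == "FAIL" or int(code) >= RISK_CODES[fail_at]:
                blocking.append((alert.get("pluginid"), alert.get("alert"), RISK_NAMES.get(code, "Unknown")))
    return not blocking, blocking


if __name__ == "__main__":  # usage: python zap_gate.py report_json.json .zap/rules.tsv
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rules = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_RULES
    ok, bad = evaluate_gate(report, rules)
    for pluginid, name, risk in bad:
        print(f"BLOCKING [{risk}] {pluginid} {name}")
    sys.exit(0 if ok else 1)
```

Run as a step after the ZAP scan (with `if: always()`) so the artifact is still uploaded but the job fails on any High alert that is not explicitly ignored.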
