DAST in CI/CD
Vibe Prompt
"Build me a complete DAST pipeline in GitHub Actions: deploy → ZAP scan → generate a report → fail or pass the build."
Full Workflow

The workflow runs only when a deployment to the `staging` environment reports `success`, scans the URL published with that deployment status, uploads the report whether or not the scan passed, and fails the job when ZAP raises alerts:

```yaml
name: DAST Security Scan
on:
  deployment_status:
permissions:
  contents: read   # least privilege: checkout of the rules file and artifact upload only
jobs:
  dast:
    # scan only successful deployments of the staging environment
    if: github.event.deployment_status.environment == 'staging' && github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # required so that .zap/rules.tsv exists in the workspace
        uses: actions/checkout@v4
      - name: OWASP ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          # URL delivered with the deployment_status event
          target: ${{ github.event.deployment_status.environment_url }}
          # per-rule IGNORE/WARN/FAIL overrides; rules default to WARN, and with
          # fail_action a WARN is enough to fail the step, so downgrade known noise here
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'           # also run alpha passive-scan rules
          fail_action: true           # fail the step when ZAP reports alerts
          allow_issue_writing: false  # issue creation would need issues: write plus a token
      - name: Upload ZAP Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          # the action writes report_html.html, report_md.md and report_json.json
          path: report_json.json
      - name: Security Check Failed
        if: failure()
        run: |
          echo "❌ The security scan found vulnerabilities; review the report"
          exit 1
```

The ZAP action also uploads its own `zap_scan` artifact with all three report formats; the explicit upload step above keeps the JSON report under a predictable name for downstream gating.
Nuclei Quick Scan

Nuclei complements ZAP with template-based checks for known CVEs and misconfigurations. Two caveats: the severity filter is passed through `flags`, and nuclei exits 0 even when it has findings, so the job needs an explicit gate step:

```yaml
      - name: Nuclei Scan
        # pin to a release tag or commit SHA rather than @main so unreviewed action code is not pulled in
        uses: projectdiscovery/nuclei-action@main
        with:
          target: ${{ github.event.deployment_status.environment_url }}
          output: nuclei.log
          flags: "-severity high,critical"
      - name: Fail on Nuclei findings
        # the output file is empty when no high/critical template matched
        run: test ! -s nuclei.log
```
Security Gates

| Scan type | Pass criterion |
|-----------|----------------|
| SAST | No Critical/High findings |
| DAST | No High findings |
| SCA | No Critical findings |
| Container | No High findings |
| IaC | No Critical risks |

Deploy to production only after every security gate has passed:

```text
develop → Build → SAST → Test → Deploy Staging → DAST → SCA → Deploy Production
                                                  └── failure → notify the developer to fix
```
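The DAST row of the table ("no High findings") is what the ZAP and Nuclei steps above must enforce. The following script is an added example, not part of the original page or of either tool, of a gate step that reads ZAP's `report_json.json` (riskcode 0–3 as string values, under `site[].alerts[]`) and nuclei's `-jsonl` output (one JSON object per line with `info.severity`) and returns the pipeline's pass/fail decision. The sample report and findings are constructed inline; the function names and the choice to fail closed on unknown severities are this example's own.

```python
"""DAST security gate: ZAP JSON report + nuclei JSONL findings -> pass/fail."""
from __future__ import annotations

import json
import sys
from collections import Counter

# ZAP traditional JSON report: riskcode 0..3 = Informational..High (stored as strings).
ZAP_RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
# nuclei severity ladder, lowest to highest.
NUCLEI_SEVERITIES = ("info", "low", "medium", "high", "critical")


def zap_risk_counts(report: dict) -> Counter:
    """Count ZAP alert types per risk level across every scanned site."""
    counts: Counter = Counter()
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            # a missing riskcode is treated as High so the gate fails closed
            code = int(alert.get("riskcode", 3))
            counts[ZAP_RISK_NAMES.get(code, "High")] += 1
    return counts


def zap_gate(report: dict, fail_risk: str = "High") -> bool:
    """Pass (True) only when no alert is at or above fail_risk."""
    ladder = list(ZAP_RISK_NAMES.values())
    counts = zap_risk_counts(report)
    return not any(counts[r] for r in ladder[ladder.index(fail_risk):])


def nuclei_findings(jsonl_text: str) -> list[dict]:
    """Parse nuclei -jsonl output, one finding per non-empty line."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def nuclei_gate(jsonl_text: str, fail_severity: str = "high") -> bool:
    """Pass (True) only when no finding is at or above fail_severity."""
    floor = NUCLEI_SEVERITIES.index(fail_severity)
    for finding in nuclei_findings(jsonl_text):
        sev = str(finding.get("info", {}).get("severity", "")).lower()
        # unknown or missing severity fails closed
        rank = NUCLEI_SEVERITIES.index(sev) if sev in NUCLEI_SEVERITIES else len(NUCLEI_SEVERITIES)
        if rank >= floor:
            return False
    return True


def dast_gate(zap_report: dict, nuclei_jsonl: str) -> dict:
    """Combined verdict; 'passed' is the value the CI step turns into its exit code."""
    zap_ok = zap_gate(zap_report)
    nuclei_ok = nuclei_gate(nuclei_jsonl)
    return {
        "zap": zap_ok,
        "nuclei": nuclei_ok,
        "zap_counts": dict(zap_risk_counts(zap_report)),
        "passed": zap_ok and nuclei_ok,
    }


# Constructed sample data (hypothetical, not real scan output).
SAMPLE_ZAP_REPORT = {
    "site": [{
        "@name": "https://staging.example.test",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
        ],
    }]
}
SAMPLE_NUCLEI_JSONL = "\n".join([
    json.dumps({"template-id": "http-missing-security-headers", "info": {"severity": "info"},
                "host": "https://staging.example.test"}),
    json.dumps({"template-id": "tls-version", "info": {"severity": "medium"},
                "host": "https://staging.example.test"}),
])


if __name__ == "__main__":
    # usage in a CI step: python dast_gate.py  (reads the constructed samples here)
    verdict = dast_gate(SAMPLE_ZAP_REPORT, SAMPLE_NUCLEI_JSONL)
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["passed"] else 1)
```

In the sample the ZAP report carries one High alert, so the DAST gate fails even though the nuclei output stays below the high/critical threshold; counting alert types rather than instances matches how the table phrases the criterion. In a real job, load the two files written by the preceding steps instead of the constructed samples.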