DAST in CI/CD

Vibe Prompt

"Help me build a complete DAST pipeline in GitHub Actions: deploy → ZAP scan → generate report → fail or pass."

Complete Workflow

name: DAST Security Scan

on:
  deployment_status:

jobs:
  dast:
    # Run only once a staging deployment has finished successfully
    if: github.event.deployment_status.environment == 'staging' && github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      # The rules file lives in the repository, so the ZAP action needs a checkout first
      - uses: actions/checkout@v4

      - name: OWASP ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: ${{ github.event.deployment_status.environment_url }}
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'      # also run alpha passive-scan rules
          fail_action: true      # fail the job when the scan reports WARN/FAIL alerts (tune via the rules file)

      - name: Upload ZAP Report
        if: always()             # upload even when the scan step failed
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: report_json.json # file name the ZAP action writes (it also writes report_html.html and report_md.md)

      - name: Security Check Failed
        if: failure()
        run: |
          echo "❌ Security scan found vulnerabilities, please check the report"
          exit 1

Nuclei Quick Scan

- name: Nuclei Scan
  uses: projectdiscovery/nuclei-action@main
  with:
    target: ${{ github.event.deployment_status.environment_url }}
    severity: high,critical

Security Gates

| Scan type | Pass criteria |
|-----------|---------------|
| SAST | No Critical/High vulnerabilities |
| DAST | No High vulnerabilities |
| SCA | No Critical vulnerabilities |
| Container | No High vulnerabilities |
| IaC | No Critical risks |

Deploy to production only after every security gate has passed.

develop → Build → SAST → Test → Deploy Staging → DAST → SCA → Deploy Production
                                  └── failure → notify developers to fix
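The "fail or pass" decision for the DAST gate above, as an added example (not code from the page, the course, or the ZAP project): it reads the report_json.json that the zaproxy/action-full-scan step writes and returns exit code 1 when any alert is rated High, matching the DAST row of the table. The sample report, its plugin ids and the script name are constructed assumptions; the `ignored` set plays the role of IGNORE lines in the rules.tsv file.

```python
import json
import sys

# ZAP riskcode values: 0 = Informational, 1 = Low, 2 = Medium, 3 = High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def blocking_alerts(report, threshold=3, ignored=frozenset()):
    """Alerts at or above threshold as (pluginid, name, risk, instance_count).
    `ignored` holds ZAP plugin ids accepted as known findings (like IGNORE in rules.tsv)."""
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= threshold and str(alert.get("pluginid")) not in ignored:
                found.append((str(alert["pluginid"]), alert["alert"],
                              RISK_NAMES.get(risk, str(risk)), len(alert.get("instances", []))))
    return found


def gate_exit_code(report, threshold=3, ignored=frozenset()):
    """0 when the gate passes, 1 when the pipeline should be broken."""
    return 1 if blocking_alerts(report, threshold, ignored) else 0


# Constructed sample in the shape ZAP writes (one site, three alerts); not a real scan result
SAMPLE_REPORT = {
    "site": [{
        "@name": "https://staging.example.com",
        "alerts": [
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "instances": [{"uri": "https://staging.example.com/"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "instances": [{"uri": "https://staging.example.com/search?q=x"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "instances": [{"uri": "https://staging.example.com/"},
                                            {"uri": "https://staging.example.com/login"}]},
        ],
    }],
}


def main(argv):
    """Usage: python zap_gate.py report_json.json (falls back to the sample report)."""
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    for pid, name, risk, count in blocking_alerts(report):
        print(f"[{risk}] {name} (plugin {pid}, {count} instance(s))")
    return gate_exit_code(report)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the workflow this runs as a `run: python zap_gate.py report_json.json` step after the ZAP scan; a non-zero exit breaks the job, so the upload step should keep `if: always()`.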

Complete CI/CD Security Pipeline

name: Secure CI/CD Pipeline

on: [push, pull_request]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: SonarQube Analysis
        uses: SonarSource/sonarcloud-github-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # Snyk needs the manifest files from the repo
      - name: Snyk Security Scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  container-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # the Dockerfile has to be present for the build
      - name: Build Docker Image
        run: docker build -t app:${{ github.sha }} .
      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}
          severity: 'CRITICAL,HIGH'  # gate on high-risk CVEs only
          exit-code: '1'             # fail the job when such CVEs are found

  deploy-staging:
    needs: [sast, sca, container-scan]   # all gates must pass before a staging deploy
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to Staging
        run: echo "placeholder: replace with your own deployment command"

  dast:
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4    # needed so ZAP can read zap-rules.tsv from the repo
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: "https://staging.example.com"
          rules_file_name: "zap-rules.tsv"

| Scan stage | Tool | When | Blocking condition |
|:----------:|:----:|:----:|--------------------|
| SAST | SonarQube | Commit / PR | Quality Gate not passed |
| SCA | Snyk / Dependabot | Commit / PR | Unpatched Critical vulnerabilities |
| Container | Trivy / Docker Scout | Build | High-risk CVEs |
| DAST | ZAP | After deployment | High-risk vulnerabilities |
| Secret | GitLeaks / TruffleHog | Commit | Credential leaks |

Strategies for Running DAST in CI/CD

DAST differs from SAST/SCA: it needs a running instance of the application to scan. That calls for deliberate design in a CI/CD flow.

Deployment Strategies for DAST in CI/CD

| Strategy | Approach | Pros | Cons |
|:---------|:---------|:-----|:-----|
| Review App | Automatically deploy an isolated environment for every PR | High isolation | Needs cloud resources |
| Scheduled Staging scan | Scan the Staging environment on a daily schedule | Simple, stable | Not every change gets scanned |
| Production scan (read-only) | Scan only read-only endpoints of Production | Most realistic | High risk |

GitHub Actions + ZAP in Practice

name: DAST Scan
on:
  deployment_status:   # fires on every deployment status change; the state is filtered below

jobs:
  dast:
    # deployment_status has no activity types, so "success" is checked in the if condition
    if: github.event.deployment_status.environment == 'staging' && github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: ${{ github.event.deployment_status.target_url }}
          fail_action: true  # fail the pipeline when the scan reports alerts
      - name: Upload Report
        if: always()         # keep the report even when the scan step failed
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: report_html.html   # file name the ZAP action writes

Next Chapter Preview: Complete Security Pipeline

SAST, SCA, DAST: you have now covered all of the security testing tools. The next chapter chains them into a single pipeline, with an explicit gate at every stage.

Unlock the Full Tutorial

This chapter is paid content. Join the project to unlock over 5000 words of in-depth analysis, including 10 or more top-tier prompts and real source code examples!