# DAST in CI/CD
## Vibe Prompt

> "Build me a complete DAST pipeline in GitHub Actions: deploy → ZAP scan → generate a report → fail or pass."
## Complete workflow

```yaml
name: DAST Security Scan

on:
  deployment_status:   # fires every time a deployment's status changes

jobs:
  dast:
    # Only scan deployments to staging that actually succeeded
    if: github.event.deployment_status.environment == 'staging' &&
        github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # the rules file below must be in the workspace

      - name: OWASP ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: ${{ github.event.deployment_status.environment_url }}
          rules_file_name: '.zap/rules.tsv'   # per-rule IGNORE / WARN / FAIL overrides
          cmd_options: '-a'                   # also run alpha-quality passive scan rules
          fail_action: true                   # fail the step when a FAIL-level alert is found

      - name: Upload ZAP Report
        if: always()                          # keep the report even when the scan failed
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: report_json.json   # the action writes report_html.html, report_md.md and report_json.json

      - name: Security Check Failed
        if: failure()
        run: |
          echo "❌ The security scan found vulnerabilities, please review the report"
          exit 1
```
## Nuclei quick scan

A lighter alternative step that checks the same deployed URL against Nuclei's high and critical templates:

```yaml
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: ${{ github.event.deployment_status.environment_url }}
          severity: high,critical
```
## Security gates

| Scan type | Pass criterion |
|-----------|----------------|
| SAST | No Critical/High vulnerabilities |
| DAST | No High vulnerabilities |
| SCA | No Critical vulnerabilities |
| Container | No High vulnerabilities |
| IaC | No Critical risks |

Production is deployed only after every security gate has passed:

```text
develop → Build → SAST → Test → Deploy Staging → DAST → SCA → Deploy Production
                                                   └── failure → notify developers to fix
```
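The "DAST: no High vulnerabilities" gate above and the `.zap/rules.tsv` overrides used in the workflow can be reproduced outside the action, which is useful when you want to inspect the decision in a log rather than rely on `fail_action` alone. The script below is an added example, not code from the page or from the ZAP project. It assumes ZAP's `report_json.json` layout (`site[]` → `alerts[]` with `pluginid`, `alert` and `riskcode`, where `"3"` is High) and the ZAP scan-script `rules.tsv` format (`pluginid<TAB>IGNORE|WARN|FAIL<TAB>comment`); the sample report and rules embedded in it are constructed for the example.

```python
"""Evaluate a ZAP JSON report against a rules.tsv file and a risk threshold.

Added example (not the ZAP action's own code). Assumptions:
  * report layout follows ZAP's report_json.json: site[] -> alerts[] with
    'pluginid', 'alert' and 'riskcode' ("0"=Info, "1"=Low, "2"=Medium, "3"=High)
  * rules.tsv uses the ZAP scan-script format: pluginid<TAB>IGNORE|WARN|FAIL<TAB>comment
  * SAMPLE_REPORT and SAMPLE_RULES below are constructed, not real scan output
"""
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
HIGH = 3

# Constructed sample: four findings on one site (the plugin ids are real ZAP rule ids,
# the findings themselves are made up for this example)
SAMPLE_REPORT = json.loads("""
{
  "@version": "2.14.0",
  "site": [
    {
      "@name": "https://staging.example.com",
      "alerts": [
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
        {"pluginid": "10036", "alert": "Server Leaks Version Information", "riskcode": "1"}
      ]
    }
  ]
}
""")

# Constructed .zap/rules.tsv: per-plugin overrides of the default decision
SAMPLE_RULES = (
    "# pluginid\taction\tcomment\n"
    "10021\tIGNORE\tX-Content-Type-Options is set by the CDN\n"
    "10038\tFAIL\tCSP is mandatory for this app even though ZAP rates it Medium\n"
)


def parse_rules(tsv_text):
    """Map plugin id -> IGNORE / WARN / FAIL; blank and '#' lines are skipped."""
    rules = {}
    for line in tsv_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # malformed line without an action column
        rules[fields[0].strip()] = fields[1].strip().upper()
    return rules


def evaluate_gate(report, rules, fail_at_risk=HIGH):
    """Apply the DAST gate: FAIL-rule alerts and un-overridden alerts at or above
    fail_at_risk fail the gate, IGNORE-rule alerts are dropped, everything else warns.
    Returns (passed, failing, warned, ignored)."""
    failing, warned, ignored = [], [], []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            pid = str(alert.get("pluginid", ""))
            risk = int(alert.get("riskcode", 0))
            entry = {"pluginid": pid, "name": alert.get("alert", ""),
                     "risk": RISK_NAMES.get(risk, "Unknown")}
            action = rules.get(pid)
            if action == "IGNORE":
                ignored.append(entry)
            elif action == "FAIL" or (action is None and risk >= fail_at_risk):
                failing.append(entry)
            else:
                warned.append(entry)
    return len(failing) == 0, failing, warned, ignored


def main(report_path="report_json.json", rules_path=".zap/rules.tsv"):
    """CLI entry point: prints GitHub Actions annotations, returns the exit code."""
    with open(report_path, encoding="utf-8") as f:
        report = json.load(f)
    with open(rules_path, encoding="utf-8") as f:
        rules = parse_rules(f.read())
    passed, failing, warned, _ = evaluate_gate(report, rules)
    for e in failing:
        print(f"::error::[{e['risk']}] {e['pluginid']} {e['name']}")
    for e in warned:
        print(f"::warning::[{e['risk']}] {e['pluginid']} {e['name']}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:3]))
```

Run it as a step after the ZAP action (`python zap_gate.py report_json.json .zap/rules.tsv`) with `if: always()` so it still executes when the scan step itself failed; the `::error::` lines surface in the job summary, and the exit code is what enforces the gate. On the constructed sample, the reflected XSS (High) and the CSP finding (forced to FAIL by the rules file) fail the gate, the header finding is ignored, and the version leak is only a warning.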
## Complete CI/CD security pipeline

```yaml
name: Secure CI/CD Pipeline

on: [push, pull_request]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarCloud can attribute new code correctly
      - name: SonarQube Analysis
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets the action decorate the PR
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # Snyk needs the manifest and lockfile in the workspace
      - name: Snyk Security Scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  container-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # the Dockerfile has to be checked out before building
      - name: Build Docker Image
        run: docker build -t app:${{ github.sha }} .
      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: app:${{ github.sha }}
          severity: 'HIGH,CRITICAL'   # matches the "no High vulnerabilities" container gate
          exit-code: '1'              # Trivy exits 0 by default; make findings fail the job

  deploy-staging:
    # Placeholder job: this page does not show the real deployment, replace the run step
    needs: [sast, sca, container-scan]
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to staging
        run: echo "deploy app:${{ github.sha }} to staging (placeholder)"

  dast:
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # zap-rules.tsv must be in the workspace
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: "https://staging.example.com"
          rules_file_name: "zap-rules.tsv"
```
| Scan stage | Tool | When | Blocking condition |
|:----------:|:----:|:----:|--------------------|
| SAST | SonarQube | Commit / PR | Quality Gate not passed |
| SCA | Snyk / Dependabot | Commit / PR | Unpatched Critical vulnerability |
| Container | Trivy / Docker Scout | Build | High-risk CVE |
| DAST | ZAP | After deployment | High-risk vulnerability |
| Secret | GitLeaks / TruffleHog | Commit | Leaked credentials |
## Strategies for running DAST in CI/CD

DAST differs from SAST and SCA: it can only scan a running instance of the application, so the CI/CD flow has to be designed around providing one.

### Deployment strategies for DAST in CI/CD

| Strategy | Approach | Advantage | Drawback |
|:---------|:---------|:----------|:---------|
| Review App | Automatically deploy an isolated environment for every PR | Strong isolation | Needs cloud resources |
| Scheduled Staging scan | Scan the Staging environment on a daily schedule | Simple and stable | Not every change gets scanned |
| Production scan (read-only) | Scan only read-only endpoints of Production | Most realistic | High risk |
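Because DAST needs a live instance, a scan that starts the moment the deployment event fires can run against a target that is still booting behind its load balancer, and a run of 502/503 answers then looks like a clean pass. The readiness check below is an added example, not code from the page or from ZAP: it polls a health endpoint until it returns 200 (or a deadline passes) before the scan is allowed to start. The `/health` path and the demo server, which answers 503 to the first few requests to imitate a starting app, are constructed assumptions for the example.

```python
"""Wait for a freshly deployed target to actually serve requests before
starting a DAST scan.

Added example, not code from the page or from the ZAP project. Assumptions:
the app exposes an HTTP endpoint that returns 200 once it is up (here '/health');
the demo server below is a constructed stand-in for a staging instance that is
still starting up."""
import http.server
import threading
import time
import urllib.error
import urllib.request


def wait_until_ready(url, timeout=300.0, interval=5.0, ok_statuses=(200,)):
    """Poll `url` until it returns an accepted status or `timeout` seconds pass.
    Returns (ready, attempts). Connection errors and HTTP error statuses both
    count as 'not ready yet' rather than aborting, because a target that is
    still booting is the normal case right after a deployment event."""
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                if resp.status in ok_statuses:
                    return True, attempts
        except urllib.error.HTTPError:
            pass   # e.g. 502/503 from the load balancer while the app boots
        except (urllib.error.URLError, OSError):
            pass   # connection refused or DNS not yet propagated
        if time.monotonic() >= deadline:
            return False, attempts
        time.sleep(interval)


class _BootingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed demo server: 503 for the first `failures_left` requests, then 200."""
    failures_left = 0
    lock = threading.Lock()

    def do_GET(self):
        with _BootingHandler.lock:
            if _BootingHandler.failures_left > 0:
                _BootingHandler.failures_left -= 1
                status = 503
            else:
                status = 200
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server(failures=2):
    """Start the demo server on a free localhost port; returns (server, health_url)."""
    _BootingHandler.failures_left = failures
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _BootingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/health"


if __name__ == "__main__":
    server, health = start_demo_server(failures=2)
    ready, tries = wait_until_ready(health, timeout=10, interval=0.2)
    server.shutdown()
    print(f"ready={ready} after {tries} attempts")   # ready=True after 3 attempts
```

In a workflow this becomes a step between the deployment and the ZAP action (for example `python wait_ready.py "$TARGET/health"` with a non-zero exit when `ready` is false), so a target that never comes up fails the job loudly instead of producing an empty, misleadingly green scan report.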
## GitHub Actions + ZAP in practice

```yaml
name: DAST Scan

on:
  deployment_status:   # no activity-type filter exists for this event, so filter in the job

jobs:
  dast:
    # Trigger only after a successful deployment to staging
    if: github.event.deployment_status.environment == 'staging' &&
        github.event.deployment_status.state == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.10.0
        with:
          target: ${{ github.event.deployment_status.target_url }}
          fail_action: true   # fail the pipeline when a high-risk vulnerability is found

      - name: Upload Report
        if: always()          # the report is most useful precisely when the scan failed
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: report_html.html   # file name written by the ZAP action
```
## Next chapter preview: the complete security pipeline

SAST, SCA, DAST: you have now covered every class of security testing tool. The next chapter chains them all into a single pipeline, with an explicit gate controlling each stage.