e-moreno/dast-orchestrator
🛡️ DAST Orchestrator

A lightweight Go API that orchestrates dynamic application security testing (DAST) using OWASP ZAP. Designed for seamless CI/CD integration via secure webhooks.

🚀 Quick Start

Docker Compose (Recommended for Testing)

cd local
docker-compose up --build

Access: http://localhost:8080/ping

Kubernetes (Production)

# Update database config in k8s/local/configmap.yaml
cd k8s/local/
./deploy.sh

Access: http://localhost:30080/ping

📡 API Endpoints

Health Check

GET /ping
# Returns: {"api":"ok","zap":"ok","dbro":"ok","dbrw":"ok"}

Start Scan

POST /scan
Headers: X-Signature: <HMAC-SHA256>
Body: {
  "target": "https://example.com",
  "build_id": "abc123",
  "application": "my-app",
  "source": "ci-cd"
}

Check Status

POST /status
Headers: X-Signature: <HMAC-SHA256>
Body: {"ScanID": "abc123"}
# Returns: {"status": "running", "progress": 67}

Reload Configuration

POST /reload
Headers: X-Signature: <HMAC-SHA256>
Body: {"action": "reload"}
# Returns: {"status": "reloaded", "zap": "http://localhost:8090"}
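All three endpoints above authenticate the caller through the X-Signature header, so the part worth getting right is how that HMAC is produced on the client and checked on the server. The following is an added example written for this README, not code from the dast-orchestrator repository. It assumes (the page does not say) that the signature is the hex-encoded HMAC-SHA256 of the raw request body, keyed with the hex-decoded HMAC_SECRET; the 64-character demo secret and the scan body are constructed sample values. The server side uses hmac.Equal so that comparison time does not depend on how many bytes matched, and it rejects any body altered after signing.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// demoHexSecret is a constructed sample; a real HMAC_SECRET comes from k8s/secrets.yaml.
const demoHexSecret = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// loadHMACKey decodes the hex HMAC_SECRET into raw key bytes and rejects short keys.
func loadHMACKey(hexSecret string) ([]byte, error) {
	key, err := hex.DecodeString(hexSecret)
	if err != nil {
		return nil, err
	}
	if len(key) < 32 {
		return nil, errors.New("HMAC secret shorter than 32 bytes")
	}
	return key, nil
}

// signBody returns the hex-encoded HMAC-SHA256 of body under key (client side).
func signBody(key, body []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifySignature recomputes the MAC over the body and compares in constant time.
func verifySignature(key, body []byte, sig string) bool {
	got, err := hex.DecodeString(sig)
	if err != nil {
		return false // malformed header, never a match
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil))
}

// scanHandler is a hypothetical /scan handler that refuses unsigned or tampered bodies.
func scanHandler(key []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body size before hashing
		if err != nil {
			http.Error(w, "bad body", http.StatusBadRequest)
			return
		}
		if !verifySignature(key, body, r.Header.Get("X-Signature")) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusAccepted)
		fmt.Fprint(w, `{"status":"queued"}`)
	}
}

// submitScan plays the CI client: sign the body, then POST it with X-Signature.
// With tamper=true the body is modified after signing, so the server must reject it.
func submitScan(h http.Handler, key, body []byte, tamper bool) int {
	sig := signBody(key, body)
	if tamper {
		body = append(append([]byte{}, body...), ' ')
	}
	req := httptest.NewRequest(http.MethodPost, "/scan", bytes.NewReader(body))
	req.Header.Set("X-Signature", sig)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	key, err := loadHMACKey(demoHexSecret)
	if err != nil {
		panic(err)
	}
	// Constructed scan request matching the POST /scan body shape above.
	body := []byte(`{"target":"https://example.com","build_id":"abc123","application":"my-app","source":"ci-cd"}`)
	h := scanHandler(key)
	fmt.Println("signed request   ->", submitScan(h, key, body, false)) // 202
	fmt.Println("tampered request ->", submitScan(h, key, body, true))  // 401
}
```

The same signBody routine is what a client such as client/client.py has to reproduce byte for byte: sign exactly the bytes that will be sent, not a re-serialised copy of the JSON, or the server's recomputed MAC will not match.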

🏗️ Architecture

┌─────────────────────────────────┐
│        Kubernetes Pod           │
│  ┌─────────────┐ ┌─────────────┐│
│  │  DAST API   │ │ ZAP Scanner ││
│  │   :8080     │◄┤   :8090     ││
│  └─────────────┘ └─────────────┘│
│         │                       │
└─────────┼───────────────────────┘
          │
 ┌────────▼────────┐
 │ Managed Database│
 │ (AWS RDS, DO,   │
 │  Google Cloud)  │
 └─────────────────┘

⚙️ Configuration

🔐 Secure Configuration (Kubernetes)

Sensitive data goes in k8s/secrets.yaml:

# Database passwords, API keys, HMAC secrets
DB_RO_PASSWORD: <base64-encoded-password>
DB_RW_PASSWORD: <base64-encoded-password>
HMAC_SECRET: <base64-encoded-hex-secret>
ZAP_KEY: <base64-encoded-api-key>

Non-sensitive config goes in k8s/configmap.yaml:

# Database connection details (no passwords)
DB_RO_HOST: "your-db-host.amazonaws.com"
DB_RO_PORT: "3306"
DB_RO_USERNAME: "dast_readonly"
# ZAP configuration
ZAP_HOST: "localhost"
ZAP_PORT: "8090"

📝 Local Development

Set these environment variables:

| Variable    | Default              | Description                |
|-------------|----------------------|----------------------------|
| ZAP_HOST    | localhost            | ZAP scanner hostname       |
| ZAP_PORT    | 8090                 | ZAP scanner port           |
| ZAP_KEY     | change-me-9203935709 | ZAP API key                |
| HMAC_SECRET | Auto-generated       | Webhook validation key     |
| DB_RO       | See configmap        | Read-only database config  |
| DB_RW       | See configmap        | Read-write database config |

🔍 Vulnerability Scoring

  • Pass: Total vulnerability score < 8
  • Fail: Total vulnerability score ≥ 8
  • Critical vulnerabilities (SQL Injection, RCE): Score 8-20 each
  • High/Medium vulnerabilities: Score 0-4 each
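The bands above imply that one critical finding alone fails a build, while lower-severity findings fail it only in aggregate. The following added example, written for this README and not taken from the repository, shows the gate as code. The page gives only the bands, so the per-finding values (8 for a critical alert, 4 for High, 2 for Medium, 0 otherwise), the alert-name patterns that count as critical, and the alerts JSON (a constructed, simplified form of ZAP's alert listing with "alert" and "risk" fields) are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is one scanner alert; Risk follows ZAP's High/Medium/Low/Informational levels.
type Finding struct {
	Name string `json:"alert"`
	Risk string `json:"risk"`
}

// criticalPatterns lists alert-name fragments treated as critical (assumption of this example).
var criticalPatterns = []string{"sql injection", "remote code execution", "remote os command injection"}

// PassThreshold is the README's gate: a total below 8 passes, 8 or more fails.
const PassThreshold = 8

// findingScore maps one alert into the README's bands: critical 8-20, High/Medium 0-4.
// This example uses the low end of the critical band; a real policy could weight by confidence.
func findingScore(f Finding) int {
	name := strings.ToLower(f.Name)
	for _, p := range criticalPatterns {
		if strings.Contains(name, p) {
			return 8
		}
	}
	switch f.Risk {
	case "High":
		return 4
	case "Medium":
		return 2
	default: // Low and Informational do not move the gate
		return 0
	}
}

// totalScore sums the per-finding scores for a scan.
func totalScore(fs []Finding) int {
	total := 0
	for _, f := range fs {
		total += findingScore(f)
	}
	return total
}

// verdict applies the pass/fail rule from the README.
func verdict(total int) string {
	if total >= PassThreshold {
		return "fail"
	}
	return "pass"
}

// parseAlerts reads a simplified {"alerts":[...]} document into findings.
func parseAlerts(raw []byte) ([]Finding, error) {
	var doc struct {
		Alerts []Finding `json:"alerts"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	return doc.Alerts, nil
}

// gateScan parses alerts and returns the total score and the verdict for the build.
func gateScan(raw []byte) (int, string, error) {
	fs, err := parseAlerts(raw)
	if err != nil {
		return 0, "", err
	}
	total := totalScore(fs)
	return total, verdict(total), nil
}

func main() {
	// Constructed sample: one SQL injection alert plus a medium-risk header finding.
	sample := []byte(`{"alerts":[
	  {"alert":"SQL Injection","risk":"High"},
	  {"alert":"Missing Anti-clickjacking Header","risk":"Medium"}]}`)
	total, v, err := gateScan(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("total=%d verdict=%s\n", total, v) // total=10 verdict=fail
}
```

Because Medium findings score 2 and High findings 4 under these assumptions, four Medium or two High alerts reach the threshold on their own; tuning those weights is where a team decides how much lower-severity debt a pipeline tolerates before blocking.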

✅ CI/CD Integration

# GitHub Actions Example
- name: DAST Scan
  env:
    DAST_HMAC_SECRET: ${{ secrets.DAST_HMAC_SECRET }}
    DAST_API_TARGET: https://my-app.com
    DAST_API_URL: https://my-dast-api.com
  run: python client/client.py

📚 Documentation

🛠️ Requirements

  • Runtime: Go 1.23+, OWASP ZAP 2.14+
  • Local Dev: Docker, Docker Compose
  • Production: Kubernetes cluster, Managed database (MySQL)

📄 License

MIT © 2025 - Built for secure software development.

About

A Golang-based API for orchestrating DAST scans in CI/CD pipelines. Receives HMAC-authenticated webhooks from GitHub, Jenkins, etc., and triggers open source scanners like OWASP ZAP via modular Go packages. Built for secure, automated security testing in DevSecOps workflows.
