Skip to content
This repository was archived by the owner on Jul 6, 2026. It is now read-only.

Latest commit

 

History

History
65 lines (49 loc) · 1.91 KB

File metadata and controls

65 lines (49 loc) · 1.91 KB

Security scans

This directory holds artifacts from periodic security scans against the Loopless stack.

OWASP ZAP baseline

ZAP baseline is a passive scan: no exploitation, no auth-bypass attempts. Safe to run against any environment.

Run locally

# Start the full stack
docker compose --profile core --profile observability up -d

# Wait for backend health
until curl -sf http://localhost:8081/health/ready; do sleep 2; done

# Run ZAP against the API
docker run --rm --network host \
  -v "$(pwd)/devops/security:/zap/wrk" \
  -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t http://localhost:8081 \
  -r zap-baseline-report.html \
  -J zap-baseline-report.json \
  -w zap-baseline-warnings.md \
  -m 5 \
  -a

# Run ZAP against the frontend (proxy via nginx)
docker run --rm --network host \
  -v "$(pwd)/devops/security:/zap/wrk" \
  -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t http://localhost \
  -r zap-frontend-report.html \
  -J zap-frontend-report.json \
  -m 5 \
  -a

Reports land in devops/security/. Commit them after triaging findings.

Triage workflow

  1. Open zap-baseline-report.html in a browser
  2. For each High/Medium finding:
    • Verify it is reachable on the listed endpoint
    • Open a fix/security-XXXX branch with the patch
    • Update docs/security-audit.md with the finding + resolution
  3. Re-run the scan after fixes land

CI integration

Weekly cron via .github/workflows/security-scan.yml:

  • Runs every Monday 03:00 UTC
  • Spins up the compose stack
  • Runs ZAP baseline
  • Uploads report as workflow artifact
  • Opens an issue if WARN-NEW or FAIL-NEW count >0

Notes

  • ZAP active scan (zap-full-scan.py) is more aggressive and may trigger rate limiting. Do not run against production without prior coordination.
  • Findings are scored against OWASP Top 10 2021.
  • Baseline reports are committed (no secrets in scan output); active reports are gitignored.