This repo sets up a weekly cron job in the GKE AppSec cluster that runs ZAP scans against the list of endpoints downloaded from DefectDojo, then uploads the result files to CodeDx. The cron job runs trigger.py
(currently Sunday mornings at 7am).
The scans use ZAP automation. Each target endpoint is tagged in DefectDojo with a scan type, and this automation runs the ZAP scan that matches that tag.
Download the endpoint list in JSON from DefectDojo (DOJO_TOKEN is a DefectDojo API token; the API is paginated, so limit=100 returns at most the first 100 endpoints and the "next" URL in the response must be followed to get the rest):
curl -L -H "accept: application/json" -H "Authorization: Token ${DOJO_TOKEN}" "https://defectdojo.dsp-appsec.broadinstitute.org/api/v2/endpoints?limit=100"
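As an added example (not code from this repo or from trigger.py), the Python below shows how a scheduler like trigger.py can page through DefectDojo's endpoint list and dispatch each endpoint to the ZAP packaged scan named by its scan-type tag. The DefectDojo base URL, the tag names (zap-baseline, zap-full, zap-api) and the two sample response pages are constructed for the example; the endpoint field names (next, results, tags, protocol, host, port, path) follow DefectDojo's v2 API. The docker command is built as an argv list rather than a shell string so a hostile endpoint URL stored in DefectDojo cannot inject shell.

```python
"""Plan ZAP scans from a paginated DefectDojo endpoint list, keyed by scan-type tag."""
import json
import os
import shlex
import urllib.request
from typing import Callable, Iterator, List, Optional

# Assumed mapping from a DefectDojo tag (hypothetical names) to the ZAP packaged-scan
# script that the ZAP docker image ships.
SCAN_SCRIPTS = {
    "zap-baseline": "zap-baseline.py",
    "zap-full": "zap-full-scan.py",
    "zap-api": "zap-api-scan.py",
}
ZAP_IMAGE = "owasp/zap2docker-stable"  # image used on this page
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample of two /api/v2/endpoints pages so the planner runs offline.
FIRST_URL = "https://dojo.example/api/v2/endpoints/?limit=2"
SAMPLE_PAGES = {
    FIRST_URL: {
        "next": "https://dojo.example/api/v2/endpoints/?limit=2&offset=2",
        "results": [
            {"id": 1, "tags": ["prod", "zap-baseline"], "protocol": "https",
             "host": "app.example.org", "port": 443, "path": ""},
            {"id": 2, "tags": ["zap-api"], "protocol": "https",
             "host": "api.example.org", "port": 8443, "path": "v1"},
        ],
    },
    "https://dojo.example/api/v2/endpoints/?limit=2&offset=2": {
        "next": None,
        "results": [
            {"id": 3, "tags": ["prod"], "protocol": "http",
             "host": "legacy.example.org", "port": 80, "path": ""},
        ],
    },
}


def dojo_fetcher(token: str) -> Callable[[str], dict]:
    """Return fetch(url) that GETs a DefectDojo URL with the token header (network; unused by the sample)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(
            url, headers={"accept": "application/json", "Authorization": f"Token {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_endpoints(first_url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every endpoint, following 'next' links; a bare limit=N request only returns one page."""
    url, seen = first_url, set()
    while url and url not in seen:  # refuse to loop forever on a repeated next link
        seen.add(url)
        page = fetch(url)
        yield from page.get("results", [])
        url = page.get("next")


def endpoint_url(ep: dict) -> str:
    """Rebuild the target URL from DefectDojo's split fields, dropping default ports."""
    scheme = (ep.get("protocol") or "https").lower()
    port = ep.get("port")
    host = ep["host"] if port in (None, DEFAULT_PORTS.get(scheme)) else f"{ep['host']}:{port}"
    path = "/" + (ep.get("path") or "").lstrip("/")
    return f"{scheme}://{host}{path}"


def scan_script(ep: dict) -> Optional[str]:
    """Pick the ZAP script named by the endpoint's scan-type tag; None if it carries none."""
    for tag in ep.get("tags") or []:
        if tag in SCAN_SCRIPTS:
            return SCAN_SCRIPTS[tag]
    return None


def zap_command(script: str, target: str, report: str, workdir: str) -> List[str]:
    """Build the docker argv for one scan; -J writes ZAP's JSON report into the mounted workdir."""
    return ["docker", "run", "--rm", "-v", f"{workdir}:/zap/wrk/:rw", "-t", ZAP_IMAGE,
            script, "-t", target, "-J", report]


def plan_scans(endpoints, workdir: Optional[str] = None) -> List[List[str]]:
    """One docker command per tagged endpoint; untagged endpoints are skipped, not guessed."""
    workdir = workdir or os.getcwd()
    plan = []
    for ep in endpoints:
        script = scan_script(ep)
        if script is None:
            continue
        plan.append(zap_command(script, endpoint_url(ep), f"endpoint-{ep['id']}.json", workdir))
    return plan


if __name__ == "__main__":
    # Offline run over the constructed pages; swap in dojo_fetcher(os.environ["DOJO_TOKEN"]) for real use.
    for argv in plan_scans(iter_endpoints(FIRST_URL, SAMPLE_PAGES.__getitem__)):
        print(shlex.join(argv))
```

Running it prints two docker commands (the untagged legacy endpoint on the second page is skipped); the seen-set in iter_endpoints is there because a scheduler that trusts "next" blindly will hang if a proxy or misconfigured server ever returns the same page URL twice.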
This runs a ZAP baseline scan directly against a single endpoint, bypassing the wrapper scripts in this repo. The current directory is mounted as /zap/wrk so any report files ZAP writes land there. (The owasp/zap2docker-stable image has since been superseded by ghcr.io/zaproxy/zaproxy:stable, which accepts the same arguments.)
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t ${ENDPOINT}