
Feature/lab5 #1170

Open

Troshkins wants to merge 10 commits into inno-devops-labs:main from Troshkins:feature/lab5

Conversation

@Troshkins


Goal

Run ZAP baseline and authenticated scans against OWASP Juice Shop, analyze Semgrep findings for the matching v20.0.0 source, and correlate a confirmed SQL Injection finding across both tools.

Changes

  • Added submissions/lab5.md with DAST, SAST, and correlation analysis.
  • Updated labs/lab5/scripts/zap-auth.yaml for the Docker network target and report output paths.
  • Updated labs/lab5/scripts/compare_zap.sh to compare the baseline and authenticated reports passed as arguments.

Testing

  • Started bkimminich/juice-shop:v20.0.0 on the lab5-net Docker network.

  • Ran ZAP baseline scan:

    zap-baseline.py -t http://juice-shop:3000 -r baseline-report.html -J baseline-report.json

    Result: 10 alert types — 0 High, 2 Medium, 5 Low, 3 Informational.

  • Ran authenticated ZAP Automation Framework scan:

    zap.sh -cmd -autorun /zap/wrk/scripts/zap-auth.yaml -port 8090

    Result: 12 alert types — 1 High, 4 Medium, 3 Low, 4 Informational.

  • Compared ZAP reports:

    bash labs/lab5/scripts/compare_zap.sh \
      labs/lab5/results/baseline-report.json \
      labs/lab5/results/auth-report.json

    Result: authenticated/baseline alert-type ratio = 1.20x.

  • Cloned Juice Shop source pinned to v20.0.0 and ran Semgrep:

    semgrep --config=p/owasp-top-ten \
      --config=p/javascript \
      --config=p/secrets \
      labs/lab5/semgrep/juice-shop \
      --json -o labs/lab5/results/semgrep.json \
      --severity ERROR --severity WARNING

    Result: 22 findings — 12 ERROR and 10 WARNING.

  • Confirmed correlation between:

    • ZAP SQL Injection alert at /rest/products/search?q=%27%28
    • Semgrep finding at routes/search.ts:23

Artifacts & Screenshots

  • Scan summaries, severity tables, false-positive review, and the SAST/DAST correlation report are documented in submissions/lab5.md.
  • Raw ZAP and Semgrep outputs were intentionally not committed because they are generated and reproducible.

Checklist

  • Title is clear (feat(lab5): ZAP baseline + auth + Semgrep + correlation)
  • No secrets/large temp files committed
  • Submission file at submissions/lab5.md exists
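The two analysis steps the PR describes, comparing the baseline and authenticated ZAP reports and then pairing a ZAP alert with a Semgrep finding, as an added example in Python. This is not code from the submission or from the lab repository's compare_zap.sh; it assumes the ZAP traditional JSON report layout (a top-level `site` array whose entries carry `alerts[]` with `name`, `riskcode`, `cweid` and `instances[].uri`) and Semgrep's `--json` layout (`results[]` with `check_id`, `path`, `start.line`, `extra.severity` and `extra.metadata.cwe`). The report fragments embedded below are constructed for the example, not real scan output, and the Semgrep rule ids in them are hypothetical.

```python
"""Compare two ZAP JSON reports and correlate ZAP alerts with Semgrep findings by CWE.

Added example; not part of the lab submission or of labs/lab5/scripts/compare_zap.sh.
Assumed layouts: ZAP traditional JSON report (site[].alerts[] with name, riskcode,
cweid, instances[].uri) and Semgrep --json (results[] with check_id, path,
start.line, extra.severity, extra.metadata.cwe). All data below is constructed.
"""
import json
import re
from collections import defaultdict

# Constructed ZAP baseline report fragment: two passive header alerts, no active hits.
BASELINE_JSON = json.dumps({"site": [{"@name": "http://juice-shop:3000", "alerts": [
    {"name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "cweid": "693",
     "instances": [{"uri": "http://juice-shop:3000/", "method": "GET"}]},
    {"name": "X-Content-Type-Options Header Missing", "riskcode": "1", "cweid": "693",
     "instances": [{"uri": "http://juice-shop:3000/", "method": "GET"}]},
]}]})

# Constructed authenticated-scan fragment: the same two alerts plus an active SQLi hit.
AUTH_JSON = json.dumps({"site": [{"@name": "http://juice-shop:3000", "alerts": [
    {"name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "cweid": "693",
     "instances": [{"uri": "http://juice-shop:3000/", "method": "GET"}]},
    {"name": "X-Content-Type-Options Header Missing", "riskcode": "1", "cweid": "693",
     "instances": [{"uri": "http://juice-shop:3000/", "method": "GET"}]},
    {"name": "SQL Injection", "riskcode": "3", "cweid": "89",
     "instances": [{"uri": "http://juice-shop:3000/rest/products/search?q=%27%28",
                    "method": "GET", "param": "q", "attack": "'("}]},
]}]})

# Constructed Semgrep --json fragment; the check_id values are hypothetical rule names.
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "example.sqli-raw-query", "path": "routes/search.ts", "start": {"line": 23},
     "extra": {"severity": "ERROR", "metadata": {"cwe": [
         "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"]}}},
    {"check_id": "example.csrf-missing", "path": "server.ts", "start": {"line": 40},
     "extra": {"severity": "WARNING",
               "metadata": {"cwe": "CWE-352: Cross-Site Request Forgery (CSRF)"}}},
]})

CWE_RE = re.compile(r"CWE-(\d+)")


def zap_alert_types(report_text):
    """Return {alert name: alert dict} across every site in a ZAP JSON report."""
    report = json.loads(report_text)
    return {a["name"]: a for site in report.get("site", []) for a in site.get("alerts", [])}


def compare_zap(baseline_text, auth_text):
    """Alert-type counts, the auth/baseline ratio, and alert types only the auth scan found."""
    base = zap_alert_types(baseline_text)
    auth = zap_alert_types(auth_text)
    return {
        "baseline": len(base),
        "auth": len(auth),
        "ratio": round(len(auth) / len(base), 2) if base else None,
        "only_in_auth": sorted(set(auth) - set(base)),
    }


def semgrep_cwes(result):
    """Normalise Semgrep's metadata.cwe (a string or a list of strings) to numeric CWE ids."""
    cwe = result.get("extra", {}).get("metadata", {}).get("cwe", [])
    if isinstance(cwe, str):
        cwe = [cwe]
    ids = set()
    for entry in cwe:
        m = CWE_RE.search(entry)
        if m:
            ids.add(int(m.group(1)))
    return ids


def correlate(zap_text, semgrep_text):
    """Pair each ZAP alert with the Semgrep findings that share its CWE id.

    Returns [(alert name, [instance uris], [(path:line, check_id), ...])] for every
    ZAP alert with at least one CWE match. A shared CWE is only a candidate link:
    the affected URI still has to be traced to the flagged route by hand.
    """
    by_cwe = defaultdict(list)
    for r in json.loads(semgrep_text).get("results", []):
        for cwe in semgrep_cwes(r):
            by_cwe[cwe].append((f"{r['path']}:{r['start']['line']}", r["check_id"]))
    links = []
    for name, alert in zap_alert_types(zap_text).items():
        cwe = str(alert.get("cweid", ""))
        if not cwe.isdigit() or int(cwe) not in by_cwe:  # ZAP uses "-1" for no CWE
            continue
        uris = [i["uri"] for i in alert.get("instances", [])]
        links.append((name, uris, by_cwe[int(cwe)]))
    return links


if __name__ == "__main__":
    print(json.dumps(compare_zap(BASELINE_JSON, AUTH_JSON), indent=2))
    for name, uris, findings in correlate(AUTH_JSON, SEMGREP_JSON):
        print(f"{name}: {uris} <-> {findings}")
```

Point the two loaders at real files (`open(path).read()`) to use it on the reports the PR describes. Matching on CWE rather than on alert or rule names is what makes the join survive rule renames on either side, but it deliberately over-approximates: a ZAP alert with CWE-89 and a Semgrep CWE-89 hit in an unrelated file are still only a lead until the request parameter is traced to the flagged line, which is the manual step the submission's correlation report documents.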
