Running DAST in CI/CD for Regression Testing

from zapv2 import ZAPv2
import time

# Configuration
target = 'http://example.com'
api_key = 'your-api-key'
zap_proxy = 'http://127.0.0.1:8080'

# Connect to OWASP ZAP API
zap = ZAPv2(apikey=api_key, proxies={'http': zap_proxy, 'https': zap_proxy})

# Configure Context and Authentication
context_id = zap.context.new_context('exampleContext', apikey=api_key)
zap.context.include_in_context('exampleContext', target + '.*', apikey=api_key)
zap.authentication.set_authentication_method(context_id, 'formBasedAuthentication', 
                                             'loginUrl=' + target + '/login&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D', 
                                             apikey=api_key)
zap.authentication.set_logged_in_indicator(context_id, 'pattern', apikey=api_key)
zap.authentication.set_logged_out_indicator(context_id, 'pattern', apikey=api_key)

# Set up a user
user_id = zap.users.new_user(context_id, 'testUser', apikey=api_key)
zap.users.set_authentication_credentials(context_id, user_id, 'username=test&password=secret', apikey=api_key)
zap.users.set_user_enabled(context_id, user_id, True, apikey=api_key)

# Start Spider and Active Scan
zap.spider.scan_as_user(context_id, user_id, target, recurse=True, apikey=api_key)
while int(zap.spider.status()) < 100:
    time.sleep(2)
zap.ascan.scan_as_user(context_id, user_id, target, recurse=True, apikey=api_key)

# This command will trigger a "re-test" scan on the Invicti to ensure that they've been fixed.
kdt scan -p $ProjectName -t invicti –scan-params=type:re-test

Get A Demo

GH Actions changed-files supply chain attack: What happened?

Cenk Kalpakoğlu - 18 Mar 2025

Customizable Roles and Permission in ASPM Platforms

Can Taylan Bilgin - 27 Feb 2025

The Advantage of Using VEX SBOMs

Ben Strozykowski - 18 Feb 2025

Generating build-time SBOMs with CycloneDX and Kondukto

Luis Pereira - 20 Jan 2025

Okta vulnerability explained (bcrypt auth bypass)

Cenk Kalpakoğlu - 05 Nov 2024

eBPF Vulnerabilities: Ecosystem and Security Model

Andreas Wiese - 31 Oct 2024

Ruby affected by CVE-2024-45409

Kondukto Security Team - 09 Oct 2024

Secure CodingAppSec

Linux Kernel effected by CVE-2023-2163

Kondukto Security Team - 04 Oct 2024

ASPMDevSecOps

Empowering Developers in AppSec: Scaling and Metrics

Andreas Wiese - 19 Sep 2024

DevSecOpsAppSecASPM

Protecting APIs of Modern Applications

Kondukto Security Team - 13 Sep 2024

DevSecOpsAppSec

Empowering Developers in AppSec: Triage and Collaboration

Andreas Wiese - 09 Sep 2024

DevSecOpsSecure CodingAppSec

Enhancing Vulnerability Management with Threat Intelligence

Andreas Wiese - 20 Aug 2024

AppSecUnified Vulnerability Management

Enhancing AppSec through Fuzzing in CI/CD Pipelines

Kondukto Security Team - 01 Aug 2024

Secure CodingAppSec

Git SCM affected by CVE-2024-32002

Ali Köse - 20 Jun 2024

Unified Vulnerability ManagementDevSecOps

Bring-Your-Own-Data (BYOD) to the Kondukto Platform

Cenk Kalpakoğlu - 04 Jun 2024

Google Cloud affected by CVE-2021-30476

Kondukto Security Team - 13 May 2024

DevSecOpsUnified Vulnerability Management

kntrl integrates Open Policy Agent

Cenk Kalpakoğlu - 09 May 2024

Supply Chain SecurityDevSecOpskntrl

4 Ways to Improve AppSec Accountability

Andreas Wiese - 02 May 2024

Secure CodingSASTAppSec

Securing CI/CD Runners through eBPF

Cenk Kalpakoğlu - 01 Apr 2024

AppSecSupply Chain Securitykntrl

Introducing kntrl: Enhancing CI/CD Security with eBPF

Cenk Kalpakoğlu - 14 Mar 2024

kntrlSupply Chain SecurityDevSecOps

Supply Chain Security Snags

Andreas Wiese - 07 Mar 2024

Supply Chain SecuritySBOMDevSecOps

Microsoft Azure CLI affected by CVE-2022-39327

Kondukto Security Team - 28 Feb 2024

Unified Vulnerability ManagementAppSecDevSecOps

Splunk Enterprise affected by CVE-2023-40598

Kondukto Security Team - 05 Feb 2024

Unified Vulnerability ManagementAppSecDevSecOps

Why SBOM Matters infographic

Andreas Wiese - 15 Jan 2024

Supply Chain SecuritySBOM

Create SBOM on Gradle with the CycloneDX Plugin

Alperen Örsdemir - 10 Jan 2024

ASPMSupply Chain SecuritySBOM

Enhancing Security with eBPF: Use Cases Explored

Cenk Kalpakoğlu - 28 Dec 2023

DevSecOpsContainer Security

A Look into Modern Security Orchestration

Can Taylan Bilgin - 26 Dec 2023

ASPMAppSecDevSecOps

How Malicious Code Enters Applications

Andreas Wiese - 07 Dec 2023

Supply Chain SecurityAppSecASPM

ASPM and Security Testing Orchestration

Can Taylan Bilgin - 28 Nov 2023

Supply Chain SecuritySASTASPM

Container Security: A Quick Overview

Andreas Wiese - 21 Nov 2023

Container SecurityDevSecOpsAppSec

Unveiling Java Library Vulnerabilities

Alperen Örsdemir - 31 Oct 2023

Supply Chain SecurityAppSec

Get Management Buy-in with AppSec Metrics

Cenk Kalpakoğlu - 17 Oct 2023

Secure CodingDevSecOpsAppSec

How to Streamline Vulnerability Management

Can Taylan Bilgin - 27 Sep 2023

ASPMDevSecOps

AI Remediation: A massive time-saver

Cenk Kalpakoğlu - 07 Sep 2023

Machine LearningSecure CodingAppSec

How to Shift-Left Better with Git Hooks

Cenk Kalpakoğlu - 22 Aug 2023

DevSecOpsAppSec

A Guide to Becoming a Product Security Engineer

Cenk Kalpakoğlu - 10 Jul 2023

AppSec

Top 10 Reasons To Implement An ASPM Right Now!

Can Taylan Bilgin - 30 May 2023

DevSecOpsAppSec

Demo Hub launched for Kondukto Technology Partners

Andreas Wiese - 25 Apr 2023

PartnershipsAppSecASPM

Winning Management Support as an AppSec Leader

Can Taylan Bilgin - 18 Apr 2023

DevSecOpsAppSec

How To Get Developer Buy-In For AppSec Programs

Can Taylan Bilgin - 08 Mar 2023

AppSecDevSecOps

How to integrate continuous API fuzzing into the CI/CD?

Cenk Kalpakoğlu - 17 Jan 2023

DevSecOpsAppSec

OpenAI (ChatGPT) Vulnerability Remediation Concept Work

Suphi Cankurt - 13 Dec 2022

Secure CodingAppSec

OWASP ASVS with your security testing tools

Suphi Cankurt - 28 Nov 2022

ASVSAppSec

Application Security Engineer: Salary, Skills, Requirements

Suphi Cankurt - 10 Oct 2022

AppSec

The Economics of ASPM

Can Taylan Bilgin - 27 Sep 2022

AppSec

Announcing Our Seed Round

Can Taylan Bilgin - 05 Sep 2022

What is Application Security Orchestration and Correlation?

Can Taylan Bilgin - 30 Aug 2022

AppSec

Dockerfile Security Best Practices with Semgrep

Cenk Kalpakoğlu - 25 Aug 2022

5 Essential Skills to Become a DevSecOps Engineer

Barış Ekin Yıldırım - 22 Jul 2022

DevSecOps

3 Ways Using ASVS Can Help Your Organization

Can Taylan Bilgin - 01 Jul 2022

ASVSDevSecOpsAppSec

How to boost SAST performance?

Cenk Kalpakoğlu - 20 Jun 2022

SASTDevSecOpsAppSec

Insecure Deserialization

Barış Ekin Yıldırım - 07 Jun 2022

Secure CodingAppSecInsecure Deserialization

How To Generate and Audit SBOM In a CI/CD Pipeline

Barış Ekin Yıldırım - 20 May 2022

Supply Chain SecurityDevSecOpsSBOM

Software Bill of Materials(SBOM) 101

Barış Ekin Yıldırım - 03 May 2022

Supply Chain SecuritySBOMDevSecOps

5 Common Mistakes in DevSecOps

Cenk Kalpakoğlu - 13 Apr 2022

DevSecOpsAppSec

5 Use Cases of Kondukto CLI in CI/CD pipelines

Can Taylan Bilgin - 24 Jan 2022

DevSecOpsAppSec

Vulnerability Management In Your GitFlow

Can Taylan Bilgin - 16 Sep 2021

Secure CodingAppSec

Security Training for Developers with Avatao

Can Taylan Bilgin - 05 Aug 2021

Secure CodingAppSec

The Essence of DevSecOps: Aligning Multiple Teams

Can Taylan Bilgin - 01 May 2021

DevSecOpsAppSec

How to Get the Most Out of Security Training for Developers

Can Taylan Bilgin - 23 Feb 2021

Secure CodingAppSec

Defensive Programming Tips-2: LDAP Injection

Cenk Kalpakoğlu - 21 Jan 2021

AppSecSecure Coding

4 Key Benefits of Application Security Orchestration

Can Taylan Bilgin - 30 Sep 2020

AppSec

Cybersecurity As a Marketing Activity

Can Taylan Bilgin - 25 Aug 2020

AppSec

Defensive Programming Tips-1: Bad URL Handling Patterns

Cenk Kalpakoğlu - 20 Jul 2020

AppSec

Software Developers : Scapegoats For Security Vulnerabilities

Can Taylan Bilgin - 18 Jun 2020

DevSecOps

5 Circular Phases of Sec in DevSecOps

Can Taylan Bilgin - 26 May 2020

DevSecOps

Keep Applications Secure While Keeping Your Distance

Can Taylan Bilgin - 08 Apr 2020

AppSec

DevOps vs DevSecOps Differences

Can Taylan Bilgin - 20 Feb 2020

DevSecOps

Secure Software Development Life Cycle: Beginners Guide

Can Taylan Bilgin - 23 Jan 2020

DevSecOps

How To Improve AppSec Posture For Starters

Can Taylan Bilgin - 29 Nov 2019

AppSec

Why Care About Application Security At All?

Can Taylan Bilgin - 14 Oct 2019

AppSec

Damage Limitation Strategies for Developers

Cenk Kalpakoğlu - 19 Sep 2019

Secure Coding

Automating Issue Assignment In Vulnerability Management

Kondukto - 01 Jul 2019

AppSec

What Is The Optimal Security Scan Time For My Applications?

Can Taylan Bilgin - 22 May 2019

AppSec

Keep An Eye On Your Remediation Performance

Can Taylan Bilgin - 11 Apr 2019

AppSec

Benefits of Using SAST And DAST In Tandem

Kondukto - 29 Jan 2019

SASTAppSec

Why Should “Heap Inspection” Not Be Marked As False Positive?

Cenk Kalpakoğlu - 09 Nov 2018

Secure CodingAppSec

Beginning AppSec Training Program for Developers

Cenk Kalpakoğlu - 10 Oct 2018

Secure Coding