Skip to content

Feed SonarQube with OWASP Zed Attack Proxy (ZAP) reports

License

Notifications You must be signed in to change notification settings

pdsoftplan/sonar-zap

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ZAP SonarQube Plugin

Build Status Coverage Status

Check out the ZAP Maven Plugin

This plugin enables integration between OWASP Zed Attack Proxy (ZAP) analysis results and SonarQube. It receives as input the report generated by ZAP, parses it, and define the values of the following new metrics:

  • ZAP Alerts (with the total number of alerts);
  • ZAP High Alerts;
  • ZAP Medium Alerts;
  • ZAP Low Alerts;
  • ZAP Informational Alerts.

These metrics allow you to follow the security regression of your projects through SonarQube:

ZAP widget

You can also create rules in a Quality Gate to trigger warnings and errors based on the number of identified alerts:

ZAP Quality Gate

Usage

The plugin is compatible with SonarQube 5.1 onwards.

To install and use the plugin, just download the JAR file, copy it to [your-sonarqube-installation]/extensions/plugins, and restart SonarQube.

Click here to download the plugin

If the plugin is successfully installed, it will be present in the SonarQube update center, like in the image below:

ZAP SonarQube Plugin

If the plugin isn't successfully installed, the SonarQube log will probably have details and information regarding the problem. The log can be found at [your-sonarqube-installation]/logs/sonar.log.

Configuration

The plugin accepts only one configuration property that points to the path (absolute or relative) of ZAP's HTML report. Normally, this property should be written in the project's POM file or added to the sonar-project.properties file in case SonarQube Runner is being used:

<!-- The line below should be added within the <properties> tag in the project's POM file -->
<sonar.zap.reportPath>target/zap-reports/zap-report.html</sonar.zap.reportPath>
# Or the same property can be added to the sonar-project.properties file in case SonarQube Runner is being used
sonar.zap.reportPath=target/zap-reports/zap-report.html

However, it's also possible to set the report path globally or locally for any specific project in SonarQube:

ZAP report path

If the report is found at the default path (target/zap-reports/zapReport.html), it is not necessary to define a value for the property.

About

Feed SonarQube with OWASP Zed Attack Proxy (ZAP) reports

Resources

License

Stars

Watchers

Forks

Packages

No packages published