RapiDAST

In this guide, you’ll learn how to add a custom integration test in Konflux that uses RapiDAST as a third-party tool for dynamic application security testing.

Prerequisites
  1. You have created an application in Konflux

  2. You are familiar with RapiDAST documentation

  3. You have chosen a RapiDAST configuration file and are ready, or have the necessary details, to complete one. Refer to the RapiDAST documentation for templates and examples.

  4. You have selected the scanner you want to use with RapiDAST: ZAP, Nessus, or a generic scanner. Refer to the RapiDAST documentation for available scanners and their configurations.

  5. You have access to a git repository containing the OpenAPI specification of your application or another supported entry point (e.g., endpoints, spiders, etc.).

  6. Optional - You have access to Google Cloud Storage to facilitate export and storage of scan results.

The RapiDAST scan is intended to be used in testing environments, and should not be used on production systems.

Procedure

Review the sample integration test.

Examine the following tasks/steps provided in the example. Create a new Tekton pipeline of your own that mimics these steps, modified to fit the needs of your application.

  1. Provision Environment

    • Create an ephemeral environment to deploy the application.

  2. Deploy Application (deploy-app)

    • Use the provided SNAPSHOT configuration for deployment.

    • Process deployment manifests (e.g., services, secrets, databases) and apply them to the cluster.

    • Retrieve and note the application’s URL for further testing.

  3. Set Up Testing (setup-test)

    • Configure port-forwarding to securely access the deployed application using a sidecar.

    • Authenticate with the application and obtain an authenticated base URL.

    • Prepare the RapiDAST configuration file for scanning.

  4. Run RapiDAST Scan (run-rapidast)

    • Run RapiDAST using the dynamically prepared configuration file.

    • Perform API and active scanning (e.g., ZAP) to generate security reports in JSON and HTML formats.

    • Export the results to the results/ directory for further analysis. Results may be exported to Google Cloud for storage and retrieval.
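The following Python helpers illustrate the setup-test and run-rapidast steps above: building the RapiDAST configuration from the authenticated base URL noted during deployment, and gating the pipeline on the ZAP report that RapiDAST writes to results/. This is an added example, not code from this page or from the RapiDAST or Konflux projects. The configuration keys (configVersion 5, application.url, scanners.zap.apiScan.apis.apiUrl, activeScan.policy, report.format), the ZAP JSON report layout (site[].alerts[].riskcode) and the hostnames are assumptions to check against the RapiDAST and ZAP documentation; the sample report is constructed.

```python
"""Helpers for a RapiDAST integration test: render the scan configuration
from the deployed application's URL, then decide pass/fail from the ZAP
JSON report. Constructed example; config keys and report layout are
assumptions, verify them against the RapiDAST and ZAP documentation.
"""
import json
from pathlib import Path

# Risk codes in ZAP's traditional JSON report (assumption:
# "3" = High, "2" = Medium, "1" = Low, "0" = Informational).
RISK_NAMES = {"3": "High", "2": "Medium", "1": "Low", "0": "Informational"}
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def build_rapidast_config(app_name, base_url, openapi_url):
    """Return a RapiDAST configuration dict for an API scan with ZAP.

    base_url is the authenticated application URL obtained in setup-test;
    openapi_url is the OpenAPI specification ZAP imports for the API scan.
    Key names follow RapiDAST config version 5 (assumption).
    """
    if not base_url.startswith(("http://", "https://")):
        raise ValueError(f"base_url must be absolute: {base_url!r}")
    return {
        "config": {"configVersion": 5},
        "application": {"shortName": app_name, "url": base_url},
        "scanners": {
            "zap": {
                "apiScan": {"apis": {"apiUrl": openapi_url}},
                "activeScan": {"policy": "API-scan-minimal"},
                "report": {"format": ["json", "html"]},
            }
        },
    }


def write_rapidast_config(config, path):
    """Write the config file. JSON is valid YAML, so a YAML loader reads it."""
    out = Path(path)
    out.write_text(json.dumps(config, indent=2))
    return out


def summarize_zap_report(report):
    """Count alerts per risk level in a parsed ZAP traditional JSON report."""
    counts = {name: 0 for name in RISK_ORDER}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            name = RISK_NAMES.get(str(alert.get("riskcode")), "Informational")
            counts[name] += 1
    return counts


def scan_passes(report, max_risk_allowed="Medium"):
    """Return (ok, counts); ok is False if any alert is above max_risk_allowed.

    This is the check the run-rapidast step would use to fail the pipeline.
    """
    counts = summarize_zap_report(report)
    threshold = RISK_ORDER.index(max_risk_allowed)
    failing = [name for name in RISK_ORDER[threshold + 1:] if counts[name] > 0]
    return (not failing, counts)


# Constructed sample report in the shape ZAP writes to results/ (assumption).
SAMPLE_REPORT = {
    "site": [{
        "@name": "https://myapp.example.test",
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3",
             "riskdesc": "High (Medium)"},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "riskdesc": "Low (Medium)"},
        ],
    }]
}

if __name__ == "__main__":
    cfg = build_rapidast_config("myapp", "https://myapp.example.test",
                                "https://myapp.example.test/openapi.json")
    write_rapidast_config(cfg, "rapidast-config.yaml")
    ok, counts = scan_passes(SAMPLE_REPORT)
    print(counts, "PASS" if ok else "FAIL")
```

In a pipeline, the setup-test step would call build_rapidast_config with the URL captured by deploy-app and write the file to a volume the run-rapidast step mounts; run-rapidast then invokes RapiDAST with that file and feeds the JSON report to scan_passes to set the task result. Choose max_risk_allowed deliberately: failing only on High keeps the test useful while the application's baseline is being cleaned up, and can be tightened later.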

Verification

When the new build is finished:

  1. Go to the Integration tests tab and select the highlighted name of your test.

  2. Go to the Pipeline runs tab of that test and select the most recent run.

  3. On the Details page, you can see if the test succeeded for that component. Navigate to the other tabs for more details.

  4. Edit the integration test if it is not properly configured.