Challenges running "owasp/zap2docker-stable" without docker:dind

2021-02-17 19:35:00

As part of the CDP course we're running unattended ZAP scans as part of integration testing, using the "owasp/zap2docker-stable" Docker container. The course materials tell you to run the CI/CD task using "docker:dind", a Docker-in-Docker solution. For some reason my Docker boxen aren't a fan of that; I'll have to debug that later.

Trying to run the ZAP container with a simple "shell" executor through gitlab-runner led to some fun challenges though! The course material suggests the following Docker run command:

docker run --user $(id -u):$(id -g) -w /zap -v $(pwd):/zap/wrk:rw --rm owasp/zap2docker-stable -t https://target:port -J zap-output.json

To sum it up: start the ZAP container, run the ZAP baseline script using your current UID and GID, mount your local directory as /zap/wrk and then write the results as a JSON file onto the mounted local directory.

This approach fails in two ways if you're not doing the fastest, dirty approach: running as the "root" user account.

Either you use it with "--user $(id -u):$(id -g)" and then you get the error message "Failed to start ZAP :(". Or you run it without that setting, then ZAP runs but it cannot save the output file, with a "permission denied: /zap/wrk/zap-output.json" message.

The issue here is that container has a very limited setup of users (as it should) and your uid+gid are most likely not in there. Under normal conditions, the ZAP scripts inside the container run as "zap:1000:1000" but that user doesn't have write access to your user's directory on the Docker host.

So... If you're running the ZAP container directly on your host and not as DinD, then you'll need to setup a temporary directory and setup write access for either uid:1000 or gid:1000 to it. The latter feels "better" to me. Then we'll end up with this (assuming Gitlab):

    stage: integration
    dependencies: []
    allow_failure: true
        - shell
        - docker pull owasp/zap2docker-stable
        - mkdir output; chgrp -f 1000 output; chmod 770 output; cd output
        - docker run --rm -v $(pwd):/zap/wrk owasp/zap2docker-stable -t http://target:port -J zap-output.json
        paths: [output/zap-output.json]
        when: always tags: , ,

View or add comments (curr. 0)