How to run ZAP Scan to scan another container

Question

I'm a total newbie in DevSecOps. Recently I try to implement DAST in the Gitlab CICD pipeline but somehow ZAP wasn't able to access the host.

For the start, here is my gitlab-ce.yml

services:
    - docker:dind

before_script:
    - docker info

stages:
    - build
    - test


create_docker:
    stage: build
    script:
        # https://community.wia.io/d/15-accessing-the-host-from-inside-a-docker-container
        - docker run --rm -d -t -p 80:80 --network="host" yeasy/simple-web:latest       

DAST_Scan:
    stage: test
    script:
        - docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://$(ip -f inet -o addr show eth0 | awk '{print $4}' | cut -d '/' -f 1):80
    allow_failure: true

I tested the yeasy/simple-web:latest registry and seems that the webserver was running fine. To keep it running, i detached the process as shown on the build stage.

But on Dast scan job, ZAP keep coming up with this error

Status: Downloaded newer image for owasp/zap2docker-weekly:latest
2021-04-22 23:28:32,350 Could not find custom hooks file at /home/zap/.zap_hooks.py 
Apr 22, 2021 11:28:41 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
ERROR [Errno 5] ZAP failed to access: http://172.17.0.3:80
2021-04-22 23:28:47,657 I/O error: [Errno 5] ZAP failed to access: http://172.17.0.3:80
Traceback (most recent call last):
  File "/zap/zap-baseline.py", line 331, in main
    zap_access_target(zap, target)
  File "/zap/zap_common.py", line 104, in _wrap
    return_data = func(*args_list, **kwargs)
  File "/zap/zap_common.py", line 387, in zap_access_target
    raise IOError(errno.EIO, 'ZAP failed to access: {0}'.format(target))
OSError: [Errno 5] ZAP failed to access: http://172.17.0.3:80
Found Java version 11.0.10

What is the correct way to do this kind of scan? how to fix this since im stuck here almost a week now.

Answer 1

We have a FAQ for that :) https://www.zaproxy.org/faq/why-cant-zap-connect-to-my-website/

Basically this is highly unlikely to be a ZAP problem, its much more likely to be a Docker networking issue. You can double check that by using curl as per the FAQ.

The solution? Also in the ZAP docs: https://www.zaproxy.org/docs/docker/about/#scanning-an-app-running-in-another-docker-container