@synapta/skills 0.1.1 → 0.2.0

package/skills/dast-zap/assets/gitlab_ci.yml

@@ -0,0 +1,226 @@
+# GitLab CI/CD Pipeline for OWASP ZAP Security Scanning
+# Add this to your .gitlab-ci.yml file
+
+stages:
+  - security
+  - report
+
+variables:
+  ZAP_IMAGE: "zaproxy/zap-stable:latest"
+  STAGING_URL: "https://staging.example.com"
+  REPORTS_DIR: "security-reports"
+
+# Baseline scan for all merge requests
+zap_baseline_scan:
+  stage: security
+  image: docker:latest
+  services:
+    - docker:dind
+  script:
+    - mkdir -p $REPORTS_DIR
+    - |
+      docker run --rm \
+        -v $(pwd)/$REPORTS_DIR:/zap/wrk/:rw \
+        $ZAP_IMAGE \
+        zap-baseline.py \
+        -t $STAGING_URL \
+        -r /zap/wrk/baseline-report.html \
+        -J /zap/wrk/baseline-report.json \
+        -w /zap/wrk/baseline-report.md \
+        || true
+    - echo "Baseline scan completed"
+  artifacts:
+    when: always
+    paths:
+      - $REPORTS_DIR/
+    reports:
+      junit: $REPORTS_DIR/baseline-report.xml
+    expire_in: 1 week
+  only:
+    - merge_requests
+    - develop
+    - main
+  tags:
+    - docker
+
+# Full active scan (manual trigger for staging)
+zap_full_scan:
+  stage: security
+  image: docker:latest
+  services:
+    - docker:dind
+  script:
+    - mkdir -p $REPORTS_DIR
+    - |
+      docker run --rm \
+        -v $(pwd)/$REPORTS_DIR:/zap/wrk/:rw \
+        -v $(pwd)/.zap:/zap/config/:ro \
+        $ZAP_IMAGE \
+        zap-full-scan.py \
+        -t $STAGING_URL \
+        -c /zap/config/rules.tsv \
+        -r /zap/wrk/full-scan-report.html \
+        -J /zap/wrk/full-scan-report.json \
+        -x /zap/wrk/full-scan-report.xml \
+        || true
+    # Check for high-risk findings
+    - |
+      if command -v jq &> /dev/null; then
+        HIGH_COUNT=$(jq '[.site[].alerts[] | select(.risk == "High")] | length' $REPORTS_DIR/full-scan-report.json)
+        echo "High risk findings: $HIGH_COUNT"
+        if [ "$HIGH_COUNT" -gt 0 ]; then
+          echo "❌ Security scan failed: $HIGH_COUNT high-risk vulnerabilities"
+          exit 1
+        fi
+      fi
+  artifacts:
+    when: always
+    paths:
+      - $REPORTS_DIR/
+    expire_in: 4 weeks
+  only:
+    - develop
+  when: manual
+  allow_failure: false
+  tags:
+    - docker
+
+# API security scan
+zap_api_scan:
+  stage: security
+  image: docker:latest
+  services:
+    - docker:dind
+  script:
+    - mkdir -p $REPORTS_DIR
+    - |
+      if [ -f "openapi.yaml" ]; then
+        docker run --rm \
+          -v $(pwd)/$REPORTS_DIR:/zap/wrk/:rw \
+          -v $(pwd):/zap/specs/:ro \
+          $ZAP_IMAGE \
+          zap-api-scan.py \
+          -t $STAGING_URL \
+          -f openapi \
+          -d /zap/specs/openapi.yaml \
+          -r /zap/wrk/api-scan-report.html \
+          -J /zap/wrk/api-scan-report.json \
+          || true
+      else
+        echo "OpenAPI specification not found, skipping API scan"
+      fi
+  artifacts:
+    when: always
+    paths:
+      - $REPORTS_DIR/
+    expire_in: 1 week
+  only:
+    - merge_requests
+    - develop
+  allow_failure: true
+  tags:
+    - docker
+
+# Authenticated scan (requires test credentials)
+zap_authenticated_scan:
+  stage: security
+  image: python:3.11-slim
+  before_script:
+    - apt-get update && apt-get install -y docker.io
+  script:
+    - mkdir -p $REPORTS_DIR
+    - |
+      python3 scripts/zap_auth_scanner.py \
+        --target $STAGING_URL \
+        --auth-type form \
+        --login-url $STAGING_URL/login \
+        --username $TEST_USERNAME \
+        --password-env TEST_PASSWORD \
+        --output $REPORTS_DIR/authenticated-scan-report.html
+  artifacts:
+    when: always
+    paths:
+      - $REPORTS_DIR/
+    expire_in: 4 weeks
+  only:
+    - develop
+  when: manual
+  tags:
+    - docker
+
+# Security gate - check thresholds
+security_gate:
+  stage: report
+  image: alpine:latest
+  before_script:
+    - apk add --no-cache jq
+  script:
+    - |
+      if [ -f "$REPORTS_DIR/baseline-report.json" ]; then
+        HIGH_COUNT=$(jq '[.site[].alerts[] | select(.risk == "High")] | length' $REPORTS_DIR/baseline-report.json)
+        MEDIUM_COUNT=$(jq '[.site[].alerts[] | select(.risk == "Medium")] | length' $REPORTS_DIR/baseline-report.json)
+
+        echo "==================================="
+        echo "Security Scan Results"
+        echo "==================================="
+        echo "High risk findings:   $HIGH_COUNT"
+        echo "Medium risk findings: $MEDIUM_COUNT"
+        echo "==================================="
+
+        # Fail on high-risk findings
+        if [ "$HIGH_COUNT" -gt 0 ]; then
+          echo "❌ Build failed: High-risk vulnerabilities detected"
+          exit 1
+        fi
+
+        # Warn on medium-risk findings above threshold
+        if [ "$MEDIUM_COUNT" -gt 10 ]; then
+          echo "⚠️  Warning: $MEDIUM_COUNT medium-risk findings (threshold: 10)"
+        fi
+
+        echo "✅ Security gate passed"
+      else
+        echo "No scan report found, skipping security gate"
+      fi
+  dependencies:
+    - zap_baseline_scan
+  only:
+    - merge_requests
+    - develop
+    - main
+
+# Generate consolidated report
+generate_report:
+  stage: report
+  image: alpine:latest
+  before_script:
+    - apk add --no-cache jq curl
+  script:
+    - |
+      echo "# Security Scan Report" > $REPORTS_DIR/summary.md
+      echo "" >> $REPORTS_DIR/summary.md
+      echo "**Scan Date:** $(date)" >> $REPORTS_DIR/summary.md
+      echo "**Target:** $STAGING_URL" >> $REPORTS_DIR/summary.md
+      echo "" >> $REPORTS_DIR/summary.md
+      echo "## Findings Summary" >> $REPORTS_DIR/summary.md
+      echo "" >> $REPORTS_DIR/summary.md
+
+      if [ -f "$REPORTS_DIR/baseline-report.json" ]; then
+        echo "| Risk Level | Count |" >> $REPORTS_DIR/summary.md
+        echo "|------------|-------|" >> $REPORTS_DIR/summary.md
+        jq -r '.site[].alerts[] | .risk' $REPORTS_DIR/baseline-report.json | \
+          sort | uniq -c | awk '{print "| " $2 " | " $1 " |"}' >> $REPORTS_DIR/summary.md
+      fi
+
+      cat $REPORTS_DIR/summary.md
+  artifacts:
+    when: always
+    paths:
+      - $REPORTS_DIR/summary.md
+    expire_in: 4 weeks
+  dependencies:
+    - zap_baseline_scan
+  only:
+    - merge_requests
+    - develop
+    - main

package/skills/dast-zap/assets/zap_automation.yaml

@@ -0,0 +1,196 @@
+# OWASP ZAP Automation Framework Configuration
+# Complete automation workflow for web application security testing
+
+env:
+  contexts:
+    - name: WebApp-Security-Scan
+      urls:
+        - ${TARGET_URL}
+      includePaths:
+        - ${TARGET_URL}.*
+      excludePaths:
+        - .*logout.*
+        - .*signout.*
+        - .*\\.css
+        - .*\\.js
+        - .*\\.png
+        - .*\\.jpg
+        - .*\\.gif
+        - .*\\.svg
+      authentication:
+        method: form
+        parameters:
+          loginUrl: ${LOGIN_URL}
+          loginRequestData: username={%username%}&password={%password%}
+        verification:
+          method: response
+          loggedInRegex: "\\QWelcome\\E"
+          loggedOutRegex: "\\QLogin\\E"
+      sessionManagement:
+        method: cookie
+        parameters:
+          sessionCookieName: JSESSIONID
+      users:
+        - name: test-user
+          credentials:
+            username: ${TEST_USERNAME}
+            password: ${TEST_PASSWORD}
+
+  parameters:
+    failOnError: true
+    failOnWarning: false
+    progressToStdout: true
+
+  vars:
+    target_url: ${TARGET_URL}
+    api_key: ${ZAP_API_KEY}
+
+jobs:
+  # Environment setup
+  - type: environment
+    parameters:
+      deleteGlobalAlerts: true
+      updateAddOns: true
+
+  # Import OpenAPI specification (if available)
+  - type: openapi
+    parameters:
+      apiFile: ${OPENAPI_SPEC_FILE}
+      apiUrl: ${TARGET_URL}
+      targetUrl: ${TARGET_URL}
+      context: WebApp-Security-Scan
+    optional: true
+
+  # Spider crawling
+  - type: spider
+    parameters:
+      context: WebApp-Security-Scan
+      user: test-user
+      maxDuration: 10
+      maxDepth: 5
+      maxChildren: 10
+      acceptCookies: true
+      handleODataParametersVisited: true
+      parseComments: true
+      parseRobotsTxt: true
+      parseSitemapXml: true
+      parseSVNEntries: true
+      parseGit: true
+      postForm: true
+      processForm: true
+      requestWaitTime: 200
+
+  # AJAX Spider for JavaScript-heavy applications
+  - type: spiderAjax
+    parameters:
+      context: WebApp-Security-Scan
+      user: test-user
+      maxDuration: 10
+      maxCrawlDepth: 5
+      numberOfBrowsers: 2
+      browserId: firefox-headless
+      clickDefaultElems: true
+      clickElemsOnce: true
+      eventWait: 1000
+      reloadWait: 1000
+    optional: true
+
+  # Wait for passive scanning to complete
+  - type: passiveScan-wait
+    parameters:
+      maxDuration: 5
+
+  # Configure passive scan rules
+  - type: passiveScan-config
+    parameters:
+      maxAlertsPerRule: 10
+      scanOnlyInScope: true
+      enableTags: true
+      disableRules:
+        - 10096  # Timestamp Disclosure (informational)
+
+  # Active scanning
+  - type: activeScan
+    parameters:
+      context: WebApp-Security-Scan
+      user: test-user
+      policy: Default Policy
+      maxRuleDurationInMins: 5
+      maxScanDurationInMins: 30
+      addQueryParam: false
+      defaultPolicy: Default Policy
+      delayInMs: 0
+      handleAntiCSRFTokens: true
+      injectPluginIdInHeader: false
+      scanHeadersAllRequests: false
+      threadPerHost: 2
+
+  # Wait for active scanning to complete
+  - type: activeScan-wait
+
+  # Generate reports
+  - type: report
+    parameters:
+      template: traditional-html
+      reportDir: ${REPORT_DIR}
+      reportFile: security-report.html
+      reportTitle: Web Application Security Assessment
+      reportDescription: Automated DAST scan using OWASP ZAP
+      displayReport: false
+
+  - type: report
+    parameters:
+      template: traditional-json
+      reportDir: ${REPORT_DIR}
+      reportFile: security-report.json
+      reportTitle: Web Application Security Assessment
+
+  - type: report
+    parameters:
+      template: traditional-xml
+      reportDir: ${REPORT_DIR}
+      reportFile: security-report.xml
+      reportTitle: Web Application Security Assessment
+
+  - type: report
+    parameters:
+      template: sarif-json
+      reportDir: ${REPORT_DIR}
+      reportFile: security-report.sarif
+      reportTitle: Web Application Security Assessment (SARIF)
+    optional: true
+
+# Alert filters (false positive suppression)
+alertFilters:
+  - ruleId: 10021
+    newRisk: Info
+    url: ".*\\.css|.*\\.js|.*cdn\\..*"
+    context: WebApp-Security-Scan
+
+  - ruleId: 10096
+    newRisk: Info
+    url: ".*api\\..*"
+    parameter: "created_at|updated_at|timestamp"
+    context: WebApp-Security-Scan
+
+# Scan policies
+policies:
+  - name: Default Policy
+    defaultStrength: Medium
+    defaultThreshold: Medium
+    rules:
+      - id: 40018  # SQL Injection
+        strength: High
+        threshold: Low
+      - id: 40012  # Cross-Site Scripting (Reflected)
+        strength: High
+        threshold: Low
+      - id: 40014  # Cross-Site Scripting (Persistent)
+        strength: High
+        threshold: Low
+      - id: 90019  # Server-Side Code Injection
+        strength: High
+        threshold: Low
+      - id: 90020  # Remote OS Command Injection
+        strength: High
+        threshold: Low

package/skills/dast-zap/assets/zap_context.xml

@@ -0,0 +1,192 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  OWASP ZAP Authentication Context Template
+  Configure this file for form-based, HTTP, or script-based authentication
+-->
+<configuration>
+    <context>
+        <!-- Context Name -->
+        <name>WebApp-Auth-Context</name>
+        <desc>Authentication context for web application security testing</desc>
+
+        <!-- Enable context -->
+        <inscope>true</inscope>
+
+        <!-- URL Scope Definition -->
+        <!-- Include all URLs under target domain -->
+        <incregexes>https://app\.example\.com/.*</incregexes>
+
+        <!-- Exclude logout and static content -->
+        <excregexes>https://app\.example\.com/logout</excregexes>
+        <excregexes>https://app\.example\.com/signout</excregexes>
+        <excregexes>https://app\.example\.com/static/.*</excregexes>
+        <excregexes>.*\.css</excregexes>
+        <excregexes>.*\.js</excregexes>
+        <excregexes>.*\.png|.*\.jpg|.*\.gif</excregexes>
+
+        <!-- Technology Detection -->
+        <tech>
+            <include>Language</include>
+            <include>Language.JavaScript</include>
+            <include>OS</include>
+            <include>OS.Linux</include>
+            <include>WS</include>
+        </tech>
+
+        <!-- Authentication Configuration -->
+        <authentication>
+            <!--
+              Authentication Types:
+              - formBasedAuthentication: Traditional login forms
+              - httpAuthentication: HTTP Basic/Digest/NTLM
+              - scriptBasedAuthentication: Custom authentication via script
+            -->
+            <type>formBasedAuthentication</type>
+
+            <!-- Form-Based Authentication -->
+            <form>
+                <!-- Login URL -->
+                <loginurl>https://app.example.com/login</loginurl>
+
+                <!-- Login Request Body (POST parameters) -->
+                <!-- Use {%username%} and {%password%} as placeholders -->
+                <loginbody>username={%username%}&amp;password={%password%}&amp;csrf_token={%csrf_token%}</loginbody>
+
+                <!-- Login Page URL (where login form is displayed) -->
+                <loginpageurl>https://app.example.com/login</loginpageurl>
+            </form>
+
+            <!-- HTTP Authentication (uncomment if using) -->
+            <!--
+            <http>
+                <realm>Protected Area</realm>
+                <hostname>app.example.com</hostname>
+                <port>443</port>
+            </http>
+            -->
+
+            <!-- Logged-In Indicator (regex pattern that appears when logged in) -->
+            <!-- This helps ZAP determine if authentication succeeded -->
+            <loggedin>\QWelcome,\E</loggedin>
+            <!-- Alternative patterns:
+            <loggedin>\QLogout\E</loggedin>
+            <loggedin>\Qdashboard\E</loggedin>
+            <loggedin>class="user-menu"</loggedin>
+            -->
+
+            <!-- Logged-Out Indicator (regex pattern that appears when logged out) -->
+            <loggedout>\QYou are not logged in\E</loggedout>
+            <!-- Alternative patterns:
+            <loggedout>\QLogin\E</loggedout>
+            <loggedout>\QSign In\E</loggedout>
+            -->
+
+            <!-- Poll URL for verification (optional) -->
+            <pollurl>https://app.example.com/api/session/verify</pollurl>
+            <polldata></polldata>
+            <pollfreq>60</pollfreq>
+        </authentication>
+
+        <!-- Session Management -->
+        <sessionManagement>
+            <!--
+              Session Management Types:
+              - cookieBasedSessionManagement: Session via cookies (most common)
+              - httpAuthSessionManagement: HTTP authentication
+              - scriptBasedSessionManagement: Custom session handling
+            -->
+            <type>cookieBasedSessionManagement</type>
+
+            <!-- Session cookies to monitor -->
+            <sessioncookies>
+                <cookie>JSESSIONID</cookie>
+                <cookie>PHPSESSID</cookie>
+                <cookie>sessionid</cookie>
+                <cookie>session_token</cookie>
+            </sessioncookies>
+        </sessionManagement>
+
+        <!-- Test Users -->
+        <users>
+            <!-- User 1: Standard test user -->
+            <user>
+                <name>testuser</name>
+                <enabled>true</enabled>
+                <credentials>
+                    <credential>
+                        <name>username</name>
+                        <value>testuser</value>
+                    </credential>
+                    <credential>
+                        <name>password</name>
+                        <value>TestPassword123!</value>
+                    </credential>
+                    <!-- CSRF token (if needed) -->
+                    <!--
+                    <credential>
+                        <name>csrf_token</name>
+                        <value></value>
+                    </credential>
+                    -->
+                </credentials>
+            </user>
+
+            <!-- User 2: Admin user (if testing authorization) -->
+            <user>
+                <name>adminuser</name>
+                <enabled>false</enabled>
+                <credentials>
+                    <credential>
+                        <name>username</name>
+                        <value>adminuser</value>
+                    </credential>
+                    <credential>
+                        <name>password</name>
+                        <value>AdminPassword123!</value>
+                    </credential>
+                </credentials>
+            </user>
+        </users>
+
+        <!-- Forced User Mode (for authorization testing) -->
+        <!--
+          Enables testing if authenticated user can access resources
+          they shouldn't have access to
+        -->
+        <forcedUserMode>false</forcedUserMode>
+
+        <!-- Data Driven Nodes -->
+        <!--
+          For testing parameters with different values
+        -->
+        <datadrivennodes>
+            <node>
+                <name>user_id</name>
+                <url>https://app.example.com/api/users/{user_id}</url>
+            </node>
+        </datadrivennodes>
+    </context>
+
+    <!-- Global Exclude URLs (applied to all contexts) -->
+    <globalexcludeurl>
+        <regex>https://.*\.googleapis\.com/.*</regex>
+        <regex>https://.*\.google-analytics\.com/.*</regex>
+        <regex>https://.*\.googletagmanager\.com/.*</regex>
+        <regex>https://cdn\..*</regex>
+    </globalexcludeurl>
+
+    <!-- Anti-CSRF Token Configuration -->
+    <anticsrf>
+        <!-- Enable anti-CSRF token handling -->
+        <enabled>true</enabled>
+
+        <!-- Token names to automatically detect and handle -->
+        <tokennames>
+            <tokenname>csrf_token</tokenname>
+            <tokenname>csrftoken</tokenname>
+            <tokenname>_csrf</tokenname>
+            <tokenname>authenticity_token</tokenname>
+            <tokenname>__RequestVerificationToken</tokenname>
+        </tokennames>
+    </anticsrf>
+</configuration>

package/skills/dast-zap/references/EXAMPLE.md

@@ -0,0 +1,40 @@
+# Reference Document Template
+
+This file contains detailed reference material that Claude should load only when needed.
+
+## Table of Contents
+
+- [Section 1](#section-1)
+- [Section 2](#section-2)
+- [Security Standards](#security-standards)
+
+## Section 1
+
+Detailed information, schemas, or examples that are too large for SKILL.md.
+
+## Section 2
+
+Additional reference material.
+
+## Security Standards
+
+### OWASP Top 10
+
+Reference relevant OWASP categories:
+- A01: Broken Access Control
+- A02: Cryptographic Failures
+- etc.
+
+### CWE Mappings
+
+Map to relevant Common Weakness Enumeration categories:
+- CWE-79: Cross-site Scripting
+- CWE-89: SQL Injection
+- etc.
+
+### MITRE ATT&CK
+
+Reference relevant tactics and techniques if applicable:
+- TA0001: Initial Access
+- T1190: Exploit Public-Facing Application
+- etc.