purpleteam-s2-containers dynamically deploys the Stage Two containers of OWASP PurpleTeam to automate application security scanning and testing.
Stage Two containers of OWASP PurpleTeam
This tool is designed for security professionals and DevSecOps teams who want to automate vulnerability scanning within their application testing workflows using OWASP PurpleTeam's Stage Two containers. It enables dynamic container orchestration based on defined scanning jobs, facilitating integration of security automation in local or cloud environments.
The same ZAP_API_KEY value must be configured in both the app-emissary environment and the app-scanner project configuration, otherwise requests to the Zap API will fail to authenticate. For local debugging, uncomment the volume mounts for the Log4j properties file to enable detailed Zap debug logs. The tool depends on the orchestrator for ephemeral file handling and for keeping environment variables consistent across containers; cloud deployments handle these configurations automatically.
Setup steps:

1. Clone the repository: git clone https://github.com/purpleteam-labs/purpleteam-s2-containers
2. Navigate to the app-emissary directory.
3. Rename .env.example to .env and configure the environment variables accordingly:
   - Set ZAP_API_KEY to a chosen value and ensure it matches the app-scanner project configuration.
   - Set HOST_DIR_APP_SCANNER to the directory used by the App Tester for ephemeral files.
   - Set ZAP_DIR_APP_SCANNER_MOUNT_TARGET to the mount target directory inside the container.
   - Optionally configure HOST_ZAP_LOG4J_PROPERTIES_PATH and ZAP_LOG4J_PROPERTIES_PATH_MOUNT_TARGET for debug logging.
4. Run the containers locally, or rely on cloud orchestration for automated setup.
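As an added example (not code from the purpleteam-s2-containers project), the following POSIX sh check validates the app-emissary .env produced in step 3 before the containers are started. It assumes the .env holds plain KEY=value lines and takes the app-scanner's ZAP API key as an argument, since this page does not say where that project stores it; the sample .env is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the purpleteam-s2-containers project.
# Assumptions: app-emissary/.env holds plain KEY=value lines (quotes are taken
# literally), and the app-scanner's ZAP API key is passed in as an argument.

# env_value FILE KEY: print the value of KEY in FILE (last definition wins).
env_value() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_s2_env FILE SCANNER_ZAP_API_KEY: return 0 when every required
# variable is set and the ZAP API keys agree, otherwise print each problem
# and return 1.
check_s2_env() {
  env_file=$1
  scanner_key=$2
  rc=0
  for key in ZAP_API_KEY HOST_DIR_APP_SCANNER ZAP_DIR_APP_SCANNER_MOUNT_TARGET; do
    if [ -z "$(env_value "$env_file" "$key")" ]; then
      echo "missing or empty: $key"
      rc=1
    fi
  done
  if [ "$(env_value "$env_file" ZAP_API_KEY)" != "$scanner_key" ]; then
    echo "ZAP_API_KEY in $env_file does not match the app-scanner configuration"
    rc=1
  fi
  # The Log4j debug mount is optional, but half-configured it does nothing useful.
  host_log4j=$(env_value "$env_file" HOST_ZAP_LOG4J_PROPERTIES_PATH)
  target_log4j=$(env_value "$env_file" ZAP_LOG4J_PROPERTIES_PATH_MOUNT_TARGET)
  if [ -n "$host_log4j$target_log4j" ] && { [ -z "$host_log4j" ] || [ -z "$target_log4j" ]; }; then
    echo "set both HOST_ZAP_LOG4J_PROPERTIES_PATH and ZAP_LOG4J_PROPERTIES_PATH_MOUNT_TARGET, or neither"
    rc=1
  fi
  return $rc
}

# Constructed sample .env for demonstration; point at app-emissary/.env instead.
SAMPLE_ENV=$(mktemp)
cat > "$SAMPLE_ENV" <<'EOF'
ZAP_API_KEY=example-key-change-me
HOST_DIR_APP_SCANNER=/tmp/app-scanner
ZAP_DIR_APP_SCANNER_MOUNT_TARGET=/mnt/app-scanner
EOF

check_s2_env "$SAMPLE_ENV" example-key-change-me && echo "app-emissary .env looks consistent"
```

Run it as `check_s2_env app-emissary/.env "<key from app-scanner config>"` and fix every reported line before starting the containers.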
While the containers are running:

- docker stats: check the running appemissary_zap_[n] containers and their resource usage.
- Interact with the Zap API via a browser to query and monitor the state of the Zap scanner container during tests.