The repository is supposed to implement SAST+DAST checks using github actions against a vulnerable python application which allows RCE. Goal is to detect it before it gets pushed into production.
- Python vulnerable RCE application
- Github actions (executes on PR to main/master branch)
- Implement SAST using bandit
- Implement DAST using OWASP ZAP (need app deployed somewhere - k8s to the rescue!)
- Deploy application using Kubernetes for OWASP ZAP scan
- Post gist of found vulnerabilities in Slack
- SAST - Use hashicorp vault to reference slack bot credentials
- DAST - Use hashicorp vault to reference slack bot credentials