
Releases: RedHatProductSecurity/rapidast

v2.7.0

06 Sep 08:00
edf46d9

RapiDAST core changes

  • Add a function to remove recursive ref in OpenAPI documents (#201)

Scanners changes

  • ZAP: add HTTP Header authentication method (#203)
  • ZAP: add browser authentication method (#209)
  • ZAP: add warning in the 'none' container mode when there is little shared memory (#199)
  • ZAP: check pid limits for running AjaxSpider and warn/remove the limits (#200)
  • oobtkube: add INFO logs to show test progress (#202)
  • oobtkube: handle socket_timeout (#206)
  • oobtkube: suppress kube API errors unless debug logging (#204)
  • oobtkube: add a check for authentication to the Kubernetes cluster (#208)
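
The recursive-ref removal for OpenAPI documents (#201) is only a one-line entry above. The following is an added illustration of the idea, written for this page and not the function from that PR: walk the local `$ref` graph under `components/schemas` with a depth-first search, report the edges that close a cycle, and replace exactly those `$ref` objects with a placeholder schema so that a resolver which inlines references does not recurse forever. The sample document, the placeholder schema and the function names are constructed for the example.

```python
import copy
import json
from typing import Any, Dict, List, Optional, Tuple

REF_PREFIX = "#/components/schemas/"

# Constructed OpenAPI document (not from the project): Node refers to itself,
# Team and Person refer to each other, and Address is a plain leaf schema.
SAMPLE_DOC = {
    "openapi": "3.0.0",
    "info": {"title": "constructed sample", "version": "1"},
    "paths": {},
    "components": {
        "schemas": {
            "Node": {
                "type": "object",
                "properties": {
                    "name": {"type": "string"},
                    "children": {"type": "array", "items": {"$ref": "#/components/schemas/Node"}},
                },
            },
            "Team": {"type": "object", "properties": {"lead": {"$ref": "#/components/schemas/Person"}}},
            "Person": {
                "type": "object",
                "properties": {
                    "team": {"$ref": "#/components/schemas/Team"},
                    "address": {"$ref": "#/components/schemas/Address"},
                },
            },
            "Address": {"type": "object", "properties": {"city": {"type": "string"}}},
        }
    },
}


def _collect_refs(node: Any, found: List[str]) -> None:
    """Append the names of all local schema references found under node."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith(REF_PREFIX):
            found.append(ref[len(REF_PREFIX):])
        for value in node.values():
            _collect_refs(value, found)
    elif isinstance(node, list):
        for item in node:
            _collect_refs(item, found)


def find_recursive_refs(doc: dict) -> List[Tuple[str, str]]:
    """Return (source, target) schema pairs whose $ref closes a cycle.

    Depth-first search over the reference graph: an edge to a schema that is
    still on the recursion stack is a back edge, i.e. part of a cycle.
    """
    schemas = doc.get("components", {}).get("schemas", {})
    graph: Dict[str, List[str]] = {}
    for name, schema in schemas.items():
        refs: List[str] = []
        _collect_refs(schema, refs)
        graph[name] = refs

    UNSEEN, ACTIVE, DONE = 0, 1, 2
    state = {name: UNSEEN for name in graph}
    back_edges: List[Tuple[str, str]] = []

    def visit(name: str) -> None:
        state[name] = ACTIVE
        for target in graph[name]:
            if target not in state:
                continue  # dangling reference: not a cycle, left for a validator
            if state[target] == ACTIVE:
                back_edges.append((name, target))
            elif state[target] == UNSEEN:
                visit(target)
        state[name] = DONE

    for name in sorted(graph):  # sorted so the cut edges are deterministic
        if state[name] == UNSEEN:
            visit(name)
    return back_edges


def _replace_ref(node: Any, ref: str, placeholder: dict) -> int:
    """Replace every {"$ref": ref} object under node with the placeholder; return the count."""
    count = 0
    if isinstance(node, dict):
        if node.get("$ref") == ref:
            node.clear()
            node.update(copy.deepcopy(placeholder))
            return 1
        for value in node.values():
            count += _replace_ref(value, ref, placeholder)
    elif isinstance(node, list):
        for item in node:
            count += _replace_ref(item, ref, placeholder)
    return count


def remove_recursive_refs(doc: dict, placeholder: Optional[dict] = None) -> Tuple[dict, List[Tuple[str, str]]]:
    """Return a deep copy of doc with cycle-closing $refs replaced, plus the edges that were cut."""
    placeholder = placeholder or {"type": "object", "description": "recursive reference removed"}
    cut = find_recursive_refs(doc)
    cleaned = copy.deepcopy(doc)  # the caller's document is left untouched
    schemas = cleaned["components"]["schemas"]
    for source, target in cut:
        _replace_ref(schemas[source], REF_PREFIX + target, placeholder)
    return cleaned, cut


if __name__ == "__main__":
    cleaned_doc, cut_edges = remove_recursive_refs(SAMPLE_DOC)
    print("cut edges:", cut_edges)
    print(json.dumps(cleaned_doc["components"]["schemas"], indent=2))
```

Only the edge that closes each cycle is cut, so `Person -> Address` and `Person -> Team` survive; which edge of a two-schema cycle gets cut depends on traversal order, so the returned list should be logged next to the scan so that findings against the placeholder schema can be read correctly.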

v2.6.0

12 Jul 07:08
3ca484c

Features:

  • Store results in external storage (GCP) for asynchronous consumption

Fixes:

  • Fixed the ZAP path in the config template for macOS, which broke because ZAP is no longer part of OWASP
  • Updated the default ZAP image URL to the latest one
  • [ZAP] Accounted for the Ajax spider's large shared-memory requirement
  • Resolved a crawl failure specific to OpenShift environments

v2.5.1

16 Apr 22:46
c700680

v2.5.1 changes:

  • Fixed an issue where scans failed in a certain scenario when a proxy is used
  • Fixed an issue where the Ajax spider fails in a Jenkins environment
  • Suppressed the oobtkube script's debug messages

v2.5.0

12 Mar 08:28
46ed563

v2.5.0 changes:

  • Added Aqua Trivy, which can scan clusters, workloads and container images
  • Added Trivy scan configuration template files
  • Added a script to convert Trivy Kubernetes scan results to SARIF for DefectDojo integration
  • Added Redocly, which can resolve $ref in OpenAPI documents
  • The base directory for Helm-chart scans has changed to '/opt/rapidast/results'
  • Upgraded ZAP to v2.14
  • Updated the README with instructions for handling large OpenAPI documents
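
The Trivy-to-SARIF conversion script from this release is not reproduced on this page. The following is an added example of that kind of conversion, written for this page rather than taken from the RapiDAST repository. It assumes Trivy's JSON layout of a `Results` list whose entries carry `Target`, `Vulnerabilities` and `Misconfigurations`; the `trivy k8s` report wraps such lists per cluster resource, and flattening them into one list is left to the caller (an assumption, not shown here). The sample report, its IDs and its URLs are constructed.

```python
import json
from typing import Dict, List

# Trivy severities mapped onto SARIF's three result levels. DefectDojo's
# SARIF importer reads the level together with the rule metadata.
SEVERITY_TO_LEVEL = {
    "CRITICAL": "error",
    "HIGH": "error",
    "MEDIUM": "warning",
    "LOW": "note",
    "UNKNOWN": "note",
}

# Constructed sample in the shape of Trivy's JSON output; the IDs are made up.
SAMPLE_TRIVY = {
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "registry.example/app:1.0 (alpine 3.18.0)",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "TEST-0001",
                    "PkgName": "libexample",
                    "InstalledVersion": "1.0.0",
                    "FixedVersion": "1.0.1",
                    "Severity": "HIGH",
                    "Title": "libexample buffer overflow (constructed)",
                    "Description": "Constructed description.",
                    "PrimaryURL": "https://example.invalid/TEST-0001",
                },
                {
                    "VulnerabilityID": "TEST-0002",
                    "PkgName": "otherlib",
                    "InstalledVersion": "2.3.0",
                    "Severity": "LOW",
                    "Title": "otherlib information leak (constructed)",
                },
            ],
        },
        {
            "Target": "Deployment/example-app",
            "Misconfigurations": [
                {
                    "ID": "TEST-MISC-0001",
                    "Title": "Container runs as root (constructed)",
                    "Message": "Set securityContext.runAsNonRoot to true",
                    "Severity": "MEDIUM",
                    "Resolution": "Add runAsNonRoot: true to the pod spec",
                }
            ],
        },
    ],
}


def trivy_to_sarif(report: dict, tool_name: str = "Trivy") -> dict:
    """Convert a Trivy JSON report into a minimal SARIF 2.1.0 document."""
    rules: Dict[str, dict] = {}   # one SARIF rule per distinct finding ID
    results: List[dict] = []      # one SARIF result per finding occurrence

    def add(rule_id, title, description, help_uri, severity, message, target):
        if rule_id not in rules:
            rule = {
                "id": rule_id,
                "shortDescription": {"text": title},
                "fullDescription": {"text": description},
                "properties": {"trivy-severity": severity},
            }
            if help_uri:  # SARIF expects a real URI here, so omit it when unknown
                rule["helpUri"] = help_uri
            rules[rule_id] = rule
        results.append({
            "ruleId": rule_id,
            "level": SEVERITY_TO_LEVEL.get(severity.upper(), "note"),
            "message": {"text": message},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": target}}}],
        })

    for result in report.get("Results", []):
        target = result.get("Target", "unknown")
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            fix = vuln.get("FixedVersion")
            message = f"{vuln['PkgName']} {vuln.get('InstalledVersion', '?')} is affected by {vid}"
            message += f" (fixed in {fix})" if fix else " (no fix available)"
            add(vid, vuln.get("Title", vid), vuln.get("Description", ""),
                vuln.get("PrimaryURL", ""), vuln.get("Severity", "UNKNOWN"), message, target)
        for misc in result.get("Misconfigurations") or []:
            mid = misc["ID"]
            add(mid, misc.get("Title", mid), misc.get("Resolution", ""),
                misc.get("PrimaryURL", ""), misc.get("Severity", "UNKNOWN"),
                misc.get("Message", misc.get("Title", mid)), target)

    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(trivy_to_sarif(SAMPLE_TRIVY), indent=2))
```

Keeping the Trivy severity in the rule's `properties` preserves the CRITICAL/HIGH distinction that the three SARIF levels collapse; whatever consumes the file can still use it.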

v2.4.0

22 Feb 03:05
8f9be30

v2.4.0 changes:

  • An experimental generic scanner, oobtkube, has been added; it can scan a Kubernetes Operator controller given a relevant CR (Custom Resource) config file as input
  • The default container.type mode has changed to 'none' from 'podman'. Generic scanners can now run in the 'none' container.type mode as well (previously only supported in the 'podman' mode)
  • Generic scanner results (in SARIF format) can now be exported to DefectDojo
  • report.format is now accepted as a string
  • RapiDAST image size has been reduced by half thanks to @lunarwhite
  • The directory into which the scan policy (scanPolicyXML) of the default Helm chart values.yaml is copied has changed to /opt/rapidast/scanners/zap/policies/ in the RapiDAST image. This fixes a permission error.
  • Added error handling when apiUrl or apiFile is not specified

v2.3.0

30 Oct 01:48
709eaed

RapiDAST core changes:

  • Added Jenkins integration job examples
  • RapiDAST can now run user-defined scanners and store their results (container.type: podman mode only)
  • Upgraded to ZAP 2.13.0 and included Firefox ESR for Ajax spidering in the RapiDAST container image
  • New config templates with a separate generic plugin
  • rapidast-defaults.yaml can be used to set default options
  • Fixed an OCI error on macOS
  • [DefectDojo integration] Handle timeouts
  • [DefectDojo integration] Added SSL verification management

ZAP scanning configuration related changes:

  • Added new active scan policies
  • Allow the user to override the default Java max heap size
  • Added an option to download schemas
  • Fixed a ZAP issue when the target URL does not end with '/'
  • Support for disabling all passive scanner rules
  • Fixed an issue where passive scanner rules were not disabled in certain environments
  • Added the overrideConfigs option
  • Added the ability to install specific add-ons
  • Added a preauth option to the oauth2-rtoken authentication to help in a few environments

v2.2.1

17 Aug 01:26
78ba799

RapiDAST v2.2.1 changes:

  • Adds the git package to the rapidast image (Containerfile.multiuser is now merged into Containerfile)
  • Helm chart updated to work with the new Containerfile
  • Allows a scanner to be run multiple times (useful for running both authenticated and unauthenticated scans from a single config file)
  • Stores the zap.log file with the result files for easier troubleshooting

v2.2.0

27 Jun 00:57
ca01c27

RapiDAST v2.2.0 changes:

  • Fixed an error caused by a missing OWASP DefectDojo config
  • More support for running a scan with Podman on macOS
  • A scan can now run inside an already-running pod (sidecar pattern)
  • Added the ability to scan with a remote config file
  • Added a 'verbose' log level with more error handling to help troubleshooting
  • Added a Containerfile for multi-user environments
  • Added a workaround for an OWASP ZAP 2.12.0 issue that deletes installed add-ons

v2.1.0

31 May 01:35
bda1325

RapiDAST v2.1.0 changes:

  • Support for GraphQL API scanning (backed by OWASP ZAP)
  • Scanners can be run using Flatpak
  • Support for the 'import' job feature (backed by OWASP ZAP)
  • Support for include and exclude URLs (backed by OWASP ZAP)
  • Added the 'oauth2OpenapiManualDownload' option
  • Support for http_header authentication (backed by OWASP ZAP)
  • Appending '_from_var' to a config entry makes it refer to an environment variable (useful for keeping secrets out of the configuration file)
  • [experimental] Support for integration with OWASP DefectDojo
  • configVersion has been changed to '4'
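
The '_from_var' convention is what keeps a refresh token or password out of the committed config file, and the resolution logic is small enough to show. The following is an added example written for this page, not RapiDAST's implementation: the sample config is modelled on the general.authentication layout of RapiDAST's config template (an assumption), its values are constructed, and `MissingSecretError`, `required_vars` and `resolve_from_var` are names chosen for this example. It also answers two questions the one-line entry leaves open: what happens when the variable is unset, and what happens when a literal key and its '_from_var' twin are both present.

```python
import os
from typing import Any, Mapping, Optional, Set

SUFFIX = "_from_var"


class MissingSecretError(KeyError):
    """Raised when a *_from_var entry names an environment variable that is not set."""


# Constructed config modelled on RapiDAST's layout (an assumption, not the
# project's own template): only the variable name is written into the file.
SAMPLE_CONFIG = {
    "config": {"configVersion": 4},
    "general": {
        "authentication": {
            "type": "oauth2_rtoken",
            "parameters": {
                "client_id": "example-client",
                "token_endpoint": "https://sso.example.invalid/token",
                "rtoken_from_var": "RTOKEN",
            },
        },
        "proxy": {"proxyHost": "proxy.example.invalid", "proxyPort": "3128"},
    },
}


def _is_from_var(key: Any) -> bool:
    """True for keys like 'rtoken_from_var' (but not for a bare '_from_var')."""
    return isinstance(key, str) and key.endswith(SUFFIX) and len(key) > len(SUFFIX)


def required_vars(config: Any) -> Set[str]:
    """Names of every environment variable the config refers to via *_from_var.

    Useful in CI: check these are set before launching a long scan instead of
    failing part-way through authentication.
    """
    names: Set[str] = set()
    if isinstance(config, dict):
        for key, value in config.items():
            if _is_from_var(key):
                names.add(str(value))
            else:
                names |= required_vars(value)
    elif isinstance(config, list):
        for item in config:
            names |= required_vars(item)
    return names


def resolve_from_var(config: Any, env: Optional[Mapping[str, str]] = None) -> Any:
    """Return a copy of config where each '<key>_from_var: NAME' becomes '<key>: env[NAME]'.

    The *_from_var entry always wins over a literal '<key>' next to it, so a
    secret committed by mistake cannot silently override the injected one.
    The original config is not modified.
    """
    env = os.environ if env is None else env
    if isinstance(config, dict):
        resolved = {k: resolve_from_var(v, env) for k, v in config.items() if not _is_from_var(k)}
        for key, value in config.items():
            if _is_from_var(key):
                name = str(value)
                if name not in env:
                    raise MissingSecretError(f"{key!r} refers to unset environment variable {name!r}")
                resolved[key[: -len(SUFFIX)]] = env[name]
        return resolved
    if isinstance(config, list):
        return [resolve_from_var(item, env) for item in config]
    return config


if __name__ == "__main__":
    missing = required_vars(SAMPLE_CONFIG) - set(os.environ)
    if missing:
        raise SystemExit(f"set these variables before scanning: {sorted(missing)}")
    print(resolve_from_var(SAMPLE_CONFIG))
```

The resolved dictionary now contains the secret in clear, so it should only ever be handed to the scanner, never logged or written back to disk; the unresolved form is the one that is safe to keep in version control.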

v2.0.0

30 Mar 01:29
27dd6d3

Refactored architecture focused on improving simplicity, extendibility and quality.

  • Provides a simpler configuration format
  • Provides an extensible framework to support multiple scanners
  • Adds pytest and a pre-commit hook to keep the code clean and of good quality
  • Supports a localhost scanning mode to run scanners installed on the host (previously using podman/docker was mandatory)
  • Supports authentication configuration through the RapiDAST configuration (previously custom scripts were required)
  • Supports spidering/crawling through the RapiDAST configuration
  • Supports reports in SARIF format in addition to the previous JSON, XML and HTML ones
  • Supports OWASP ZAP v2.12 (previously 2.11)
  • The quay.io/redhatproductsecurity/rapidast:2.0.0 image is available along with a Helm chart to help run RapiDAST scans on Kubernetes/OpenShift