edercnj/x-run-dynamic-pentest

Skill: x-run-dynamic-pentest

Dynamic Application Security Testing (DAST) gate. Reads QualityConfig.dast, selects the appropriate scan tier, and dispatches OWASP ZAP and/or Nuclei against the configured target environment. Produces a SARIF 2.1.0 report + Markdown summary.

Production target is explicitly forbidden. The gate rejects target=production at parse time (enforced by DastConfig constructor — DAST_TARGET_PRODUCTION_FORBIDDEN).

Two tiers:

• smoke (PR gate) — ZAP passive scan (read-only spider) + Nuclei top-50 lightweight templates. ~10 min.
• full (nightly) — ZAP active scan (injection payloads: SQLi, XSS, path traversal) + complete Nuclei template set. ~35 min.

Triggers

• /x-run-dynamic-pentest story-0073-0003 — auto-detects tier from quality.dast.tier-pr (smoke) or CI env (full)
• /x-run-dynamic-pentest story-0073-0003 --tier smoke — force smoke tier
• /x-run-dynamic-pentest story-0073-0003 --tier full — force full tier
• /x-run-dynamic-pentest story-0073-0003 --zap-only — run ZAP only (skip Nuclei)
• /x-run-dynamic-pentest story-0073-0003 --nuclei-only — run Nuclei only (skip ZAP)

Parameters

| Flag | Type | Default | Description | | :--- | :--- | :--- | :--- | | STORY-ID | String | — | Required. Story being gated. | | --tier | Enum | from config | Override tier (smoke or full). | | --target | Enum | from config | Override target environment. Production rejected. | | --zap-only | Boolean | false | Skip Nuclei; run ZAP only. | | --nuclei-only | Boolean | false | Skip ZAP; run Nuclei only. | | --compliance | String | from config | Override compliance frameworks (comma-separated: pci,lgpd). | | --report | String | auto | Output SARIF report path. |

Phase 1 — Parse & Validate

Read quality.dast from project YAML. Validate:

1. enabled: true — if false, emit WARN: DAST gate disabled and exit 0.
2. target != production — enforced by DastConfig constructor; if somehow reached here, exit 2 DAST_TARGET_PRODUCTION_FORBIDDEN.
3. ZAP binary present when zap.enabled: true: docker pull ghcr.io/zaproxy/zaproxy:stable or local zap.sh.
4. Nuclei binary present when nuclei.enabled: true: nuclei --version.
5. templates-version pinned format (vN.x or vN.M.P) — validated by NucleiConfig constructor; exit 2 NUCLEI_VERSION_UNPINNED if reached.

Phase 2 — Execute Scans

ZAP Passive (smoke tier)

docker run --rm ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py \
  -t <TARGET_URL> \
  -r /zap/wrk/zap-report.html \
  -x /zap/wrk/zap-report.xml \
  --autooff \
  -I                   # informational only — does not fail on alerts

Convert ZAP XML output to SARIF 2.1.0 via zap2sarif or inline jq transformation.

ZAP Active (full tier)

docker run --rm ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py \
  -t <TARGET_URL> \
  -r /zap/wrk/zap-active-report.html \
  -x /zap/wrk/zap-active-report.xml \
  -z "-config scanner.attackStrength=HIGH" \
  -l HIGH              # fail on HIGH+ findings

Active scan policy applied from zap.active-scan-policy:

• default — standard OWASP Top 10 payloads
• custom-pci — PCI-DSS scope (SQLi, XSS, auth bypass emphasis)
• custom-lgpd — LGPD scope (data exposure, access control)

Nuclei Scan

nuclei \
  -t community-nuclei-templates \
  -u <TARGET_URL> \
  -severity medium,high,critical \
  -json-export /tmp/nuclei-results.json \
  -silent

For smoke tier: -tags top-50 (lightweight template subset, 2-3 min). For full tier: full template set (10+ min).

Phase 3 — Consolidate & Report

Merge ZAP + Nuclei SARIF outputs into a single results/security/dast/dast-<tier>-<date>.sarif conformant with SARIF 2.1.0 schema.

Produce Markdown report at .aikittools/features/feature-XXXX/reports/dast-report-STORY-ID.md using _TEMPLATE-PENTEST-PLAN.md as base structure.

Gate decision:

| Tier | Blocks on | | :--- | :--- | | smoke (PR gate) | CRITICAL findings only | | full (nightly) | HIGH or CRITICAL findings |

When blocked: exit 1 DAST_FINDINGS_CRITICAL (smoke) or DAST_FINDINGS_HIGH (full). When compliance flag set (--compliance pci): additional PCI-specific checks applied.

Exit Codes

| Exit | Code | Condition | | :--- | :--- | :--- | | 0 | OK | No blocking findings (or gate disabled). | | 1 | DAST_FINDINGS_HIGH | HIGH/CRITICAL findings above threshold. | | 2 | OPERATIONAL_ERROR | Tool missing, target unreachable, or binary absent. | | 3 | DAST_TARGET_PRODUCTION_FORBIDDEN | target=production attempted. |

Integration Notes

• Invoked by x-implement-story Phase 3.Q when quality.dast.enabled=true (conditional gate — Rule 24).
• Evidence artifact: .aikittools/features/feature-XXXX/reports/dast-report-STORY-ID.md (Rule 24 §Mandatory Evidence Artifacts).
• SARIF output: results/security/dast/dast-{smoke|full}-YYYY-MM-DD.sarif (SARIF 2.1.0).
• See KP knowledge/shared/security-knowledge/dast-playbook/knowledge.md for finding remediation guidance, Nuclei curation policy, and ZAP active scan policy tuning.