Cognitive Dast Automation

🚀 Cognitive DAST Testing Automation

Automated Dynamic Application Security Testing (DAST) using OWASP ZAP proxy with cognitive analysis powered by Google Gemini AI via MCP.

🚀 Quick Start

1. Install Dependencies

pip install -r requirements.txt

2. Configure Environment

cp config/.env.example .env
# Edit .env with your API keys

3. Start OWASP ZAP

# Docker
docker run -p 8080:8080 owasp/zap2docker-stable zap.sh -config api.disablekey=true

# Or local installation
zaproxy -config api.disablekey=true

4. Run Scan

python -m mcp_dast.cli.main scan \
  --target http://example.com \
  --gemini-key YOUR_GEMINI_KEY \
  --output results.json \
  --format json

✨ Features

• Automated DAST Scanning: Full integration with OWASP ZAP proxy.
• Cognitive Analysis: AI-powered analysis of security findings using Gemini.
• MCP Server: Model Context Protocol implementation for AI tool integration.
• CLI Interface: Command-line tools for scan execution and management.
• Risk Scoring: Automated risk assessment and prioritization.
• Multiple Formats: JSON and SARIF output for CI/CD and industry-standard reporting.
• SARIF Support: Compatible with GitHub Security, Defender for Cloud, SonarQube.

📦 Components

MCP DAST Server

• Core server implementing Model Context Protocol.
• Coordinates ZAP scanning and Gemini analysis.
• Async/await support for non-blocking operations.

ZAP Integration

• OWASP ZAP proxy client.
• API-based scanning automation.
• Alert aggregation and classification.

Gemini AI Analyzer

• Security finding analysis.
• Cognitive assessment of vulnerabilities.
• Remediation recommendations.
• Business impact analysis.

CLI Tools

• scan: Run complete DAST assessment.
• status: Check scan progress.
• configure: Setup configuration.

💻 Usage Examples

Basic Usage

Basic Scan (JSON output)

python -m mcp_dast.cli.main scan --target http://target.com --gemini-key $GEMINI_KEY --output results.json

SARIF Output (GitHub Actions compatible)

python -m mcp_dast.cli.main scan --target http://target.com --gemini-key $GEMINI_KEY --output results.sarif --format sarif

Advanced Usage

Check Scan Status

python -m mcp_dast.cli.main status --scan-id abc123

With Custom Configuration

python -m mcp_dast.cli.main scan \
  --target http://target.com \
  --zap-host 192.168.1.100 \
  --zap-port 8080 \
  --gemini-key $GEMINI_KEY \
  --output scan-results.json \
  --format json

📚 Documentation

Output Formats

JSON Format

Results include:

• Raw ZAP scan findings (alerts, risk levels).
• Cognitive analysis from Gemini AI.
• Risk scores and severity assessments.
• Remediation priorities.
• Recommended actions.

SARIF Format

Industry-standard format (OWASP/SARIF 2.1.0):

• Compatible with GitHub Security Code Scanning.
• Compatible with Microsoft Defender for Cloud.
• Compatible with SonarQube and other tools.
• Full vulnerability metadata and remediation guidance.

For detailed format information, see OUTPUT_FORMATS.md.

{
  "scan_id": "12345",
  "target_url": "http://example.com",
  "raw_results": {
    "high_alerts": 2,
    "medium_alerts": 5,
    "low_alerts": 8
  },
  "cognitive_analysis": {
    "risk_score": 72.5,
    "severity_assessment": "High",
    "remediation_priority": [...],
    "recommended_actions": [...]
  }
}

Configuration

ZAP Configuration

• ZAP_HOST: Proxy host (default: localhost).
• ZAP_PORT: Proxy port (default: 8080).
• ZAP_API_KEY: Optional API key.
• ZAP_TIMEOUT: Request timeout.

Gemini Configuration

• GEMINI_API_KEY: Your Google Gemini API key.
• GEMINI_MODEL: Model selection (default: gemini-1.5-flash).

Architecture

The system implements a 4-layer layered architecture with clear separation of concerns:

┌─────────────────────────────────────────┐
│   Presentation Layer (CLI Interface)    │
│   User commands & interaction point     │
└─────────────────────────────────────────┘
                    ↓
┌─────────────────────────────────────────┐
│ Application Layer (Orchestration)       │
│ Scan, analysis, reporting orchestration │
└─────────────────────────────────────────┘
                    ↓
┌─────────────────────────────────────────┐
│ Integration Layer (Adapters)            │
│ ZAP, Gemini, Output formatting          │
└─────────────────────────────────────────┘
                    ↓
┌─────────────────────────────────────────┐
│ Infrastructure Layer (Storage)          │
│ Config, cache, persistent storage       │
└─────────────────────────────────────────┘

Architecture Diagrams: Start with reference-architecture.puml - then explore:

• system-architecture.puml - Component overview.
• component-interaction.puml - Detailed interactions.
• scan-sequence.puml - Execution flow.
• data-flow.puml - Data transformations.
• class-diagram.puml - OOP design.
• deployment.puml - Infrastructure.
• workflow.puml - Process flow.

MCP DAST Server
├── ZAP Client (OWASP Proxy)
│   └── Scan Management & Alert Collection
├── Gemini Analyzer (AI Analysis)
│   └── Cognitive Assessment & Recommendations
└── CLI Interface
    └── User-facing Commands

Requirements

• Python 3.9+.
• OWASP ZAP 2.12+.
• Google Gemini API key (free tier available).
• Required packages: see requirements.txt.

Testing

pytest tests/
pytest tests/ --cov=src

Development

Project Structure

├── src/mcp_dast/
│   ├── zap/           # OWASP ZAP integration
│   ├── gemini/        # Gemini AI analyzer
│   ├── cli/           # CLI interface
│   └── server.py      # MCP server
├── tests/             # Test suite
├── config/            # Configuration files
├── docs/              # Documentation
└── pyproject.toml     # Poetry configuration

Running Locally

# Install in development mode
pip install -e .

# Run tests
pytest

# Format code
black src/

# Lint
ruff check src/

Security Considerations

• Never commit API keys to version control.
• Use environment variables for sensitive configuration.
• Validate and sanitize all inputs.
• Keep ZAP and dependencies updated.

📄 License

MIT

Support

For issues and feature requests, please open an issue on the project repository.