feat: [DTOSS-9089] add separate ZAP Baseline scans for API and Website targets, with supporting Azure DevOps pipeline and Slack summary notifications

[nc-shahidazim]

Description

This PR introduces two dedicated ZAP Baseline scanning implementations - one for API endpoints and one for website URL -along with a new Azure DevOps pipeline to orchestrate both scans and deliver a combined Slack summary notification through the dtos-devops-templates Slack integration.

Context

As part of improving our security scanning across DTOS services, we identified that both API endpoints and website/front‑end URLs require regular vulnerability scanning, but use different access patterns and therefore need different scanning approaches. Previously, no automated or centralised mechanism existed to run these scans consistently, nor to distribute results to engineering teams.

APIs often require subscription keys, while websites do not, and both types of services may be deployed independently. To support these differences, this work introduces two dedicated ZAP Baseline implementations - one for APIs and one for websites - each tailored to its respective target type.

To streamline execution and ensure visibility, a new Azure DevOps pipeline was added. This pipeline orchestrates both scans, aggregates results, publishes ZAP reports, and sends a consolidated Slack summary notification using dtos-devops-templates. This enables engineering teams to quickly understand scan outcomes without needing to manually inspect artifacts.

This PR establishes the foundation for automated baseline scanning across DTOS applications and provides a consistent delivery mechanism for reporting findings.

What's changed

1. Added dedicated scripts for API and Website ZAP scanning
   Two standalone Bash scripts were introduced:

   • API scan
     • Targets individual API endpoints.
     • Uses zap-api-scan.py (without OpenAPI definition).
     • Supports an API subscription key header when needed.
   • Website scan
     • Targets website or frontend URLs.
     • Uses zap-baseline.py with no authentication headers.

   Both scripts share standardised behaviour for validation, execution, logging, and report output.

2. Introduced Azure DevOps pipeline to orchestrate both scans
   A new pipeline was added to:

   • Execute API and website scans based on parameters
   • Store ZAP reports under zap-reports/
   • Parse api.xml/web.xml to extract High/Medium alert counts
   • Determine scan status per target
   • Combine results into one final summary
   • Publish artifacts for consumption
   • Does not fail the build based on ZAP results (non‑gating), but include the ZAP results overall outcome in Slack notification

   This enables structured, repeatable execution across environments.

3. Added Slack notifications with summary
   The pipeline sends a single consolidated message that includes:

   • ZAP results overall outcome (passed or failed)
   • API scan alert counts
   • Website scan alert counts
   • Environment, Requested by and Branch
   • Direct link to pipeline run
   • Failed or Skipped stages

   This improves visibility and provides teams with immediate context.

4. General improvements

   • Consistent error handling and argument validation across scripts
   • Directory preparation and permission handling for container writes
   • Docker availability check
   • Clear logging of scan start, exit code, and report location

Evidence

A generated Slack notification:

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I am familiar with the contributing guidelines
• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

[github-actions]

Unit Test Results

✔️ Tests 980 / 980 - passed in 69.4s
📝 Coverage 47.01%
📏 4759 / 10426 lines covered 🌿 1167 / 2180 branches covered
🔍 click here for more details

✏️ updated for commit 1eb6453

[sonarqubecloud]

Quality Gate passed

Issues
13 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud