Configuring OWASP Zed Attack Proxy (ZAP) for automated vulnerability scanning involves several key steps: setting up headless scanning via the Command Line Interface (CLI), integrating ZAP into Continuous Integration/Continuous Deployment (CI/CD) pipelines, and generating structured reports for analysis. Below is a comprehensive guide to achieve these objectives.
1. Configuring ZAP for Headless Scanning via CLI
Running ZAP in headless mode is essential for automation, as it allows scans to be executed without a graphical user interface. Here's how to set it up:
docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
Using Docker: This command starts ZAP in daemon mode, listening on all network interfaces (0.0.0.0) at port 8080, and configures the API to accept requests from any address. Because the API is then reachable from any host that can reach the container, also set a key with -config api.key=<your-api-key>; that is the key the zap-cli and Python clients in the later sections supply.
Using Direct Installation: If Docker is not an option, you can run ZAP directly from its installation directory with the same daemon arguments as the Docker command above (zap.sh on Linux/macOS, zap.bat on Windows):
./zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
zap.bat -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
These commands initiate ZAP in daemon mode, ready to accept API commands.
2. Automating Scans in a CI/CD Pipeline
Integrating ZAP into your CI/CD pipeline ensures continuous security assessment of your web applications. Here's how to achieve this with a popular tool, GitHub Actions:
Using GitHub Actions:
name: OWASP ZAP Scan
on: [push]
jobs:
  zap_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Run OWASP ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.4.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          target: 'http://your-application-url'
          rules_file_name: '.zap/rules.yaml'
        continue-on-error: true
      - name: Upload ZAP Report
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: zap_report
          path: owasp-zap-report.html
This workflow triggers a ZAP baseline scan on every code push and uploads the resulting report as an artifact.
3. Generating Structured Reports for Analysis
After completing scans, generating reports in structured formats like JSON or XML is crucial for further analysis. Here's how to do it:
zap-cli --zap-url http://localhost:8080 --api-key <your-api-key> report -o zap_report.json -f json
This command generates a JSON-formatted report of the scan results.
from zapv2 import ZAPv2

# Connect to the running ZAP daemon through its API (same key as the daemon was started with)
zap = ZAPv2(apikey='your-api-key', proxies={'http': 'http://localhost:8080', 'https': 'http://localhost:8080'})

# Generate JSON report
report = zap.core.jsonreport()
with open('zap_report.json', 'w') as report_file:
    report_file.write(report)
This script connects to the ZAP instance and retrieves the scan report in JSON format.
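The JSON that zap.core.jsonreport() returns is a list of sites, each carrying its alerts with a riskcode (0 Informational to 3 High) and the instances where each alert was observed. The following added script is not part of the original guide and not ZAP's own code: it parses that structure from a constructed sample report (assumed alert values, not real scan output), counts alerts per risk level, and returns the alerts that should fail a pipeline step at a chosen threshold, which is how a structured report feeds the CI/CD gate described in section 2.

```python
import json

# ZAP riskcode values as they appear in core.jsonreport() output.
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample in the shape of a ZAP JSON report (not real scan output).
SAMPLE_REPORT = json.dumps({"site": [{
    "@name": "http://your-application-url",
    "alerts": [
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
         "riskcode": "1", "confidence": "2", "cweid": "693",
         "instances": [{"uri": "http://your-application-url/", "method": "GET"}]},
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
         "riskcode": "3", "confidence": "2", "cweid": "79",
         "instances": [{"uri": "http://your-application-url/search?q=x",
                        "method": "GET", "param": "q"}]},
    ]}]})

def load_alerts(report_json):
    """Flatten a ZAP JSON report string into one dict per (site, alert)."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name"),
                "pluginid": alert.get("pluginid"),
                "name": alert.get("alert"),
                "riskcode": int(alert.get("riskcode", "0")),
                "risk": RISK_NAMES.get(alert.get("riskcode"), "Unknown"),
                "cweid": alert.get("cweid"),
                "urls": [i.get("uri") for i in alert.get("instances", [])],
            })
    return alerts

def risk_counts(alerts):
    """Distinct alerts per risk level, e.g. {'Low': 1, 'High': 1}."""
    counts = {}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    return counts

def gate(alerts, fail_at="Medium"):
    """Alerts at or above fail_at, i.e. the ones that should fail the CI step."""
    threshold = int({v: k for k, v in RISK_NAMES.items()}[fail_at])
    return [a for a in alerts if a["riskcode"] >= threshold]

if __name__ == "__main__":
    found = load_alerts(SAMPLE_REPORT)
    print(risk_counts(found), [a["name"] for a in gate(found)])
    raise SystemExit(1 if gate(found) else 0)  # non-zero exit fails the pipeline
```

To run it against a real scan, replace SAMPLE_REPORT with the contents of the zap_report.json written above.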
4. Scripting ZAP Scans Using Python
Automating ZAP scans with Python provides flexibility and control over the scanning process. Here's an example:
from zapv2 import ZAPv2
import time

# Initialize ZAP connection (same API key the daemon was started with)
zap = ZAPv2(apikey='your-api-key', proxies={'http': 'http://localhost:8080', 'https': 'http://localhost:8080'})
target_url = 'http://your-application-url'

# Access the target URL so ZAP records it in its site tree
zap.urlopen(target_url)
time.sleep(2)  # Allow time for the page to load

# Start the spidering process; scan() returns the id used to poll progress
print('Spidering target {}'.format(target_url))
scan_id = zap.spider.scan(target_url)
time.sleep(2)

# Monitor the progress of the spider (status() returns a percentage as a string)
while int(zap.spider.status(scan_id)) < 100:
    print('Spider progress: {}%'.format(zap.spider.status(scan_id)))
    time.sleep(2)
print('Spider completed')