Security Glossary

OWASP ZAP

A free, open-source web security scanner from OWASP with proxy, automated scanning, and CI/CD integration capabilities.

OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner maintained by OWASP. It's designed for finding vulnerabilities in web applications during development and testing.

Key Features

  • Intercepting Proxy: View and modify requests/responses
  • Active Scanner: Automated vulnerability scanning
  • Passive Scanner: Non-intrusive issue detection
  • Spidering: Automatic site crawling
  • Fuzzer: Parameter manipulation testing
  • Forced Browse: Directory enumeration

Usage Modes

# Desktop GUI
zap.sh

# Headless/daemon mode with API on port 8080
zap.sh -daemon -port 8080

# Run an Automation Framework plan (declarative jobs in YAML)
zap.sh -cmd -autorun plan.yaml

# Docker (current image; the old owasp/zap2docker-* images are retired)
docker run -t ghcr.io/zaproxy/zaproxy zap-baseline.py -t http://target.com
# Docker Hub mirror: zaproxy/zap-stable

Drive ZAP through the built-in zap.sh command line and its REST API, or the Automation Framework, rather than the old third-party zap-cli, which is deprecated and unmaintained.

Packaged Scan Scripts

# Baseline: passive scan only, CI-friendly
zap-baseline.py -t http://target.com

# Full: adds the active scanner
zap-full-scan.py -t http://target.com

# API scan from an OpenAPI/SOAP/GraphQL definition
zap-api-scan.py -t http://target.com/openapi.json -f openapi

CI/CD Integration

ZAP ships Docker images and the packaged scan scripts for Jenkins, GitLab CI, GitHub Actions, and other pipelines. The Automation Framework lets you version the whole scan plan (contexts, jobs, thresholds) as YAML in the repository.

Notes

  • Free and open source under the OWASP project, so no licensing gate on CI runners.
  • Add-on marketplace for extra scan rules, scripting engines, and protocol support.
  • Scriptable end to end via the REST API for custom automation.

See Also