A free, open-source web security scanner from OWASP with proxy, automated scanning, and CI/CD integration capabilities.
OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner maintained by OWASP. It's designed for finding vulnerabilities in web applications during development and testing.
# Desktop GUI
zap.sh
# Headless/daemon mode with API on port 8080
zap.sh -daemon -port 8080
# Run an Automation Framework plan (declarative jobs in YAML)
zap.sh -cmd -autorun plan.yaml
# Docker (current image; the old owasp/zap2docker-* images are retired)
docker run -t ghcr.io/zaproxy/zaproxy zap-baseline.py -t http://target.com
# Docker Hub mirror: zaproxy/zap-stable
Drive ZAP through the built-in zap.sh command line and its REST API, or the Automation Framework, rather than the old third-party zap-cli, which is deprecated and unmaintained.
# Baseline: passive scan only, CI-friendly
zap-baseline.py -t http://target.com
# Full: adds the active scanner
zap-full-scan.py -t http://target.com
# API scan from an OpenAPI/SOAP/GraphQL definition
zap-api-scan.py -t http://target.com/openapi.json -f openapi
ZAP ships Docker images and the packaged scan scripts for Jenkins, GitLab CI, GitHub Actions, and other pipelines. The Automation Framework lets you version the whole scan plan (contexts, jobs, thresholds) as YAML in the repository.