ZAP 2.11.0

Posted 490 Words

ZAP 2.11.0 (also known as the OWASP 20th anniversary release) is available now.

Major changes include:

Alert Tags

Alerts can now be tagged with arbitrary keys or key=value pairs - this can be done via the desktop GUI and the API.

All of the active and passive scan rules have been updated to include tags for the OWASP Top 10 2021 and 2017. These tags are also shown on the Alert Details pages.

Automation Framework

The Automation Framework is a new way to automate ZAP and is expected to become the default option for most automation use cases.

While the framework is expected to be used from the command line you can use the desktop GUI to generate and test automation plans.

For more details see the Automation Framework page.

Report Generation

The new Report Generation add-on allows you to generate much more flexible reports with access to much more data. You can access the new reports via the “Generate Report…” toolbar button and Report menu item, as well as via the API and Automation Framework.

The previous reporting add-ons have been removed from the marketplace as they provide less functionality and are no longer maintained.

New report templates (including some winners of the Report competition) include:

  • Risk and Confidence HTML - the new default report
  • Modern HTML Report with themes and options
  • High Level Report Sample
  • Traditional HTML Report with requests and responses

OAST Support

The new OAST Support add-on allows you to find and exploit out-of-band vulnerabilities.

This add-on is alpha at the time of the 2.11.0 release but is expected to be updated soon, so check the help pages for the latest features.


The new Retest add-on allows you to retest for presence/absence of previously generated alerts which means you can retest issues very quickly.

This add-on is alpha at the time of the 2.11.0 release but is expected to be updated soon, so check the help pages for the latest features.


The Docker stable and bare images will now be updated monthly, typically around the start of the month.

  • The updates will include any updated add-ons and any changes to the packaged scans.
  • No core changes will be included in these updates.
  • The images will be tagged by date in case you wish to stay on a specific version.
  • The packaged scans are being migrated to use the Automation Framework - this migration will continue over the life of 2.11.0.


A significant number of statistics have been added to the core, and are being added to add-ons. In part this is driven by the Automation Framework which can make direct use of statistics for sanity checks.

See the release notes for the new core statistics or the ZAP Internal Statistics page for the full list.

There are of course a large number of other enhancements and fixes which are detailed in the release notes.

Thank you to everyone who contributed to this release.