Automation Framework

The new Automation Framework will in time replace the Command Line and Packaged Scan options. It allows you to control ZAP via one YAML file and provides more flexibility while not being tied to any specific container technology.

The Automation Framework is included with the latest version of ZAP as well as the stable docker image. The framework is plugable and many of the existing add-ons have been enhanced to support it.

The framework is covered in the following ZAP Chat videos:

• ZAP Chat 07 Automation Framework Part 1 An introduction to the framework
• ZAP Chat 08 Automation Framework Part 2 Details on the environment, passiveScan-config job, and alertFilter job
• ZAP Chat 09 Automation Framework Part 3 Details on the requester job and replacer job
• ZAP Chat 10 Automation Framework Part 4 Details on the spider job and spiderAjax job
• ZAP Chat 11 Automation Framework Part 5 Details on the openapi, soap, and graphql jobs
• ZAP Chat 12 Automation Framework Part 6 Details on the passiveScan-wait, delay, and activeScan jobs
• ZAP Chat 16 Automation Framework Part 7 How to configure authentication using auto-detection

Framework Overview

For details of how to get started with the framework see the main framework help page.

The framework supports:

• environment - which defines all of the applications the plan can act on
• Authentication - all of the authentication mechanisms supported by ZAP
• Job Tests - which can be used to validate the outcome of jobs

The full set of jobs currently supported by the framework and other add-ons are:

• activeScan - runs the active scanner
• activeScan-config - configures the active scanner, for custom active scans (e.g. Sequence)
• activeScan-policy - defines an active scan policy
• alertFilter - alert filter configuration, provided with the Alert Filters add-on
• delay - waits for a specified time or until a condition is met
• exitStatus - sets ZAP’s exit code based on scan results
• export - allows you to export messages and the Sites Tree, provided with the Import/Export add-on
• graphql - GraphQL schema import, provided with the GraphQL add-on
• import - allows you to import files in various formats, provided with the Import/Export add-on
• openapi - OpenAPI definition import, provided with the OpenAPI add-on
• passiveScan-config - passive scan configuration
• passiveScan-wait - waits for the passive scanner to finish processing the current queue
• postman - Postman definition import, provided with the Postman add-on
• prune - The prune job allows you to remove nodes from the Sites Tree, provided with the Import/Export add-on
• replacer - replace strings in requests and responses
• report - report generation, provided with the Report Generation add-on
• requestor - sends specific requests to targets
• script - adds, removes and runs scripts, provided with the Script Console add-on
• sequence-activeScan - allows you to active scan sequences, provided with the Sequence add-on
• sequence-import - allows you to create a sequence from an HAR file, provided with the Sequence add-on
• soap - SOAP WSDL import, provided with the SOAP add-on
• spider - runs the traditional spider, provided with the Spider add-on
• spiderAjax - runs the ajax spider, provided with the Ajax Spider add-on
• spiderClient - allows you to run the client spider

For details of future changes planned see the tracker issue.

Updating Add-ons

The addOns job has been found to cause problems when updating add-ons which are defined in the current plan. This job has been depreciated and no longer does anything.

You can use the standard ZAP command line options with the AF -autorun option:

• -addoninstall <addOnId> to install an add-on
• -addonuninstall <addOnId> to uninstall an add-on
• -addonupdate to update all add-ons

You can use -addoninstall and -addonuninstall as many times as you need:

./zap.sh -addonupdate\
    -addoninstall example-1 \
    -addoninstall example-2 \
    -addonuninstall example-3 \
    -cmd -autorun zap.yaml <any other ZAP options>

Exit Value

If you run the framework from the command line then ZAP will by default exit with:

• 0: The plan ran without any problems reported
• 1: The plan failed with an error
• 2: The plan ran but there were warnings

The framework will exit with 2 if there are warnings even if the environment failOnWarning parameter is set to false.

The exitStatus job allows you to set ZAP’s exit code based on scan results.