The new Automation Framework will in time replace the Command Line and Packaged Scan options. It allows you to control ZAP via one YAML file and provides more flexibility while not being tied to any specific container technology.
The Automation Framework is included with the latest version of ZAP as well as the stable docker image. The framework is pluggable, and many of the existing add-ons have been enhanced to support it.
Important: if you run the framework from the command line you should not use the -addonupdate command line option or the updateAddOns option of the addOns job. Both have been found to cause problems when they update add-ons which are used by the plan currently being run.
The recommended approach is to run ZAP twice: once in command line mode to update all of the add-ons, and then again to run the plan, e.g.:
./zap.sh -cmd -addonupdate
./zap.sh -cmd -autorun zap.yaml <any other ZAP options>
If you are using the framework in the ZAP stable docker image then the recommended approach is to run ZAP in this way:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable bash -c "zap.sh -cmd -addonupdate; zap.sh -cmd -autorun /zap/wrk/zap.yaml"
The weekly and live docker images are less likely to be out of date, but if you want to use an add-on which has been updated since they were released then you should use the same sort of two-step command.
A longer term solution is being worked on.
For details of how to get started with the framework see the main framework help page.
The framework supports:
- environment - which defines all of the applications (contexts and URLs) the plan can act on
- authentication - all of the authentication mechanisms supported by ZAP
- job tests - which can be used to validate the outcome of jobs
The full set of jobs currently supported by the framework and by other add-ons is:
- activeScan - runs the active scanner
- addOns - add-on management
- alertFilter - alert filter configuration, provided with the Alert Filters add-on
- delay - waits for a specified time or until a condition is met
- graphql - GraphQL schema import, provided with the GraphQL add-on
- import - allows you to import HAR (HTTP Archive) files, ModSecurity2 logs, ZAP messages or a file containing URLs from the local file system
- openapi - OpenAPI definition import, provided with the OpenAPI add-on
- passiveScan-config - passive scan configuration
- passiveScan-wait - waits for the passive scanner to finish processing the current queue
- report - report generation, provided with the Report Generation add-on
- requestor - sends specific requests to targets
- script - adds, removes and runs scripts
- soap - SOAP WSDL import, provided with the SOAP add-on
- spider - runs the traditional spider
- spiderAjax - runs the ajax spider, provided with the Ajax Spider add-on
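The plan below is an added example written for this page, not a plan shipped with ZAP; it ties the pieces above together into a single zap.yaml that the commands earlier on this page would run. It defines an environment with one context, chains spider, passive scan and active scan jobs, attaches a job test to the spider, and writes a report into the directory mounted from the docker command. The target URL, context name, include/exclude patterns, time limits, test threshold, report paths and the add-on to install are all assumed values to be replaced for a real target. The addOns job is included only to show updateAddOns explicitly left at false, in line with the warning above.

```yaml
# zap.yaml - example Automation Framework plan (constructed for this page;
# the target URL, context name, limits and report paths are assumptions).
env:
  contexts:
    - name: "Target"
      urls:
        - "https://target.example"            # assumed target
      includePaths:
        - "https://target.example/.*"
      excludePaths:
        - "https://target.example/logout.*"   # keep the spider off the logout link
  parameters:
    failOnError: true        # a job error fails the whole run (non-zero exit)
    failOnWarning: false
    progressToStdout: true

jobs:
  # Add-on management. updateAddOns stays false on purpose: updating add-ons
  # that the running plan itself uses has been found to cause problems, so
  # update them in a separate "zap.sh -cmd -addonupdate" run beforehand.
  - type: addOns
    install:
      - openapi                # assumed: an add-on this plan needs
    parameters:
      updateAddOns: false

  - type: passiveScan-config
    parameters:
      maxAlertsPerRule: 10
      scanOnlyInScope: true

  - type: spider
    parameters:
      context: "Target"
      maxDuration: 5           # minutes
    tests:
      # Job test: fail loudly if the spider found almost nothing, which usually
      # means the target was unreachable or the scope patterns are wrong.
      - name: "spider found enough URLs"
        type: stats
        statistic: "automation.spider.urls.added"
        operator: ">="
        value: 20              # assumed threshold
        onFail: "warn"

  - type: passiveScan-wait
    parameters:
      maxDuration: 5           # minutes; 0 would mean wait indefinitely

  - type: activeScan
    parameters:
      context: "Target"
      maxScanDurationInMins: 15

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"    # the directory mounted in the docker command above
      reportFile: "zap-report"
      reportTitle: "Automation Framework scan"
```

Run it with the two-step command shown earlier (zap.sh -cmd -addonupdate, then zap.sh -cmd -autorun zap.yaml). With failOnError set to true, ZAP exits non-zero when a job fails, so a CI pipeline can gate on the exit code rather than on parsing the report; set onFail to "error" on a test if you also want that test to break the build.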
For details of future changes planned see the tracker issue.