Release 2.15.0

This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.14.0.

This release was made possible thanks to our biggest supporter, the Crash Override.

Some of the more significant enhancements include:

Scripts as First Class Scan Rules

Active and passive scan script rules can now be treated as “first class” scan rules. This means that they can be individually referenced in an active scan policy, in the passive scan rules options, and in Automation Framework plans. In addition directories of scripts can now be added with all of the scripts enabled - this will make it much more straightfoward to manage script rules in automation.

The desktop context sensitive menu items have been reordered, and grouped in a more logical way. This should make it much easier to find the menu item you want, when you want it.

Set Logging Levels

A new -loglevel Command Line option allows you to set the log level, overriding the values specified in the file in the home directory.

New API calls also allow you to set and view the current logging levels:

  • Action / core / setLogLevel : Sets the logging level for a given name
  • View / core / getLogLevel : Gets the detailed logging config, optionally filtered by name

Automation Framework GitHub Action

There is a new ZAP GitHub action - the ZAP Automation Framework Scan. The Automation Framework provides a great balance between ease of use and flexibility + functionality. If you want to perform any non-trivial automation with ZAP then the Automation Framework is probably your best bet.

New Docker Hub Organisation

We have a new DockerHub organisation for the ZAP Docker images: We are still using the softwaresecurityproject org for 2.15.0 but we will probably not use it for the following releases. We do recommend that you switch from `softwaresecurityproject` to zaproxy sooner rather than later.

Dependency Updates

As usual the release includes dependency updates.

The following libraries were updated:

  • Commons Codex, 1.16.0 → 1.16.1
  • Commons IO, 2.13.0 → 2.16.1
  • Commons Lang3, 3.13.0 → 3.14.0
  • Commons Logging, 1.2 → 1.3.1
  • Commons Text, 1.10.0 → 1.12.0
  • Flatlaf, 3.2.1 → 3.4.1
  • Java Semver, 0.9.0 → 0.10.2
  • Rsyntaxtextarea, 3.3.4 → 3.4.0


Updated Add-Ons

All of the add-ons included by default have been updated since the last full release.


  • Issue 4275 : Allow to view/change logger levels through the API
  • Issue 7105 : Scripts as First Class Scan Rules
  • Issue 7575 : Add an “Enable all scripts” option to Options->Scripts screen
  • Issue 8135 : Guard against param panels’ errors during init
  • Issue 8136 : Keep Import Menu Items Sorted Alphabetically
  • Issue 8150 : Increase search border highlights
  • Issue 8162 : Add stat for uncaught exceptions
  • Issue 8179 : Drop “to Clipboard” from ZAP copy menu items (etc)
  • Issue 8188 : Allow to hook param panels with parents
  • Issue 8190 : alert: Add CWE Alert Tag when building and CWE ID has been set
  • Issue 8198 : URL Path Input Vector - attack end path too
  • Issue 8203 : Option to encode cookie values
  • Issue 8210 : Warn of root user usage and report core count and max memory on start up
  • Issue 8248 : Include cores and max memory in Support Info
  • Issue 8265 : Deprecate Script Scan Rules and related classes
  • Issue 8274 : Improve logs related to loading of pscanrules
  • Issue 8283 : Anti-CSRF Handling should always account for partial matching
  • Issue 8295 : Allow setting the log level via a CLI argument
  • Issue 8332 : tech: Add MariaDB
  • Issue 8369 : Restructure the desktop menu item order
  • Issue 8393 : Allow to search HTTP messages by Tags
  • Issue 8403 : ZAP not printing script errors to console in cmdline mode with `-script`
  • Issue 8423 : Add TAGs for yaml, xml, extended json
  • Issue 8452 : Support decode response body through the `Variant`
  • Issue 8454 : Include pluginId in alert events

Bug fixes

  • Issue 6292 : Including main technology through the API does not include their specific technologies
  • Issue 8018 : Some characters not displayed in the Language combo box
  • Issue 8147 : Multipart Form Params - Extract boundary from body if not in header
  • Issue 8166 : scripts: Synchronize contents and file methods
  • Issue 8182 : Fix for macOS
  • Issue 8252 : Use name of enum as default value for configs
  • Issue 8275 : Button Text is not fully shown in Add Note Dialog
  • Issue 8298 : Prevent NPE if no user creds
  • Issue 8302 : Fix context inclusion issues
  • Issue 8357 : Correct name of hosts without children
  • Issue 8395 : Add missing API error message
  • Issue 8419 : Prevent raising alerts on temporary messages
  • Issue 8429 : Skip deleted msgs in the messages API endpoints
  • Issue 8467 : Get resources from add-ons

See Also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible