Use ZAP with Flagger in Kubernetes

Posted Tuesday December 24, 2024 2150 Words

Learn how to integrate ZAP with Flagger in a Kubernetes cluster to scan the security of each new deployment.

Automated ZAP Scans for Orchard Core Apps

Posted Friday December 8, 2023 542 Words

If you have an app running on the ASP.NET Core web framework and CMS Orchard Core, you can now easily run ZAP scans for it.

ZAP Docker Images in GitHub Container Registry

Posted Tuesday June 13, 2023 146 Words

ZAP Docker images are now also published to the GitHub Container Registry.

Baseline Scan Changes

Posted Tuesday June 15, 2021 831 Words

Important information for anyone who uses the baseline scan in the Live or Weekly Docker images.

Diagnosing Docker Problems

Posted Monday January 1, 0001 770 Words

Docker is a great way to run ZAP in a CI/CD pipeline, but diagnosing problems can be tricky.

ZAP Cannot Connect to the Target

If ZAP cannot connect to your target app then the first thing to do is to see if this is a ‘Docker’ networking issue.

ZAP - API Scan

Posted Monday January 1, 0001 1181 Words

The ZAP API scan is a script that is available in the ZAP Docker images.

It is tuned for performing scans against APIs defined by OpenAPI, SOAP, or GraphQL via either a local file or a URL.

It imports the definition that you specify and then runs an Active Scan against the URLs found. The Active Scan is tuned to APIs, so it doesn’t bother looking for things like XSSs.

ZAP - Baseline Scan

Posted Monday January 1, 0001 1378 Words

The ZAP Baseline scan is a script that is available in the ZAP Docker images.

It runs the ZAP spider against the specified target for (by default) 1 minute and then waits for the passive scanning to complete before reporting the results.

This means that the script doesn’t perform any actual ‘attacks’ and will run for a relatively short period of time (a few minutes at most).

ZAP - Full Scan

Posted Monday January 1, 0001 619 Words

The ZAP full scan is a script that is available in the ZAP Docker images.

It runs the ZAP spider against the specified target (by default with no time limit) followed by an optional ajax spider scan and then a full active scan before reporting the results.

This means that the script does perform actual ‘attacks’ and can potentially run for a long period of time.

Scan Hooks

To make it easy to make little tweaks here and there a hook system is in place to help you. It enables you to override or modify behaviour of the script components instead of having to write a new script.

Use Cases

Modifying Args
For the AJAX crawler you may want to target a suburl with a specific hash (http://example.com vs http://example.com/#/dashboard). You can use the zap_ajax_spider hook to intercept the arguments and modify them.

ZAP - Webswing Usage

Posted Monday January 1, 0001 483 Words

Starting with version 2.5.0 you can run the ZAP Desktop UI in your browser without having to install Java, thanks to the magic of Docker and Webswing

To do this you will just need Docker installed. Start the container with webswing support:

Stable:
- docker run -u zap -p 8080:8080 -p 8090:8090 -i ghcr.io/zaproxy/zaproxy:stable zap-webswing.sh
Weekly:
- docker run -u zap -p 8080:8080 -p 8090:8090 -i ghcr.io/zaproxy/zaproxy:weekly zap-webswing.sh

Then point your browser at:

ZAP Docker User Guide

Posted Monday January 1, 0001 1371 Words

Introduction

Docker image with Zed Attack Proxy preinstalled.

Please note that ZAP Docker images are available on Docker Hub as well as GitHub Container Registry (GHCR). While the docker run commands on this page use the Docker Hub images, either can be used interchangeably.

Details

Install Instructions

Stable

The stable image is updated whenever there is a ZAP full release. It is also regenerated monthly, typically on the first Monday of the month. The monthly updates pull in the latest base Docker image and also any updated ZAP add-ons - no ZAP ‘core’ changes are included.

Tag: Docker