OWASP ZAP — DAST Scanning
OWASP ZAP (Zed Attack Proxy) is the world's most widely used open-source DAST (Dynamic Application Security Testing) tool. It automatically discovers and tests running web applications for security vulnerabilities — SQL injection, XSS, security misconfiguration, and more. Integrating ZAP into your CI/CD pipeline provides automated security regression testing on every build.
OWASP ZAP Setup and Automated Scanning
```bash
# ══════════════════════════════════════════════════════════════
# OWASP ZAP — Two modes of operation
# 1. GUI Mode: For interactive security exploration (learning/discovery)
# 2. Daemon/Headless Mode: For CI/CD automated scanning
# ══════════════════════════════════════════════════════════════

# ── DOCKER-BASED ZAP SCAN (simplest CI integration) ───────────
# The packaged scan scripts write their reports to /zap/wrk inside the
# container, so mount the current directory there or the report is lost.

# Run a baseline scan (spider + passive rules only) on your staging environment:
docker run -v "$(pwd):/zap/wrk/:rw" -t ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://staging.myapp.com -g gen.conf -r zap-baseline-report.html

# Full active scan (more aggressive — use only in isolated test env):
docker run -v "$(pwd):/zap/wrk/:rw" -t ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py -t https://staging.myapp.com -r zap-full-scan-report.html

# API scan (using OpenAPI/Swagger definition):
docker run -v "$(pwd):/zap/wrk/:rw" -t ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py -t https://staging.myapp.com/api/swagger.json -f openapi -r zap-api-report.html

# Exit codes of these scripts: 0 = pass, 1 = at least one FAIL,
# 2 = at least one WARN and no FAIL, 3 = scan error. CI can key on them.
```

```yaml
# ── GITHUB ACTIONS ZAP INTEGRATION ────────────────────────────
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.12.0
        with:
          target: 'https://staging.myapp.com'
          rules_file_name: '.zap/rules.tsv'   # Configure alert rules
          cmd_options: '-a'                   # Include alpha passive rules
          fail_action: true                   # Fail CI on HIGH risk alerts
```

```python
# ── PROGRAMMATIC ZAP SCANNING (Python) ────────────────────────
# pip install python-owasp-zap-v2.4
# Assumes a ZAP daemon is already listening on 127.0.0.1:8080, e.g.:
#   zap.sh -daemon -port 8080 -config api.key=your-zap-api-key
import time

from zapv2 import ZAPv2


def run_security_scan(target_url):
    # The client talks to ZAP through its listening proxy port; the API key
    # must match the one the daemon was started with.
    zap = ZAPv2(apikey='your-zap-api-key',
                proxies={'http': 'http://127.0.0.1:8080',
                         'https': 'http://127.0.0.1:8080'})
    print(f"Starting spider on {target_url}")
    scan_id = zap.spider.scan(target_url)
    # Wait for spider to complete (status is a percentage string)
    while int(zap.spider.status(scan_id)) < 100:
        print(f"Spider progress: {zap.spider.status(scan_id)}%")
        time.sleep(2)
    print("Spider complete. Starting active scan...")
    ascan_id = zap.ascan.scan(target_url)
    # Wait for active scan
    while int(zap.ascan.status(ascan_id)) < 100:
        print(f"Active scan: {zap.ascan.status(ascan_id)}%")
        time.sleep(5)
    # Get alerts (vulnerabilities found) for this base URL
    alerts = zap.core.alerts(baseurl=target_url)
    # Categorize by risk level ('High', 'Medium', 'Low', 'Informational')
    high_risk = [a for a in alerts if a['risk'] == 'High']
    medium_risk = [a for a in alerts if a['risk'] == 'Medium']
    print(f"RESULTS: {len(high_risk)} HIGH, {len(medium_risk)} MEDIUM alerts")
    # Fail the build if any HIGH risk vulnerabilities were found. A real
    # exception rather than assert: asserts are stripped under python -O.
    if high_risk:
        raise RuntimeError(f"HIGH risk vulnerabilities found: {high_risk}")
    return alerts
```

Common Mistakes
- Running a ZAP active scan against production — active scans send real requests that can change data; always run them against an isolated staging environment only
- Not authenticating ZAP — unauthenticated scans miss vulnerabilities behind login; configure ZAP with a context, a user and session handling so it tests authenticated endpoints
- Failing CI on ALL ZAP alerts — ZAP produces false positives; create a rules file (.zap/rules.tsv) to suppress known false positives before failing the build
- Treating ZAP as the only security testing — ZAP is excellent for known vulnerability patterns but misses business logic flaws; always combine it with manual authentication/authorization testing
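The second mistake above, scanning without authentication, is fixed by giving ZAP a context with form-based authentication and a user, then spidering and active-scanning as that user. The block below is an added example written for this page, not the project's own code: it drives the same `python-owasp-zap-v2.4` client API as the scanning function above. The login URL, field names, scope regex, logged-in indicator and credentials are assumed illustration values. The `_Recorder` class is a stand-in that records the API calls so the block runs offline; against a real ZAP you pass a `ZAPv2` instance instead.

```python
from urllib.parse import quote

# Assumed values for illustration only (not from the page).
TARGET_URL = "https://staging.myapp.com"
LOGIN_URL = "https://staging.myapp.com/login"
CONTEXT_NAME = "staging"
IN_SCOPE_REGEX = r"https://staging\.myapp\.com.*"
# ZAP checks each response against this Java regex to decide whether the
# session is still logged in; \Q...\E makes the HTML fragment literal.
LOGGED_IN_REGEX = r'\Q<a href="/logout">\E'


def form_auth_params(login_url, user_field="username", pass_field="password"):
    """Build the formBasedAuthentication config string the ZAP API expects.

    ZAP substitutes {%username%} and {%password%} at login time. Both values
    are URL-encoded once because the API receives them as one parameter.
    """
    request_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return (f"loginUrl={quote(login_url, safe='')}"
            f"&loginRequestData={quote(request_data, safe='')}")


def configure_authenticated_scan(zap, username, password):
    """Create a context with form-based auth plus a user, then spider and
    active-scan TARGET_URL as that user. Returns the ids ZAP hands back."""
    context_id = zap.context.new_context(CONTEXT_NAME)
    zap.context.include_in_context(CONTEXT_NAME, IN_SCOPE_REGEX)
    zap.authentication.set_authentication_method(
        context_id, "formBasedAuthentication", form_auth_params(LOGIN_URL))
    zap.authentication.set_logged_in_indicator(context_id, LOGGED_IN_REGEX)
    user_id = zap.users.new_user(context_id, "scanner")
    zap.users.set_authentication_credentials(
        context_id, user_id,
        f"username={quote(username, safe='')}&password={quote(password, safe='')}")
    zap.users.set_user_enabled(context_id, user_id, "true")
    spider_id = zap.spider.scan_as_user(context_id, user_id, TARGET_URL)
    ascan_id = zap.ascan.scan_as_user(TARGET_URL, context_id, user_id)
    return context_id, user_id, spider_id, ascan_id


class _Recorder:
    """Test double for ZAPv2 (not the real client): records calls such as
    zap.context.new_context(...) and returns ids as strings, like ZAP does."""

    def __init__(self, calls=None, prefix=""):
        self.calls = [] if calls is None else calls
        self._prefix = prefix

    def __getattr__(self, name):
        return _Recorder(self.calls, f"{self._prefix}{name}.")

    def __call__(self, *args):
        self.calls.append((self._prefix[:-1], args))
        return str(len(self.calls))


if __name__ == "__main__":
    rec = _Recorder()
    configure_authenticated_scan(rec, "scanner@example.test", "s3cret-placeholder")
    for name, args in rec.calls:
        print(name, args)
    # Against a live daemon: configure_authenticated_scan(
    #     ZAPv2(apikey='your-zap-api-key', proxies={...}), user, password)
```

Poll `zap.spider.status(spider_id)` and `zap.ascan.status(ascan_id)` exactly as the scanning function above does; keep the scanner account confined to the staging environment, and read the credentials from the CI secret store rather than hard-coding them.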
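The third mistake, failing CI on every alert, comes down to triaging ZAP's alerts against a rules file. The block below is an added example written for this page, not code from the project: it parses text in the tab-separated layout `zap-baseline.py` reads (plugin id, IGNORE/WARN/FAIL, comment) and applies it to alert dicts shaped like those `zap.core.alerts()` returns. The rule lines and alerts are constructed sample data, and the triage policy (unlisted High fails, unlisted lower risks warn) is the example's own, not the exact semantics of the baseline script. It also handles the edge cases the practice task asks for: an empty alert list, a malformed rule line, and an alert with no plugin id.

```python
import csv
import io

# Constructed rules file text in the zap-baseline.py layout:
# <plugin id> TAB <IGNORE|WARN|FAIL> TAB <comment>; '#' lines are comments.
RULES_TSV = """# id\taction\tcomment
10021\tIGNORE\t(X-Content-Type-Options Header Missing - header set by the CDN)
10202\tWARN\t(Absence of Anti-CSRF Tokens - tracked in backlog)
40018\tFAIL\t(SQL Injection)
this-is-not-a-rule
"""

# Constructed alerts shaped like the dicts zap.core.alerts() returns
# (only the keys used here are included).
ALERTS = [
    {"pluginId": "40018", "risk": "High", "alert": "SQL Injection",
     "url": "https://staging.example/items?id=1"},
    {"pluginId": "10021", "risk": "Low", "alert": "X-Content-Type-Options Header Missing",
     "url": "https://staging.example/"},
    {"pluginId": "10202", "risk": "Medium", "alert": "Absence of Anti-CSRF Tokens",
     "url": "https://staging.example/form"},
    {"pluginId": "90022", "risk": "Medium", "alert": "Application Error Disclosure",
     "url": "https://staging.example/err"},
    {"risk": "High", "alert": "Alert with no pluginId"},
]

VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}


def parse_rules(text):
    """Parse rules.tsv text into {plugin_id: action}; malformed lines are skipped."""
    rules = {}
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 2 or row[1].strip().upper() not in VALID_ACTIONS:
            continue  # edge case: a broken line must not silently IGNORE or FAIL
        rules[row[0].strip()] = row[1].strip().upper()
    return rules


def triage(alerts, rules, fail_risks=("High",)):
    """Apply the rules to ZAP alerts.

    Policy (this example's own):
      IGNORE   -> dropped (known false positive)
      FAIL     -> fails the build regardless of risk
      WARN     -> reported but does not fail
      unlisted -> fails if its risk is in fail_risks, otherwise warns
    """
    result = {"fail": [], "warn": [], "ignored": []}
    for alert in alerts:
        plugin_id = str(alert.get("pluginId", ""))  # edge case: no id => unlisted
        action = rules.get(plugin_id)
        if action == "IGNORE":
            result["ignored"].append(alert)
        elif action == "FAIL" or (action is None and alert.get("risk") in fail_risks):
            result["fail"].append(alert)
        else:
            result["warn"].append(alert)
    result["passed"] = not result["fail"]  # an empty alert list passes
    return result


def main():
    rules = parse_rules(RULES_TSV)
    outcome = triage(ALERTS, rules)
    for bucket in ("fail", "warn", "ignored"):
        for a in outcome[bucket]:
            print(f"{bucket.upper():7} {a.get('pluginId', '-'):>6} "
                  f"{a.get('risk', '?'):7} {a['alert']}")
    print("BUILD", "PASSED" if outcome["passed"] else "FAILED")
    return 0 if outcome["passed"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Wire `triage()` to the `alerts` list returned by the scanning function and exit non-zero only when `passed` is false; every IGNORE entry should carry a comment saying why it is a false positive, so the suppression can be reviewed like any other code change.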
Tip
Practice OWASP ZAP DAST Scanning in small, isolated examples before integrating into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
Write test first → make it pass → clean up → repeat
Practice Task
(1) Write a working example of OWASP ZAP DAST Scanning from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Warning
A common mistake with OWASP ZAP DAST Scanning is skipping edge case testing — empty inputs, null values, and unexpected data types. Always validate boundary conditions to produce robust, production-ready code.
Key Takeaways
- OWASP ZAP (Zed Attack Proxy) is the world's most widely used open-source DAST (Dynamic Application Security Testing) tool; it finds SQL injection, XSS, security misconfiguration and similar issues by exercising the running application.
- Run active scans only against an isolated staging environment; they send real requests that can change data.
- Authenticate ZAP (context, user, session handling) so scans reach the endpoints behind login.
- Use a rules file (.zap/rules.tsv) to suppress known false positives before failing the build on ZAP alerts.