OWASP ZAP Tool Integration
Integrating OWASP ZAP with other security tools, CI/CD pipelines, and development workflows
OWASP ZAP can be integrated with various security tools, development workflows, and CI/CD pipelines to create a comprehensive security testing ecosystem. This guide covers key integration approaches and best practices.
Integration with Security Tools
Burp Suite Integration
Combine ZAP with Burp Suite for comprehensive testing:
-
Complementary Usage:
- Use ZAP for automation and CI/CD integration
- Use Burp Suite for manual testing
- Share findings between tools
- Leverage strengths of each tool
-
Integration Methods:
- Use ZAP as upstream proxy for Burp
- Export/import scan results between tools
- Compare findings for validation
- Use both tools in parallel testing workflows
-
Configuration Example:
- Configure ZAP to listen on port 8080
- Configure Burp to use upstream proxy at 127.0.0.1:8080
- Traffic flows through ZAP first, then Burp
- Both tools can analyze the same traffic
CI/CD Integration
1
Jenkins Integration
Integrate ZAP with Jenkins:
- Install the "OWASP ZAP Scanner" plugin in Jenkins
- Configure a Jenkins pipeline:
pipeline {
agent any
stages {
stage('ZAP Security Tests') {
steps {
// Start ZAP in daemon mode
sh 'docker run -d --name zap -u zap -p 2375:2375 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 2375 -config api.disablekey=true'
// Run application tests with ZAP proxy
sh 'APP_PROXY=http://localhost:2375 npm test'
// Run ZAP active scan
sh 'docker exec zap zap-cli -p 2375 active-scan --scanners xss,sqli http://target-application'
// Generate report
sh 'docker exec zap zap-cli -p 2375 report -o /home/zap/report.html -f html'
// Copy report from container
sh 'docker cp zap:/home/zap/report.html ./zap-report.html'
}
post {
always {
// Publish HTML report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: 'zap-report.html',
reportName: 'ZAP Security Report'
])
// Stop ZAP container
sh 'docker stop zap && docker rm zap'
}
}
}
}
}
2
GitHub Actions Integration
Integrate ZAP with GitHub Actions:
name: OWASP ZAP Security Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
zap_scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: ZAP Scan
uses: zaproxy/action-baseline@v0.7.0
with:
target: 'https://www.example.com'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
- name: Upload ZAP Report
uses: actions/upload-artifact@v2
with:
name: ZAP Report
path: reports/
Create a .zap/rules.tsv file to customize the scan:
10016 IGNORE (Modern Web Application)
10020 IGNORE (X-Frame-Options Header)
3
GitLab CI Integration
Integrate ZAP with GitLab CI:
stages:
- build
- test
- security
- deploy
zap_security_scan:
stage: security
image: owasp/zap2docker-stable
variables:
TARGET_URL: "https://example.com"
script:
- mkdir -p /zap/wrk/
- zap-baseline.py -t $TARGET_URL -g gen.conf -r zap-report.html
artifacts:
paths:
- zap-report.html
expire_in: 1 week
allow_failure: true
Issue Tracking Integration
Jira Integration
Integrate ZAP findings with Jira:
-
Setup:
- Install the "OWASP ZAP - Jira" add-on
- Configure Jira connection details in ZAP
- Set up issue creation templates
-
Configuration:
- Go to Tools > Options > Jira
- Enter Jira URL, API token, and project key
- Configure issue type and field mappings
- Set up severity mapping
-
Usage:
- Right-click on an alert in ZAP
- Select "Create Jira Issue"
- Review and customize the issue details
- Submit to create the Jira issue
- Track issues through Jira dashboard
Development Workflow Integration
1
IDE Integration
Integrate ZAP with development environments:
-
Browser Developer Tools:
- Use ZAP as proxy with browser dev tools
- Analyze requests and responses
- Debug security issues in real-time
- Test fixes immediately
-
IDE Plugins:
- Use ZAP extensions for popular IDEs
- View security findings in IDE
- Navigate to vulnerable code
- Fix issues without leaving IDE
-
Local Development:
- Run ZAP locally during development
- Configure local applications to use ZAP proxy
- Test security during feature development
- Implement security-by-design approach
2
Pre-commit Hooks
Implement security checks before code commits:
- Set up pre-commit hooks for security testing:
#!/bin/bash
# Pre-commit hook for security testing
# Run ZAP API scan on local service
zap-api-scan.py -t http://localhost:8080/api -f openapi -r pre-commit-report.html
# Check for high alerts
if grep -q "High Alerts: [1-9]" pre-commit-report.html; then
echo "Security issues found! See pre-commit-report.html for details."
exit 1
fi
exit 0
- Install the hook in your repository:
cp pre-commit-hook.sh .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
3
Developer Training
Use ZAP for security training:
-
Security Workshops:
- Use ZAP to demonstrate vulnerabilities
- Show real-time exploitation and mitigation
- Create hands-on training exercises
- Build security awareness
-
Security Champions:
- Train security champions on ZAP usage
- Implement peer security reviews
- Create security testing guidelines
- Build security expertise within teams
-
Self-Service Security:
- Provide developers with ZAP training
- Create security testing playbooks
- Implement security testing templates
- Encourage proactive security testing
API Integration
ZAP REST API
Use ZAP's REST API for custom integrations:
-
API Basics:
- ZAP provides a comprehensive REST API
- Access via http://zap-address:port/JSON/
- API key required for most operations
- Supports JSON and XML formats
-
Key Endpoints:
/JSON/core/view/alerts: Get current alerts/JSON/ascan/action/scan: Start active scan/JSON/spider/action/scan: Start spider/JSON/pscan/view/scanners: View passive scanners
-
Example API Usage:
# Start a spider scan
curl "http://localhost:8080/JSON/spider/action/scan/?apikey=12345&url=https://example.com&recurse=true"
# Check spider status
curl "http://localhost:8080/JSON/spider/view/status/?apikey=12345"
# Start an active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?apikey=12345&url=https://example.com&recurse=true"
# Get alerts
curl "http://localhost:8080/JSON/core/view/alerts/?apikey=12345&baseurl=https://example.com"
Docker Integration
1
Basic Docker Usage
Use ZAP Docker containers for testing:
# Run ZAP in headless mode
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://example.com -r report.html
# Run ZAP with web UI
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
# Run ZAP API scan
docker run -t owasp/zap2docker-stable zap-api-scan.py -t https://example.com/api/swagger.json -f openapi
# Run ZAP full scan
docker run -t owasp/zap2docker-stable zap-full-scan.py -t https://example.com
2
Docker Compose Integration
Create a Docker Compose setup for ZAP and your application:
# docker-compose.yml
version: '3'
services:
webapp:
build: .
ports:
- "8080:8080"
networks:
- security-net
zap:
image: owasp/zap2docker-stable
command: zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
ports:
- "8090:8090"
networks:
- security-net
volumes:
- ./reports:/zap/reports
security-tests:
image: owasp/zap2docker-stable
command: >
zap-baseline.py -t http://webapp:8080
-r /reports/zap-report.html
-z "-config api.disablekey=true"
networks:
- security-net
volumes:
- ./reports:/reports
depends_on:
- webapp
- zap
networks:
security-net:
3
Custom Docker Images
Create custom ZAP Docker images for specific needs:
# Dockerfile for custom ZAP image
FROM owasp/zap2docker-stable
# Install additional tools
RUN apt-get update && apt-get install -y \
python3-pip \
curl \
jq
# Install Python dependencies
RUN pip3 install requests python-owasp-zap-v2.4 pytest
# Add custom scripts
COPY scripts/ /zap/scripts/
RUN chmod +x /zap/scripts/*.py /zap/scripts/*.sh
# Add custom ZAP configuration
COPY config/config.xml /home/zap/.ZAP/config.xml
# Set working directory
WORKDIR /zap
# Default command
ENTRYPOINT ["/zap/scripts/custom-entrypoint.sh"]
Advanced Integration Scenarios
DevSecOps Pipeline Integration
Create a comprehensive DevSecOps pipeline with ZAP:
-
Multi-Stage Testing:
- Run baseline scans during development
- Perform API testing during integration
- Execute full scans before production
- Implement continuous monitoring
-
Quality Gates:
- Define security quality gates
- Block deployments for critical issues
- Implement risk-based approvals
- Track security debt over time
-
Example Pipeline Flow:
- Developer commits code
- SAST tools analyze code
- Build and deploy to test environment
- ZAP performs API and baseline testing
- Security review for medium/high issues
- Deploy to staging environment
- ZAP performs full scan
- Security sign-off
- Deploy to production
- Continuous monitoring with ZAP
Next Steps
Now that you understand OWASP ZAP tool integration, explore these related topics:
- Automation - Learn more about automating ZAP
- API Security Testing - Test API security with ZAP
- Custom Rules - Create custom scan rules
- Best Practices - Best practices for effective and ethical use of ZAP