OWASP ZAP Executor
Category: Web Application Scanners
Script: zap.py
Integration: Python API (python-owasp-zap-v2.4)
Faraday Plugin: ZapPlugin
Website: https://www.zaproxy.org/
Description
Connects to a running OWASP ZAP instance via its Python API, initiates a spider scan against a target URL, waits for completion, generates an XML report, and parses it into Faraday.
Prerequisites
- OWASP ZAP installed and running as a daemon or service
- ZAP API key generated (ZAP > Tools > Options > API)
- Python packages: python-owasp-zap-v2.4, psutil
Configuration
Environment Variables (Setup)
| Variable | Required | Description |
|---|---|---|
| ZAP_API_KEY | Yes | ZAP API authentication key |
Execution Arguments
| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| TARGET_URL | url | Yes | Target URL to scan (e.g., https://example.com) |
YAML Configuration Example
```yaml
executors:
  zap_scan:
    repo_executor: zap.py
    max_size: 65536
    varenvs:
      ZAP_API_KEY: "${ZAP_API_KEY}"
    params:
      TARGET_URL:
        mandatory: true
        type: url
        base: string
```
How It Works
- Connects to the ZAP API using `zapv2.ZAPv2` with the provided API key
- Initiates a spider scan against the target URL
- Polls the spider status until scan progress reaches 100%
- Generates an XML report from the scan results
- Parses the XML through `ZapPlugin` and outputs Faraday JSON
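The connect, spider, poll and report steps above, written out as an added example. This is illustrative code, not Faraday's own `zap.py`: the function names (`run_spider`, `validate_target`, `demo`), the `TARGET_URL` environment variable used for the stand-alone run, the `_FakeZap` stand-in and the `ZapPlugin` import path are assumptions. It adds two things a practitioner wants that the bare loop lacks: a deadline on the status poll, and a check that `spider.scan` returned a scan id rather than an error token.

```python
"""Connect / spider / poll / report sequence from the "How It Works" list.
Added, illustrative example; not Faraday's zap.py. Names below are assumptions."""
import os
import time
from urllib.parse import urlparse

try:  # client from python-owasp-zap-v2.4; optional so the example imports offline
    from zapv2 import ZAPv2
except ImportError:
    ZAPv2 = None

# Assumed: ZAP's API on localhost:8080, which is also the zapv2 library's default proxy.
ZAP_PROXIES = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}


def validate_target(url: str) -> str:
    """Accept only absolute http(s) URLs before handing anything to ZAP."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"TARGET_URL must be an absolute http(s) URL, got {url!r}")
    return url


def run_spider(zap, target: str, poll_interval: float = 1.0, timeout: float = 600.0) -> str:
    """Start a spider scan, poll until progress is 100%, return the XML report.

    `zap` is any object with zap.spider.scan(url) -> scan id, zap.spider.status(id)
    -> progress as a string percentage, and zap.core.xmlreport() -> XML string,
    which is the shape of the zapv2.ZAPv2 client. The deadline is the practical
    addition: a bare `while status < 100` loop hangs forever if ZAP stalls.
    """
    scan_id = zap.spider.scan(validate_target(target))
    if not str(scan_id).isdigit():
        # On failure ZAP returns an error token (e.g. "url_not_found") instead of an id.
        raise RuntimeError(f"spider.scan failed: {scan_id}")
    deadline = time.monotonic() + timeout
    while int(zap.spider.status(scan_id)) < 100:
        if time.monotonic() > deadline:
            raise TimeoutError(f"spider {scan_id} did not finish within {timeout}s")
        time.sleep(poll_interval)
    return zap.core.xmlreport()


# --- constructed stand-in so the functions above can be exercised without a ZAP instance ---
class _FakeSpider:
    def __init__(self, steps, scan_result):
        self._progress, self._scan_result = iter(steps), scan_result

    def scan(self, url):
        return self._scan_result

    def status(self, scan_id):
        return next(self._progress, "100")


class _FakeCore:
    def xmlreport(self):
        return '<?xml version="1.0"?><OWASPZAPReport><site name="https://example.com"/></OWASPZAPReport>'


class _FakeZap:
    def __init__(self, steps=("0", "40", "100"), scan_result="1"):
        self.spider, self.core = _FakeSpider(steps, scan_result), _FakeCore()


def demo(target="https://example.com", steps=("0", "40", "100"), scan_result="1", timeout=600.0) -> str:
    """Run the sequence against the constructed fake and return its XML report."""
    return run_spider(_FakeZap(steps, scan_result), target, poll_interval=0.0, timeout=timeout)


def demo_error(**kwargs) -> str:
    """Run demo() and return the exception class name, or "" on success."""
    try:
        demo(**kwargs)
    except (ValueError, RuntimeError, TimeoutError) as exc:
        return type(exc).__name__
    return ""


if __name__ == "__main__":
    # Real run: assumes ZAP_API_KEY (the executor's varenv) and TARGET_URL in the environment.
    zap = ZAPv2(apikey=os.environ["ZAP_API_KEY"], proxies=ZAP_PROXIES)
    report = run_spider(zap, os.environ["TARGET_URL"])
    # Final step of the executor; the import path is assumed from the faraday_plugins package.
    from faraday_plugins.plugins.repo.zap.plugin import ZapPlugin
    plugin = ZapPlugin()
    plugin.parseOutputString(report)
    print(plugin.get_json())
```

`demo()` drives the real `run_spider` logic through the fake client, so the three failure paths (a non-URL target, an error token from `spider.scan`, a scan that never reaches 100%) can be checked offline; the `__main__` branch is the path you would run against a live ZAP.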
Notes
- ZAP must be running before the executor starts; the executor does not launch ZAP
- The executor runs a spider scan (crawling + passive scanning); active scanning must be triggered separately in ZAP
- ZAP listens on `localhost:8080` by default; the API key is the only authentication on that API, so keep it bound to localhost unless access is otherwise restricted