Playing around with OWASP ZAP APIs and Automation


Playing around with OWASP ZAP automation using zaproxy/zap-api-go.


docker-compose up -d
go run *.go

The ZAP proxy is available at:

ZAP Baseline Scan

This will run the baseline scan as configured in docker-compose-run.yml:


The results are written out to ./reports/. You can use jq to extract various information from the json output:

jq '.site.alerts[] | "\(.name) \t[\(.riskdesc)]"' ./reports/
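The same extraction in Go, as an added example that is not part of this repository's code: it reads the `name` and `riskdesc` fields used by the jq filter and lists the alerts at or above a chosen risk level. It goes slightly beyond the filter by also accepting `site` as an array of sites; the function names, the risk ordering and the sample report are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample report; only the fields the jq filter reads are present.
const sampleReport = `{"site": {"alerts": [
  {"name": "X-Frame-Options Header Not Set", "riskdesc": "Medium (Medium)"},
  {"name": "Cookie Without SameSite Attribute", "riskdesc": "Low (Medium)"}]}}`

type alert struct{ Name, RiskDesc string } // JSON keys match case-insensitively
// Assumed ordering of the risk word that starts riskdesc, e.g. "Medium (Medium)".
var rank = map[string]int{"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

// parseAlerts accepts "site" as one object (what the jq filter expects) or an array.
func parseAlerts(data []byte) (all []alert, err error) {
	var doc struct{ Site json.RawMessage }
	if err = json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("report is not valid JSON: %w", err)
	}
	sites := make([]struct{ Alerts []alert }, 1)
	if json.Unmarshal(doc.Site, &sites[0]) != nil { // not one object: try an array
		if err = json.Unmarshal(doc.Site, &sites); err != nil {
			return nil, fmt.Errorf("unexpected \"site\" value: %w", err)
		}
	}
	for _, s := range sites {
		all = append(all, s.Alerts...)
	}
	return all, nil
}

// atOrAbove lists alert names at or above min; unknown risk words fail closed.
func atOrAbove(alerts []alert, min string) (names []string) {
	for _, a := range alerts {
		level, _, _ := strings.Cut(a.RiskDesc, " ")
		if r, ok := rank[level]; !ok || r >= rank[min] {
			names = append(names, a.Name)
		}
	}
	return names
}

func main() {
	alerts, err := parseAlerts([]byte(sampleReport))
	fmt.Println(atOrAbove(alerts, "Medium"), err)
}
```

A non-empty result from `atOrAbove` can be used to fail a CI job after the baseline scan.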

Web UI

If you want to use the ZAP WebSwing UI, you will have to:

  • Change the zaproxy service in the `docker-compose.yml` file to use the `owasp/zap2docker-stable` image
  • Change the zaproxy command to call

Once everything is started up, you can then access the UI at:

Note: It seems that enabling this will break any 'normal' port/proxy capability, including the API. It also seems as though the run script for this doesn't allow command line arguments to be passed to the proxy itself.


Potential Issues

  • You can scan the hackables using their 'docker-compose service name' and 'internal port' (as this is from the perspective of the ZAP container), e.g.
    • http://bodgeit:8080/bodgeit/
    • http://juiceshop:3000
  • zaproxy container logs show error 'URL Not Found in the Scan Tree'
    • You need to access/spider a URL before you can scan it.
    • You may have tried to scan a URL that resolves to the ZAP container itself, not the local machine.
  • main.go produces an error such as spider error: invalid character '<' looking for beginning of value
    • You're probably running the WebUI version, which seems incompatible with the API.