docker-compose up -d
go run *.go
The ZAP proxy is available at:
ZAP Baseline Scan
This will run the baseline scan as configured in
The results are written out to `./reports/`. You can use `jq` to extract various information from the
jq -r '.site | (if type == "array" then .[] else . end) | .alerts[] | "\(.name) \t[\(.riskdesc)]"' ./reports/zap-baseline-example.com.json
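The same extraction in Go, going one step beyond the jq filter by keeping only alerts at or above a chosen risk so the report can gate a build. This is an added example, not code from this repository: `AtOrAbove`, the `rank` ordering and the sample report are assumptions, and `riskdesc` is assumed to start with the risk label, as in "Medium (High)".

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// rank orders the risk label that leads "riskdesc", e.g. "Medium (High)".
var rank = map[string]int{"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

// AtOrAbove returns the names of alerts in a ZAP JSON report whose risk is at
// least min. "site" may be one object or an array; unknown labels are kept.
func AtOrAbove(report []byte, min string) ([]string, error) {
	var doc struct{ Site json.RawMessage `json:"site"` }
	if err := json.Unmarshal(report, &doc); err != nil {
		return nil, fmt.Errorf("not a JSON report: %w", err)
	}
	raw := bytes.TrimSpace(doc.Site)
	if len(raw) > 0 && raw[0] == '{' { // single site object: wrap as an array
		raw = append(append([]byte{'['}, raw...), ']')
	}
	var sites []struct { // encoding/json matches the lower-case keys
		Alerts []struct{ Name, RiskDesc string } `json:"alerts"`
	}
	if err := json.Unmarshal(raw, &sites); err != nil {
		return nil, fmt.Errorf("unexpected \"site\" value: %w", err)
	}
	var names []string
	for _, s := range sites {
		for _, a := range s.Alerts {
			risk := strings.SplitN(a.RiskDesc, " ", 2)[0]
			if r, ok := rank[risk]; !ok || r >= rank[min] {
				names = append(names, a.Name)
			}
		}
	}
	return names, nil
}

// Constructed sample report, not real scan output.
const sample = `{"site":[{"@name":"http://example.com","alerts":[
{"name":"Constructed low-risk alert","riskdesc":"Low (Medium)"},
{"name":"Constructed medium-risk alert","riskdesc":"Medium (High)"}]}]}`

func main() {
	fmt.Println(AtOrAbove([]byte(sample), "Medium"))
}
```

An alert with an unrecognised risk label is returned rather than dropped, so a change in report format fails the gate instead of passing silently.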
If you want to use the ZAP WebSwing UI, you will have to:
- Change the `zaproxy` service in the `docker-compose.yml` file to use the `owasp/zap2docker-stable` image
- Change the `zaproxy` command to call
Once everything is started up, you can then access the UI at:
Note: It seems that enabling this will break any 'normal' port/proxy capability, including the API. It also seems as though the run script for this doesn't allow command line arguments to be passed to the proxy itself.
- You can scan the hackables using their 'docker-compose service name' and 'internal port' (as this is from the perspective of the ZAP container), eg.
`zaproxy` container logs show error 'URL Not Found in the Scan Tree'
- You need to access/spider a URL before you can scan it.
- You may have tried to scan a `127.0.0.1` URL, which is going to reference the ZAP container, not the local machine.
`main.go` produces an error such as
spider error: invalid character '<' looking for beginning of value
- You're probably running the WebUI version, which seems incompatible with the API.