Skip to content


Repository files navigation

ZAP Plugin for SonarQube

Build Status Codacy Badge Maintainability DepShield Badge Known Vulnerabilities deepcode

Integrates OWASP ZAP reports into SonarQube 7.9.6 LTS or higher. The current LTS version of SonarQube is the target.

About ZAP

OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

People with a wide range of security experience can use ZAP and making it ideal for developers and functional testers new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.


Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.

Plugin Configuration

A typical SonarQube configuration will have the following parameters. This example assumes the use of a Jenkins workspace, but can easily be altered for other CI/CD systems.

# Optional - specifies additional rules outside of what's included in the core


The ZAP SonarQube Plugin is derived from the OWASP Dependency-Check SonarQube Plugin. Version 1.0 of the Dependency-Check plugin was forked by @polymont with the intent of creating a generic OWASP SonarQube plugin to support any OWASP project. The ZAP team wanted their own SonarQube plugin independent of any other project. In addition, a number of critical defects were discovered in the initial release of the Dependency-Check SonarQube plugin that were later fixed in subsequent releases, but never addressed in the generic OWASP version. The ZAP SonarQube Plugin is based on v1.0.3 of the Dependency-Check SonarQube plugin with ZAP-specific contributions by @polymont.


Permission to modify and redistribute is granted under the terms of the LGPLv3 license.