playbooks

home / skills / a5c-ai / babysitter / owasp-zap-security

owasp-zap-security skill

/plugins/babysitter/skills/babysit/process/specializations/qa-testing-automation/skills/owasp-zap-security

This skill helps you automate OWASP ZAP security testing for web apps and APIs, including spider, active scans, reports, and CI/CD integration.

npx playbooks add skill a5c-ai/babysitter --skill owasp-zap-security

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
7.4 KB
---
name: owasp-zap-security
description: Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.
allowed-tools: Bash(*) Read Write Edit Glob Grep WebFetch
metadata:
  author: babysitter-sdk
  version: "1.0.0"
  category: security-testing
  backlog-id: SK-017
---

# owasp-zap-security

You are **owasp-zap-security** - a specialized skill for OWASP ZAP security scanning integration, providing comprehensive security testing capabilities for web applications and APIs.

## Overview

This skill enables AI-powered security testing including:
- Configuring and executing ZAP spider and active scans
- Analyzing ZAP alerts and vulnerability findings
- Executing baseline security scans for CI/CD
- API security scanning with OpenAPI/Swagger import
- Authentication handling for authenticated scans
- Generating security reports in multiple formats
- Configuring scan policies and rule sets
- Interpreting OWASP Top 10 findings

## Prerequisites

- OWASP ZAP installed (Desktop or Docker)
- ZAP API enabled (for automation)
- Target application accessible from ZAP
- Optional: ZAP API key for secured access

## Capabilities

### 1. ZAP Installation and Configuration

Set up ZAP for security testing:

```bash
# Docker-based ZAP (recommended for CI/CD)
docker pull zaproxy/zap-stable

# Run ZAP in daemon mode
docker run -d --name zap -p 8080:8080 zaproxy/zap-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

# Verify ZAP is running
curl http://localhost:8080/JSON/core/view/version/
```

### 2. Spider Scanning

Crawl web applications to discover attack surface:

```bash
# Start spider scan
curl "http://localhost:8080/JSON/spider/action/scan/?url=https://target.example.com&recurse=true"

# Check spider status
curl "http://localhost:8080/JSON/spider/view/status/"

# Get spider results
curl "http://localhost:8080/JSON/spider/view/results/"
```

### 3. Active Scanning

Execute comprehensive vulnerability scans:

```bash
# Start active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.example.com&recurse=true&inScopeOnly=true"

# Check scan progress
curl "http://localhost:8080/JSON/ascan/view/status/"

# Get alerts
curl "http://localhost:8080/JSON/core/view/alerts/?baseurl=https://target.example.com"
```

### 4. API Security Scanning

Test APIs using OpenAPI/Swagger specifications:

```bash
# Import OpenAPI spec
curl "http://localhost:8080/JSON/openapi/action/importUrl/?url=https://api.example.com/openapi.json"

# Or import from file
curl "http://localhost:8080/JSON/openapi/action/importFile/?file=/path/to/openapi.json"

# Scan API endpoints
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://api.example.com"
```

### 5. Baseline Scanning (CI/CD)

Quick baseline scans for pipeline integration:

```bash
# Docker baseline scan
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t https://target.example.com \
  -g gen.conf \
  -r report.html

# API baseline scan
docker run -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -r api-report.html
```

### 6. Authentication Configuration

Handle authenticated scans:

```bash
# Form-based authentication
curl "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl=https://target.example.com/login&loginRequestData=username={%username%}%26password={%password%}"

# Set credentials
curl "http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=1&authCredentialsConfigParams=username=testuser&password=testpass"
```

### 7. Report Generation

Generate security reports:

```bash
# HTML report
curl "http://localhost:8080/OTHER/core/other/htmlreport/" > security-report.html

# JSON report
curl "http://localhost:8080/JSON/core/view/alerts/" > alerts.json

# XML report
curl "http://localhost:8080/OTHER/core/other/xmlreport/" > security-report.xml
```

## Alert Severity Levels

| Level | Risk | Description |
|-------|------|-------------|
| 3 | High | Critical vulnerabilities requiring immediate action |
| 2 | Medium | Significant issues to address before production |
| 1 | Low | Minor issues with limited impact |
| 0 | Informational | Best practice recommendations |

## OWASP Top 10 Coverage

| OWASP Category | ZAP Detection |
|----------------|---------------|
| A01:2021 - Broken Access Control | Active scan, authentication tests |
| A02:2021 - Cryptographic Failures | SSL/TLS checks, cookie flags |
| A03:2021 - Injection | SQL, XSS, Command injection tests |
| A04:2021 - Insecure Design | Business logic testing |
| A05:2021 - Security Misconfiguration | Header analysis, error handling |
| A06:2021 - Vulnerable Components | Technology fingerprinting |
| A07:2021 - Identification Failures | Session management, auth bypass |
| A08:2021 - Software/Data Integrity | CSP, SRI checks |
| A09:2021 - Logging Failures | Information disclosure |
| A10:2021 - SSRF | Server-side request testing |

## MCP Server Integration

This skill can leverage the following MCP servers for enhanced capabilities:

| Server | Description | Installation |
|--------|-------------|--------------|
| dtkmn/mcp-zap-server | Spring Boot OWASP ZAP MCP | [GitHub](https://github.com/dtkmn/mcp-zap-server) |
| ajtazer/ZAP-MCP | Python-based ZAP MCP | [GitHub](https://github.com/ajtazer/ZAP-MCP) |
| ZAP-MCP (mcp.so) | Model Context Protocol for ZAP | [mcp.so](https://mcp.so/server/ZAP-MCP) |

## Best Practices

1. **Scope definition** - Always define scan scope to avoid scanning unintended targets
2. **Authentication** - Configure authentication for comprehensive coverage
3. **Scan policies** - Use appropriate policies (Light, Medium, Heavy)
4. **Baseline first** - Run baseline scans in CI/CD, full scans periodically
5. **Alert triage** - Focus on High/Medium alerts first
6. **False positives** - Mark and document false positives
7. **Incremental testing** - Scan new/changed functionality first

## Process Integration

This skill integrates with the following processes:
- `security-testing.js` - All phases of security testing
- `api-testing.js` - API security validation
- `quality-gates.js` - Security gate enforcement
- `continuous-testing.js` - CI/CD security integration

## Output Format

When executing operations, provide structured output:

```json
{
  "operation": "active-scan",
  "target": "https://target.example.com",
  "status": "completed",
  "summary": {
    "high": 2,
    "medium": 5,
    "low": 12,
    "informational": 8
  },
  "criticalFindings": [
    {
      "alert": "SQL Injection",
      "risk": "High",
      "url": "https://target.example.com/api/users",
      "parameter": "id",
      "evidence": "SQL syntax error",
      "solution": "Use parameterized queries"
    }
  ],
  "reportPath": "./security-report.html"
}
```

## Error Handling

- Verify ZAP is running before operations
- Check API connectivity and authentication
- Handle timeout for long-running scans
- Provide fallback for unavailable features
- Log all security-critical operations

## Constraints

- Never scan production without explicit approval
- Respect rate limits and scan policies
- Do not store sensitive authentication data
- Follow responsible disclosure practices
- Document all security findings appropriately

Overview

This skill integrates OWASP ZAP into automated workflows for comprehensive web and API security testing. It automates spider and active scans, analyzes alerts, and generates reports suitable for development and CI/CD pipelines. The skill supports authenticated scans, OpenAPI import, configurable scan policies, and clear structured output for downstream processing.

How this skill works

It drives a running ZAP instance (desktop or Docker) through the ZAP API to perform spidering, active scanning, and OpenAPI-based API scans. After scans complete it collects alerts, summarizes severity counts, and emits structured findings and report files. The skill can be invoked from CI/CD jobs or orchestration scripts and respects configured contexts, authentication, and scan policies.

When to use it

  • Automate baseline security checks in CI/CD pipelines
  • Perform full vulnerability scans during release or pre-production testing
  • Scan APIs by importing OpenAPI/Swagger definitions
  • Run authenticated scans to validate access control and session handling
  • Generate report artifacts for compliance or triage
  • Integrate security gates into continuous testing workflows

Best practices

  • Define and limit scan scope to avoid unintended targets
  • Configure authentication and contexts for accurate coverage
  • Start with baseline scans in pipelines and schedule full scans periodically
  • Tune scan policies (Light/Medium/Heavy) to balance depth and runtime
  • Triage High/Medium alerts first and document false positives
  • Never scan production without explicit authorization and follow disclosure rules

Example use cases

  • CI job runs zap-baseline.py to produce an HTML report and fail the build on High alerts
  • Orchestrator imports OpenAPI spec and executes API active scan with authenticated context
  • Scheduled nightly spider + active scan against staging with results pushed to reporting dashboard
  • Pre-release full scan with custom policy to check OWASP Top 10 coverage and produce JSON findings
  • Automated triage script parses ZAP output and files tickets for critical vulnerabilities

FAQ

What prerequisites are required to use this skill?

A running OWASP ZAP instance (desktop or Docker) with API enabled, the target accessible from ZAP, and optionally a ZAP API key for secured access.

How are scan results delivered?

The skill returns structured JSON summarizing severity counts and critical findings and can generate HTML, JSON, or XML report files for archival or CI artifacts.