This skill runs an OWASP ZAP baseline scan via Docker, analyzes results by risk, and offers remediation guidance.
To add this skill to your agents:

```sh
npx playbooks add skill codyswanngt/lisa --skill security-zap-scan
```
---
name: security-zap-scan
description: "Run an OWASP ZAP baseline security scan locally using Docker. Checks for the ZAP baseline script, executes the scan, and summarizes findings by risk level with remediation recommendations."
allowed-tools: ["Bash", "Read"]
---
# OWASP ZAP Baseline Security Scan
Run a ZAP baseline security scan against the local application.
## Workflow
1. **Check prerequisites**:
   - Verify Docker is installed and running: `docker info`
   - Check if `scripts/zap-baseline.sh` exists in the project
2. **Execute scan**:
   - If the script exists, run: `bash scripts/zap-baseline.sh`
   - If the script does not exist, inform the user that this project does not have a ZAP baseline scan configured
3. **Analyze results**:
   - After the scan completes, read `zap-report.html` (or `zap-report.md` for text)
   - Summarize findings:
     - Total number of alerts by risk level (High, Medium, Low, Informational)
     - List each Medium+ finding with its rule ID, name, and recommended fix
     - Categorize findings as "infrastructure-level" (fix at CDN/proxy) vs "application-level" (fix in code)
4. **Handle failures**:
   - If the scan failed, explain what failed and suggest concrete remediation steps
## Execution
Run the scan now.
This skill runs an OWASP ZAP baseline security scan locally using Docker and the project's baseline script. It verifies prerequisites, executes the scan if one is configured, and produces a concise summary of findings by risk level with actionable remediation guidance. The goal is a quick, repeatable security check that highlights Medium+ issues and distinguishes infrastructure-level from application-level fixes.
The skill first confirms Docker is available and that the project includes a ZAP baseline script (`scripts/zap-baseline.sh`). If present, it runs the script, which drives ZAP inside Docker to perform the baseline scan against the local application. After the run, it parses the generated report (HTML or Markdown), counts alerts by risk level, extracts each Medium and High finding with its rule ID, name, and recommended fix, and classifies each issue as infrastructure-level or application-level. If execution fails, it captures the failure reason and suggests concrete next steps.
**What if Docker is not installed or running?**
The skill aborts the scan and explains how to install and start Docker, plus commands to verify the daemon (e.g., `docker info`).
**What reports are produced and how are they summarized?**
It reads `zap-report.html` or `zap-report.md`, counts alerts by risk (High/Medium/Low/Informational), lists Medium+ findings with rule IDs, and offers remediation recommendations and classification.
**How does it decide infrastructure-level vs application-level?**
Classification is based on the nature of the finding: configuration, headers, and CDN/proxy behavior map to infrastructure-level; code, input handling, and auth logic map to application-level.
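The workflow steps above (prerequisite check, scan execution, report triage) and the infrastructure-vs-application classification can be implemented as one script. The following is an added example, not code from the skill or from the `lisa` project. It assumes a markdown report whose "Alert Detail" section follows the layout of ZAP's traditional markdown report (the embedded `SAMPLE_REPORT` is a constructed sample, and its rule IDs are sample values), and the keyword lists used by `classify` are this example's own heuristic, not a ZAP taxonomy. Function names (`check_prerequisites`, `parse_markdown_report`, `summarize`) are this example's, not the skill's.

```python
"""Workflow helper for a ZAP baseline run: added example, not the skill's own code."""
import re
import shutil
import subprocess
import sys
from pathlib import Path

RISK_ORDER = ("High", "Medium", "Low", "Informational")
# Keyword heuristic (this example's assumption): header, transport and caching
# findings are fixed at the CDN/proxy; code, input and auth findings in the app.
INFRA_KEYWORDS = ("header", "content security policy", "strict-transport", "x-frame",
                  "x-content-type", "cache", "server leaks", "cookie")
APP_KEYWORDS = ("injection", "scripting", "authentication", "session", "path traversal",
                "csrf", "disclosure")

# Constructed sample mirroring the "Alert Detail" layout of ZAP's markdown report.
SAMPLE_REPORT = """## Alert Detail

### Content Security Policy (CSP) Header Not Set
##### Medium (High)
### Solution
Configure the web server, load balancer or CDN to send a Content-Security-Policy header.
#### Plugin Id: [10038](https://www.zaproxy.org/docs/alerts/10038/)
### Missing Anti-clickjacking Header
##### Medium (Medium)
### Solution
Send a Content-Security-Policy frame-ancestors directive or X-Frame-Options on every page.
#### Plugin Id: [10020](https://www.zaproxy.org/docs/alerts/10020/)
### Absence of Anti-CSRF Tokens
##### Low (Medium)
### Solution
Generate and verify per-request anti-CSRF tokens with a vetted framework feature.
#### Plugin Id: [10202](https://www.zaproxy.org/docs/alerts/10202/)
"""


def check_prerequisites(script_path="scripts/zap-baseline.sh"):
    """Step 1: return blocking problems (an empty list means ready to scan)."""
    problems = []
    if shutil.which("docker") is None:
        problems.append("Docker CLI not found on PATH; install Docker first")
    else:
        try:
            subprocess.run(["docker", "info"], check=True, capture_output=True, timeout=30)
        except (subprocess.CalledProcessError, subprocess.TimeoutExpired):
            problems.append("Docker daemon not reachable; start Docker and re-run `docker info`")
    if not Path(script_path).is_file():
        problems.append(f"{script_path} not found: no ZAP baseline scan is configured")
    return problems


def classify(name):
    """Step 3: guess where a finding is fixed from its alert name (heuristic)."""
    lowered = name.lower()
    if any(k in lowered for k in APP_KEYWORDS):
        return "application-level"
    if any(k in lowered for k in INFRA_KEYWORDS):
        return "infrastructure-level"
    return "unclassified"


def parse_markdown_report(text):
    """Step 3: extract name, risk, rule ID and fix for each alert in the detail section."""
    findings = []
    detail = text.split("## Alert Detail", 1)[-1]
    # Each alert starts with "### <name>" immediately followed by "##### <risk> (<confidence>)".
    for chunk in re.split(r"^### (?=[^\n]+\n##### )", detail, flags=re.M):
        lines = chunk.strip().splitlines()
        if len(lines) < 2 or not lines[1].startswith("##### "):
            continue
        plugin = re.search(r"Plugin Id: \[(\d+)\]", chunk)
        solution = re.search(r"^### Solution\n(.*?)(?=^#{3,5} |\Z)", chunk, re.S | re.M)
        findings.append({"name": lines[0].strip(), "risk": lines[1].split()[1],
                         "rule_id": plugin.group(1) if plugin else "unknown",
                         "fix": solution.group(1).strip() if solution else "",
                         "scope": classify(lines[0])})
    return findings


def count_by_risk(findings):
    """Alert totals per risk level, always listing all four levels."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for finding in findings:
        counts[finding["risk"]] = counts.get(finding["risk"], 0) + 1
    return counts


def summarize(text):
    """Render the step 3 summary: totals, then every Medium+ finding with its fix."""
    findings = parse_markdown_report(text)
    out = ["Alerts by risk: " + ", ".join(f"{r}={n}" for r, n in count_by_risk(findings).items())]
    for f in (x for x in findings if x["risk"] in ("High", "Medium")):
        out.append(f"[{f['risk']}] rule {f['rule_id']} {f['name']} ({f['scope']}): {f['fix']}")
    return "\n".join(out)


if __name__ == "__main__":
    if "--demo" in sys.argv:  # offline run over the constructed sample
        print(summarize(SAMPLE_REPORT))
        sys.exit(0)
    problems = check_prerequisites()
    if problems:
        sys.exit("Cannot run scan:\n - " + "\n - ".join(problems))
    # Step 2: zap-baseline exits non-zero when it records warnings, so judge
    # success by the report's presence rather than by the exit code alone.
    subprocess.run(["bash", "scripts/zap-baseline.sh"])
    report = Path("zap-report.md")
    if not report.is_file():
        sys.exit("Scan produced no zap-report.md; check the script output above")
    print(summarize(report.read_text()))
```

Run it with `--demo` to see the triage over the embedded sample without Docker; without the flag it performs the full workflow and, as step 4 asks, reports which prerequisite failed or that no report was written. The keyword classification is deliberately conservative: anything it cannot place is marked `unclassified` for a human to decide rather than silently filed under one bucket.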