OWASP ZAP Scanner Guide: Installation, Spidering, Active Scan, and CI/CD Integration
OWASP ZAP (Zed Attack Proxy) is the world's most widely used open-source web application security scanner, maintained by the Open Web Application Security Project. Whether you are a developer running security checks locally or a DevSecOps engineer integrating automated scanning into a pipeline, ZAP offers a flexible, powerful, and free solution.
ZeriFlow Data (12,400+ sites analyzed): In ZeriFlow's corpus of 12,400+ scanned sites, 72% score below 70/100 on security. Only 7% achieve a score above 85, a threshold that corresponds to passing all OWASP-aligned header and configuration checks.
This guide walks through everything: installation, configuring the spider, running active scans, interpreting results, and integrating ZAP into CI/CD pipelines. We will also compare ZAP with ZeriFlow to help you understand which tool fits which use case.
Start with a baseline: Before configuring ZAP, run a free ZeriFlow scan on your target URL. ZeriFlow's 80+ automated checks will surface header and configuration issues instantly — giving ZAP more focused scope.
What Is OWASP ZAP and Who Is It For?
OWASP ZAP is an intercepting proxy and active vulnerability scanner. It can:
- Act as a man-in-the-middle proxy between your browser and the target application.
- Automatically spider (crawl) web applications to discover all endpoints.
- Run active scans to detect vulnerabilities like XSS, SQLi, path traversal, and CSRF.
- Generate detailed reports in HTML, XML, JSON, and Markdown.
- Run headlessly via Docker for CI/CD automation.
ZAP is ideal for:
- Developers who want to shift security left without buying commercial tools.
- QA engineers adding security tests to existing test suites.
- DevSecOps teams integrating DAST into pipelines.
Installing OWASP ZAP
Desktop Installation
Download ZAP from zaproxy.org/download. Packages are available for:
- Windows (installer)
- macOS (DMG)
- Linux (snap, or portable ZIP)
ZAP requires Java 11+, though the packaged installers include a bundled JRE.
Docker Installation (Recommended for CI/CD)
```bash
docker pull ghcr.io/zaproxy/zaproxy:stable
```
The Docker image is the preferred way to run ZAP in automated environments — no GUI required, easy to pin to a version.
Core ZAP Concepts
The Spider
ZAP's spider crawls your application to discover all URLs. It works by:
1. Starting from a seed URL.
2. Parsing HTML, JavaScript, and forms to find links.
3. Adding discovered URLs to the scan scope.
The Ajax Spider is a second crawler that launches a real browser (via Selenium) to handle JavaScript-heavy SPAs that the traditional spider misses.
The Active Scanner
After spidering, ZAP's active scanner sends crafted payloads to every discovered endpoint, testing for:
- SQL injection
- Cross-site scripting (XSS)
- Path traversal
- Server-side template injection
- Insecure redirects
- And dozens more vulnerabilities from the OWASP Top 10.
Passive Scanning
ZAP passively analyzes all traffic passing through its proxy, flagging issues without sending additional requests. This is safe to run against production environments.
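The spider, passive scanner and active scanner described above are also exposed through ZAP's API, and the order in which a pipeline drives them matters: passive rules run on recorded traffic, so the passive queue should drain before alerts are read, and the active scan should only be switched on against a test environment. The script below is an added example, not code from the ZAP project or from this guide. It assumes a ZAP instance listening on localhost:8080 with the API enabled and an API key, and the `zapv2` client from the python-owasp-zap-v2.4 package; the `FakeZap` class is a constructed stand-in so the workflow can be exercised offline.

```python
"""Drive ZAP's spider, passive scanner and active scanner through its API.

Added example, not code from the ZAP project or the article. It assumes a
ZAP instance on localhost:8080 with the API enabled plus an API key, and
the `zapv2` client (pip package python-owasp-zap-v2.4). run_scan() accepts
any object exposing the same method names, so FakeZap (constructed, below)
lets the workflow run without a live ZAP.
"""
import sys
import time


def wait_for(status_fn, scan_id, poll=2.0, sleep=time.sleep):
    """Poll a ZAP status endpoint; it returns percent complete as a string."""
    while int(status_fn(scan_id)) < 100:
        sleep(poll)


def wait_passive(zap, poll=2.0, sleep=time.sleep):
    """Passive rules run on recorded traffic: wait until the queue is empty."""
    while int(zap.pscan.records_to_scan) > 0:
        sleep(poll)


def run_scan(zap, target, active=False, poll=2.0, sleep=time.sleep):
    """Spider the target, let passive scanning finish, optionally active scan.

    Returns the alerts ZAP raised for the target (list of dicts with the
    API's field names, e.g. 'alert', 'risk', 'confidence', 'url').
    """
    zap.urlopen(target)                          # seed the site tree
    spider_id = zap.spider.scan(target)          # traditional spider
    wait_for(zap.spider.status, spider_id, poll, sleep)
    wait_passive(zap, poll, sleep)               # passive findings on crawled traffic
    if active:                                   # staging/test environments only
        ascan_id = zap.ascan.scan(target)
        wait_for(zap.ascan.status, ascan_id, poll, sleep)
    return zap.core.alerts(baseurl=target)


# ---- constructed offline stand-in for the ZAPv2 client -------------------
class _FakeScanner:
    """Mimics spider/ascan: scan() returns an id, status() reaches 100 on 2nd poll."""
    def __init__(self, store, produces):
        self.store, self.produces, self.ticks = store, produces, 0

    def scan(self, url):
        self.ticks = 0
        self.store.extend(dict(a, url=url) for a in self.produces)
        return "1"

    def status(self, scan_id):
        self.ticks += 1
        return "100" if self.ticks >= 2 else "50"


class _FakePscan:
    def __init__(self):
        self.records_to_scan = "0"       # nothing queued in the fake


class _FakeCore:
    def __init__(self, store):
        self.store = store

    def alerts(self, baseurl=None):
        return [a for a in self.store if baseurl is None or a["url"].startswith(baseurl)]


class FakeZap:
    """Constructed stand-in for ZAPv2; alert names are sample values."""
    def __init__(self):
        store = []
        # crawled traffic yields a passive finding; the active scan adds an active one
        self.spider = _FakeScanner(store, [{"alert": "X-Content-Type-Options Header Missing",
                                            "risk": "Low", "confidence": "Medium"}])
        self.ascan = _FakeScanner(store, [{"alert": "Cross Site Scripting (Reflected)",
                                           "risk": "High", "confidence": "Medium"}])
        self.pscan = _FakePscan()
        self.core = _FakeCore(store)

    def urlopen(self, url):
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:                        # real ZAP: python script.py https://staging.example
        from zapv2 import ZAPv2
        zap, target, poll = ZAPv2(apikey="changeme",   # placeholder key
                                  proxies={"http": "http://localhost:8080",
                                           "https": "http://localhost:8080"}), sys.argv[1], 2.0
    else:                                        # offline demo with the fake client
        zap, target, poll = FakeZap(), "http://staging.example", 0
    for a in run_scan(zap, target, active=True, poll=poll):
        print(f"{a['risk']:>6} ({a['confidence']}) {a['alert']} {a['url']}")
```

Run it with a target URL to drive a real ZAP instance, or with no arguments to see the spider, passive and active stages in sequence against the fake client. The passive-queue wait is the step most ad-hoc scripts omit, which is why alerts read immediately after the spider finishes often look incomplete.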
Running Your First ZAP Scan
GUI Quick Start
1. Launch ZAP and select 'Automated Scan' from the Quick Start tab.
2. Enter your target URL.
3. Click 'Attack' — ZAP will spider and then actively scan.
4. Review findings in the Alerts tab.
CLI Scan via Docker
```bash
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t https://your-target.com -r zap-report.html
```
ZAP provides three built-in scan scripts:
- zap-baseline.py — Passive scan only, safe for production.
- zap-full-scan.py — Full active scan, not safe for production.
- zap-api-scan.py — Scan REST/GraphQL APIs using an OpenAPI spec.
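Two details of these scripts trip up first-time pipeline authors: the scripts write their reports under /zap/wrk/ inside the container, so the host working directory has to be mounted there or the report never leaves the container, and the scripts signal the outcome through their exit code (0 no failures, 1 at least one FAIL, 2 WARN only, 3 any other error). The wrapper below is an added example, not part of the ZAP project or of this guide; it builds the docker command, renders the tab-separated rule file consumed by `-c` (generate a starting point with `-g`), and maps the exit code to a build decision. The image tag and script names are the ones used in this guide.

```python
"""Wrap zap-baseline.py / zap-full-scan.py / zap-api-scan.py for a pipeline step.

Added example, not code from the ZAP project or the article. Assumes Docker
is installed and the image tag used in the guide. The exit codes are the
ones the scripts document (0 pass, 1 FAIL, 2 WARN only, 3 other error).
"""
import os
import subprocess
import sys

IMAGE = "ghcr.io/zaproxy/zaproxy:stable"
SCRIPTS = {"baseline": "zap-baseline.py", "full": "zap-full-scan.py", "api": "zap-api-scan.py"}
EXIT_MEANING = {0: "PASS", 1: "FAIL", 2: "WARN", 3: "ERROR"}


def build_rules_config(actions):
    """Render the rule file read by `-c`: one `<rule id>\t<ACTION>\t(<name>)` per line.

    `actions` maps a scan rule id to IGNORE, WARN or FAIL; lines starting
    with '#' are comments. The third column is informational only.
    """
    lines = ["# ZAP rule configuration (generated by build_rules_config)"]
    for rule_id, action in sorted(actions.items()):
        if action not in ("IGNORE", "WARN", "FAIL"):
            raise ValueError(f"unknown action {action!r} for rule {rule_id}")
        lines.append(f"{rule_id}\t{action}\t(rule {rule_id})")
    return "\n".join(lines) + "\n"


def build_command(target, mode="baseline", workdir=None, json_report="zap-report.json",
                  html_report="zap-report.html", rules_file=None, extra=()):
    """Compose the docker argv for one of the three scan scripts.

    For mode "api", `target` is the OpenAPI spec URL or file and `extra`
    should carry the format switch (e.g. ("-f", "openapi")). The host
    working directory is mounted at /zap/wrk/ so reports reach the host.
    """
    if mode not in SCRIPTS:
        raise ValueError(f"mode must be one of {sorted(SCRIPTS)}")
    workdir = workdir or os.getcwd()
    argv = ["docker", "run", "--rm", "-v", f"{workdir}:/zap/wrk/:rw", "-t", IMAGE,
            SCRIPTS[mode], "-t", target, "-J", json_report, "-r", html_report]
    if rules_file:
        argv += ["-c", rules_file]          # path relative to /zap/wrk/
    argv += list(extra)
    return argv


def interpret_exit_code(code, fail_on_warn=False):
    """Map the script's exit status to (label, should_fail_build)."""
    label = EXIT_MEANING.get(code, "UNKNOWN")
    fail = label in ("FAIL", "ERROR", "UNKNOWN") or (fail_on_warn and label == "WARN")
    return label, fail


def run_scan(target, mode="baseline", fail_on_warn=False, **kwargs):
    """Run the scan, echo the command, and return (label, should_fail_build)."""
    argv = build_command(target, mode, **kwargs)
    print(" ".join(argv))
    proc = subprocess.run(argv)
    return interpret_exit_code(proc.returncode, fail_on_warn)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "https://your-staging-url.example"  # placeholder
    label, fail = run_scan(url)
    print(f"ZAP baseline result: {label}")
    sys.exit(1 if fail else 0)
```

Passing `fail_on_warn=True` turns the script's WARN status into a failing step, which is the behaviour you get from the raw exit code 2 if you let the shell propagate it; leaving it off matches the guide's advice to keep PR scans from being blocked by warnings.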
Integrating OWASP ZAP into CI/CD Pipelines
GitHub Actions Example
```yaml
name: ZAP Security Scan
on: [push]
jobs:
  zap_scan:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.10.0
        with:
          target: 'https://your-staging-url.com'
          fail_action: true
          issue_title: 'ZAP Security Findings'
```
The zaproxy/action-baseline GitHub Action runs a passive scan and can optionally open a GitHub Issue with findings.
GitLab CI Example
```yaml
zap_scan:
  image: ghcr.io/zaproxy/zaproxy:stable
  script:
    - zap-baseline.py -t $STAGING_URL -r gl-dast-report.html
  artifacts:
    paths:
      - gl-dast-report.html
```
Best Practices for CI/CD Integration
- Run baseline (passive) scans on every PR — safe, fast, no false-positive-heavy results.
- Run active scans on staging only — never against production; active scans modify state.
- Use authentication scripts — ZAP supports scripted login flows so it can scan authenticated pages.
- Set alert thresholds — Configure fail_action to break the build only on High severity findings.
Interpreting ZAP Results
ZAP categorizes alerts by confidence and risk:
| Risk | Meaning |
|---|---|
| High | Likely exploitable, immediate attention needed |
| Medium | Should be fixed; may be exploitable under certain conditions |
| Low | Best practice issues, hardening recommendations |
| Informational | Notes about the application, not vulnerabilities |
Confidence (False Positive, Low, Medium, High, Confirmed) tells you how certain ZAP is about each finding. Start with High Risk / High Confidence findings.
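The risk and confidence levels above are what a pipeline gate should key on, and the alert-threshold best practice earlier in this guide comes down to the same decision: fail the build on High risk findings that ZAP is reasonably confident about, and never on alerts already marked False Positive. The script below is an added example, not code from the ZAP project or this guide. It reads the JSON report the scan scripts write with `-J` (the traditional layout of a `site` array whose entries carry an `alerts` array, each alert with `riskcode` 0 to 3 and `confidence` 0 to 4), and the embedded sample report is constructed for the example; its plugin ids and alert names are sample values.

```python
"""Gate a pipeline on ZAP findings by risk and confidence.

Added example, not code from the ZAP project or the article. Reads the
JSON report produced with -J and fails only for alerts meeting BOTH a risk
and a confidence threshold; confidence 0 ("False Positive") never fails.
SAMPLE_REPORT below is constructed; its plugin ids and names are samples.
"""
import json
import sys

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}

SAMPLE_REPORT = json.dumps({
    "@version": "sample", "@generated": "constructed",
    "site": [{
        "@name": "https://staging.example",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "confidence": "2",
             "riskdesc": "High (Medium)",
             "instances": [{"uri": "https://staging.example/search?q=a", "method": "GET", "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "instances": [{"uri": "https://staging.example/", "method": "GET", "param": ""}]},
            {"pluginid": "99999", "alert": "Sample Alert Triaged As False Positive",
             "riskcode": "3", "confidence": "0", "riskdesc": "High (False Positive)",
             "instances": [{"uri": "https://staging.example/err", "method": "GET", "param": ""}]},
        ],
    }],
})


def load_alerts(report_text):
    """Flatten site[].alerts[] into dicts with integer risk/confidence."""
    report = json.loads(report_text)
    alerts = []
    for site in report.get("site", []):
        for a in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "name": a.get("alert") or a.get("name", ""),
                "pluginid": a.get("pluginid", ""),
                "risk": int(a.get("riskcode", 0)),
                "confidence": int(a.get("confidence", 0)),
                "instances": len(a.get("instances", [])),
            })
    return alerts


def gate(alerts, min_risk=3, min_confidence=2):
    """Return the alerts that should break the build.

    Defaults: High risk at Medium confidence or better. Confidence 0 means
    the alert was marked a false positive and is never blocking.
    """
    return [a for a in alerts
            if a["confidence"] > 0
            and a["risk"] >= min_risk
            and a["confidence"] >= min_confidence]


def summarize(alerts):
    """Count alerts per "Risk (Confidence)" label, the same labels ZAP prints."""
    counts = {}
    for a in alerts:
        key = f"{RISK[a['risk']]} ({CONFIDENCE[a['confidence']]})"
        counts[key] = counts.get(key, 0) + 1
    return counts


def main(path=None):
    """Print a triage summary and return the exit status for the pipeline."""
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    alerts = load_alerts(text)
    for label, n in sorted(summarize(alerts).items()):
        print(f"{n:3d}  {label}")
    blocking = gate(alerts)
    for a in blocking:
        print(f"BLOCKING: [{a['pluginid']}] {a['name']} x{a['instances']} on {a['site']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python zap_gate.py zap-report.json` after the scan step; with no argument it evaluates the constructed sample, where only the High (Medium) SQL injection alert blocks and the High alert already marked False Positive is ignored. Lowering `min_risk` to 2 is the usual next step once the High findings are under control.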
Common ZAP Configuration Tips
- Context and authentication: Define a context for your app and add an authentication method (form-based, HTTP Basic, script-based) so ZAP can scan behind login pages.
- Scope: Set the scope carefully so ZAP does not spider third-party domains linked from your app.
- Scan policy: Tune the active scan policy to enable/disable specific test categories. Disable denial-of-service tests in most environments.
- Ajax Spider for SPAs: Always use the Ajax Spider for React, Angular, or Vue applications — the traditional spider misses dynamically loaded content.
FAQ
Q: Is OWASP ZAP safe to run against production?
A: The passive scan (baseline) is safe — it only observes traffic and does not send attack payloads. The active scan sends crafted inputs and can modify data, so it should only be run against staging or test environments with explicit authorization.
Q: How is ZAP different from ZeriFlow?
A: ZAP is a full DAST scanner requiring setup, configuration, and authentication scripting for complex apps. ZeriFlow is a configuration-focused scanner that runs 80+ checks (headers, TLS, exposed paths) in seconds with zero setup. ZeriFlow is ideal for fast feedback in development; ZAP is better for comprehensive automated testing in a dedicated security pipeline.
Q: Can ZAP scan REST APIs?
A: Yes. Use zap-api-scan.py with an OpenAPI/Swagger specification file. ZAP will discover all API endpoints from the spec and test them systematically.
Q: How long does a ZAP active scan take?
A: It depends on the number of endpoints and the scan policy. A small app with 50 pages might take 10-20 minutes. A large application with hundreds of pages and parameters can take several hours. Running scans in parallel and limiting scope helps reduce time.
Q: What authentication methods does ZAP support?
A: ZAP supports form-based authentication, HTTP Basic/Digest, OAuth 2.0 token injection, and custom script-based authentication. For modern apps using JWT or OAuth, script-based auth gives you full flexibility.
OWASP ZAP vs. ZeriFlow: Which Should You Use?
| Feature | OWASP ZAP | ZeriFlow |
|---|---|---|
| Setup time | 30+ minutes | 0 (browser-based) |
| Active vulnerability scanning | Yes | No |
| Security headers | Yes | Yes (80+ checks) |
| TLS misconfiguration | Yes | Yes (automated) |
| Authenticated scanning | Yes (scripted) | N/A |
| CI/CD integration | Full Docker/GitHub Actions | Lightweight API |
| False positive rate | Medium | Low |
| Ideal for | Security engineers, DevSecOps | Developers, fast feedback |
The ideal stack uses both: ZeriFlow for continuous lightweight checks on every deploy, ZAP for deeper scanning in a dedicated security pipeline stage.
Conclusion: ZAP Is a Powerful Free DAST Tool
OWASP ZAP has earned its reputation as the go-to open-source DAST scanner. With proper configuration, it can scan complex authenticated applications, integrate into any CI/CD pipeline, and surface real vulnerabilities before attackers find them.
Start with the baseline scan in your pipeline today. Add authenticated scanning as your team matures. And pair ZAP with ZeriFlow for the fast, configuration-level checks that need zero setup — so your ZAP scans can focus on the deeper application-layer vulnerabilities that matter.