Why OWASP ZAP?
OWASP ZAP (Zed Attack Proxy) is one of the most popular open-source tools for web application security testing.
It’s a perfect fit for a DevSecOps workflow because it can be used for:
- Automated scanning in the CI/CD pipeline
- Manual security testing via GUI/Web UI
- Baseline scan to check for common vulnerabilities
Running ZAP in Docker
To avoid the hassle of manual installation, we’ll use the Docker container version.
Pull the latest image
The old repository owasp/zap2docker-stable is deprecated; use the new one instead:
docker pull ghcr.io/zaproxy/zaproxy:stable
If successful, the output will include multiple Pull complete lines.
Running ZAP with Web UI
We can run ZAP through WebSwing so the desktop UI is accessible directly from the browser:
docker run -u zap -p 8080:8080 ghcr.io/zaproxy/zaproxy:stable zap-webswing.sh
ZAP will be available at http://localhost:8080.
CLI Mode for Automation
If you want to integrate it into your CI/CD pipeline, the CLI baseline scan is usually enough:
docker run -u zap ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t https://targetwebsite.com
The scan results can be exported as an HTML or XML report.
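As an added example (not part of the original post), here is a small CI gate that reads the XML report zap-baseline.py writes with -x report.xml (run the container with -v $(pwd):/zap/wrk/:rw so the file lands in your checkout) and fails the stage when Medium or High alerts remain. It assumes the element names of ZAP's XML report (OWASPZAPReport / site / alerts / alertitem with riskcode 0..3) and uses a constructed sample report rather than real scan output.

```python
import sys
import xml.etree.ElementTree as ET

# ZAP risk codes used in the report: 0 = Informational, 1 = Low, 2 = Medium, 3 = High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the layout of a ZAP XML report (not real scan output).
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.14.0" generated="constructed">
 <site name="https://targetwebsite.com" host="targetwebsite.com" port="443" ssl="true">
  <alerts>
   <alertitem><pluginid>10038</pluginid><alert>Content Security Policy (CSP) Header Not Set</alert>
    <riskcode>2</riskcode><confidence>3</confidence>
    <instances><instance><uri>https://targetwebsite.com/</uri><method>GET</method></instance></instances>
   </alertitem>
   <alertitem><pluginid>10015</pluginid><alert>Re-examine Cache-control Directives</alert>
    <riskcode>0</riskcode><confidence>1</confidence>
    <instances><instance><uri>https://targetwebsite.com/login</uri><method>GET</method></instance></instances>
   </alertitem>
  </alerts>
 </site>
</OWASPZAPReport>
"""

def parse_alerts(xml_text):
    """Return (riskcode, alert name, pluginid, [uris]) for every alertitem in a ZAP XML report."""
    alerts = []
    for item in ET.fromstring(xml_text).iter("alertitem"):
        risk = int(item.findtext("riskcode", default="0"))
        uris = [i.findtext("uri", default="") for i in item.iter("instance")]
        alerts.append((risk, item.findtext("alert", default="?"),
                       item.findtext("pluginid", default="?"), uris))
    return alerts

def blocking_alerts(alerts, min_risk=2, accepted_plugins=()):
    """Alerts at or above min_risk whose plugin id is not on the accepted-risk list.
    A non-empty result means the pipeline stage should fail."""
    return [a for a in alerts if a[0] >= min_risk and a[2] not in accepted_plugins]

def main(path=None, min_risk=2):
    """Exit status for CI: 0 when nothing blocks the build, 1 otherwise."""
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    alerts = parse_alerts(xml_text)
    for risk, name, plugin, uris in sorted(alerts, reverse=True):
        print(f"[{RISK_NAMES.get(risk, risk)}] {plugin} {name}: {len(uris)} instance(s)")
    return 1 if blocking_alerts(alerts, min_risk) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Pass the report path as the first argument in the pipeline step (`python zap_gate.py report.xml`); accepted_plugins lets you whitelist a plugin id that has been risk-accepted rather than silencing the whole rule in ZAP.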
Important Tips
- Make sure port 8080 is not being used by another application.
- If your internet connection is unstable, Docker will resume layer downloads, so you don’t have to start from scratch.
- Use a baseline scan in early development, and a full scan before production release.
Official Resources
Conclusion
Integrating OWASP ZAP into your DevSecOps workflow will improve application security without slowing down development.
With Docker, setup is super fast, letting you focus directly on testing.