Scan zap
scan zap - Dynamic Application Security Testing using OWASP ZAP
Perform Dynamic Application Security Testing (DAST) using OWASP ZAP.
This command performs black-box security testing of running web applications using OWASP ZAP via Docker. It detects common vulnerabilities like XSS, SQL injection, CSRF, and misconfigurations. Results are saved as timestamped evidence files with SHA256 integrity verification for audit compliance.
Note: Unlike other security commands, ZAP scans a running application URL rather than module files. The module argument is used for evidence file organization only.
Flags
| Flag | Description |
|---|---|
| --target | Target URL to scan (required) |
| --scan-type (default: baseline) | Scan type: baseline, full, or api |
| -d, --debug (default: false) | Enable debug logging |
Notes
Expected Output:
Evidence files are written to out/scan/
Examples
security zap src-api --target http://localhost:8080 # Baseline scan
security zap src-api --target http://localhost:8080 --scan-type full # Full scan
security zap src-api --target http://localhost:8080 --scan-type api # API scan
security zap src-api --target http://localhost:8080 --debug # Debug logging
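The scan-type mapping and the sealed evidence files described above, as an added shell example that is not the security CLI's own implementation: zap-baseline.py, zap-full-scan.py and zap-api-scan.py with -t and -J are ZAP's real Docker scripts and options, while the image tag, the evidence file naming under out/scan/ and the .sha256 sidecar layout are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the security CLI's own code): maps the three --scan-type
# values onto the scan scripts shipped in the ZAP Docker image, writes a
# timestamped evidence file, and seals it with a SHA256 sidecar that can be
# re-verified at audit time. Image tag, file naming and sidecar layout are assumptions.
set -euo pipefail

ZAP_IMAGE="ghcr.io/zaproxy/zaproxy:stable"   # assumed; pin a digest for reproducible evidence

# --scan-type value -> script inside the ZAP image
zap_script_for() {
  case "$1" in
    baseline) echo "zap-baseline.py" ;;
    full)     echo "zap-full-scan.py" ;;
    api)      echo "zap-api-scan.py" ;;
    *)        echo "unknown scan type: $1" >&2; return 1 ;;
  esac
}

# Evidence file name: <module>-zap-<scan-type>-<UTC timestamp>.json (assumed layout)
evidence_name() {
  printf '%s-zap-%s-%s.json' "$1" "$2" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Write a .sha256 sidecar beside the evidence file (sha256sum --check compatible format)
seal_evidence() {
  ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Non-zero exit if the evidence file no longer matches its sidecar
verify_evidence() {
  ( cd "$(dirname "$1")" && sha256sum --check --status "$(basename "$1").sha256" )
}

# Run the scan in Docker and seal its JSON report, e.g. run_zap src-api http://localhost:8080 full
run_zap() {
  local module="$1" target="$2" scan_type="${3:-baseline}"
  local script out extra=()
  script="$(zap_script_for "$scan_type")"
  # zap-api-scan.py also needs the API definition format; OpenAPI is assumed here
  if [ "$scan_type" = api ]; then extra=(-f openapi); fi
  mkdir -p out/scan
  out="$(evidence_name "$module" "$scan_type")"
  # /zap/wrk is bind-mounted to out/scan, so -J lands the report there. The scripts exit
  # non-zero when alerts are found, which must not stop the evidence from being sealed.
  docker run --rm -v "$PWD/out/scan:/zap/wrk:rw" "$ZAP_IMAGE" \
    "$script" -t "$target" -J "$out" ${extra[@]+"${extra[@]}"} || true
  seal_evidence "out/scan/$out"
}
```

Re-running verify_evidence on a file from out/scan/ at audit time is what turns the sidecar into an integrity check; a modified report fails with a non-zero exit.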
See Also
- scan - Main scan command with --scanner flag
- scan Commands Category