OWASP ZAP automation runs dynamic application security tests automatically against running web apps. Instead of manually clicking through the ZAP UI, automation integrates ZAP into CI/CD pipelines, headless scans, authenticated testing, spidering, API scanning, and reporting. Automated ZAP ensures every deployment is dynamically tested before going live.
Understanding OWASP ZAP Automation
ZAP automation performs:
• crawling and spidering
• passive scanning
• active vulnerability scanning
• authenticated sessions
• API testing
• AJAX crawling
• headless execution
• reporting in HTML/JSON/XML
Automating ZAP turns DAST into a continuous process rather than an occasional manual task.
Automation ensures each build is tested for XSS, SQL injection, IDOR, insecure cookies, CSRF, SSRF, and more.
Why Automate ZAP
Manual DAST is slow and inconsistent. Automation:
• runs scans on every commit
• enforces security gates
• detects regressions
• eliminates human error
• integrates into DevSecOps pipelines
• keeps testing repeatable and predictable
ZAP is ideal for CI/CD-driven security.
ZAP Automation Methods
ZAP CLI
Command-line interface for running headless scans.
ZAP Docker
Prepackaged ZAP instance for pipelines.
ZAP Automation Framework (.yaml scripts)
Define scans through automation YAML.
ZAP API
Trigger and control ZAP programmatically.
ZAP GitHub Actions
Run ZAP directly in GitHub workflows.
ZAP Jenkins Plugin
Integrate ZAP with Jenkins jobs.
Automation uses one or more of these methods.
Installing OWASP ZAP for Automation
ZAP Docker Image
docker pull zaproxy/zap-stable
ZAP CLI
pip install python-owasp-zap-v2.4
ZAP Automation Framework Template
zap.sh -autogenmin automation.yaml
Generates a minimal YAML template (-autogenmax writes one with every option listed).
ZAP Automation Framework (Most Powerful Method)
Example automation file (automation.yaml). The context defines the target, its login and a user; the jobs then run under that user and write the report:
env:
  contexts:
    - name: my-app
      urls:
        - https://target.com
      includePaths:
        - https://target.com/.*
      authentication:
        method: form
        parameters:
          loginPageUrl: https://target.com/login
          loginRequestUrl: https://target.com/login
          # {%username%} and {%password%} are filled from the users entry below
          loginRequestBody: username={%username%}&password={%password%}
      users:
        - name: admin
          credentials:
            username: admin
            password: admin123
jobs:
  - type: spider
    parameters:
      context: my-app
      user: admin
  - type: activeScan
    parameters:
      context: my-app
      user: admin
  - type: report
    parameters:
      template: traditional-html
      reportDir: /tmp/zap
      reportFile: report.html
Run:
zap.sh -cmd -autorun automation.yaml
ZAP runs in headless mode with full automation.
ZAP CLI Automation (Simple Method)
Launch the headless daemon (the API key must match the one the client sends):
zap.sh -daemon -port 8080 -config api.key=changeme
Use the Python ZAP API (python-owasp-zap-v2.4), waiting for the spider to finish before starting the active scan:
import time
from zapv2 import ZAPv2
zap = ZAPv2(apikey="changeme", proxies={"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"})
target = "http://target.com"
zap.urlopen(target)
scan_id = zap.spider.scan(target)
while int(zap.spider.status(scan_id)) < 100:  # crawl must finish before attacking
    time.sleep(2)
scan_id = zap.ascan.scan(target)
while int(zap.ascan.status(scan_id)) < 100:  # active scan still running
    time.sleep(5)
print(zap.core.alerts(baseurl=target))
ZAP Docker Automation (Best for CI/CD)
Run spider + active scan:
docker run -t -v "$(pwd)":/zap/wrk/:rw zaproxy/zap-stable zap-baseline.py \
  -t https://target.com \
  -r zapreport.html
Run full scan:
docker run -t -v "$(pwd)":/zap/wrk/:rw zaproxy/zap-stable zap-full-scan.py \
  -t https://target.com \
  -r fullreport.html
These scripts automate ZAP end-to-end.
ZAP in CI/CD (GitHub Actions Example)
jobs:
  zap-scan:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: https://target.com
ZAP blocks merges on high severity issues if configured.
Authentication in ZAP Automation
Automation supports:
• form-based auth
• JSON/REST login
• bearer tokens
• session cookies
• header authentication
Authenticated scans uncover deeper vulnerabilities.
Example automation YAML:
authentication:
  method: json
  parameters:
    loginPageUrl: https://target.com/api/login
    loginRequestUrl: https://target.com/api/login
    # placeholders are filled from the context's users entry, so no credentials sit in the job file
    loginRequestBody: '{"username":"{%username%}","password":"{%password%}"}'
ZAP API Scanning for Microservices
Use:
zap-api-scan.py -t openapi.json -f openapi -r report.html
Automatically tests REST APIs from OpenAPI spec.
ZAP AJAX Spider
For JS-heavy apps, add an ajaxSpider job to the automation file:
jobs:
  - type: ajaxSpider
    parameters:
      context: my-app
and run it as before:
zap.sh -cmd -autorun automation.yaml
Crawls dynamic frontends like React and Angular.
ZAP Reporting
Automation generates:
• html reports
• json reports
• xml reports
• markdown reports
Reports integrate with:
• CI dashboards
• Jira
• SIEM
• Slack
Example (report job in the automation file):
- type: report
  parameters:
    template: traditional-json
    reportDir: /tmp/zap
    reportFile: results.json
Full-Length Practical Section
Hands-on practicals to master ZAP automation.
Practical 1: Run ZAP Headless Scan With Docker
docker run -t -v "$(pwd)":/zap/wrk/:rw zaproxy/zap-stable zap-baseline.py \
  -t https://vulnerable-app.com \
  -r baseline.html
Spiders the target briefly and reports passive-scan findings only; no active attacks are sent.
Practical 2: Run Full Active Scan
docker run -t -v "$(pwd)":/zap/wrk/:rw zaproxy/zap-stable zap-full-scan.py \
  -t https://vulnerable-app.com \
  -r fullscan.html
Crawls and actively attacks endpoints.
Practical 3: Build Custom Automation YAML
zap.sh -autogenmin auto.yaml
Modify to include:
• spider
• ajax spider
• active scan
• reporting
Run:
zap.sh -cmd -autorun auto.yaml
Practical 4: Automate JSON Auth Login
Add JSON auth to YAML and test authenticated scan.
Practical 5: Spider Application Automatically
scan_id = zap.spider.scan("https://target.com")
Poll zap.spider.status(scan_id) until it reaches 100 before starting the active scan.
Practical 6: Active Scan Specific URL
zap.ascan.scan("https://target.com/admin")
Focus on sensitive areas.
Practical 7: AJAX Spider for SPA Apps
Enable AJAX spider for dynamic JavaScript pages.
Practical 8: Run ZAP in Docker Compose
Compose file:
services:
  zap:
    image: zaproxy/zap-stable
    command: zap-full-scan.py -t http://app:3000
    depends_on:
      - app
Integrate into local builds.
Practical 9: ZAP in GitHub Actions
Set severity thresholds.
Fail pipeline on medium/high issues.
Practical 10: ZAP in GitLab CI
zap_scan:
  image: zaproxy/zap-stable
  script:
    - zap-baseline.py -t https://app -r zap.html
Practical 11: ZAP Python Scripting
Use Python API to create flexible scans using loops and logic.
Practical 12: Generate OpenAPI File and Run API Scan
Export API spec and run:
zap-api-scan.py -t openapi.yaml
Practical 13: Enable Passive Scan Only
Quick validation:
zap-baseline.py -t https://app.com
Practical 14: Integrate ZAP With Jenkins
Configure build step:
zap-full-scan.py
Publish reports.
Practical 15: Setup ZAP Session Persistence
Save the session at the end of a run:
zap.core.save_session("session", overwrite=True)
Load it at the start of the next run so the site tree and alerts carry over:
zap.core.load_session("session")
Practical 16: Attack Specific Authentication Flow
Scripted login using Python script, then run active scan.
Practical 17: Customize Attack Policy
Enable only:
• XSS
• SQLi
• directory traversal
Disable low-risk checks.
Practical 18: Use Contexts for Authenticated Users
Define contexts in YAML.
Run attack under authenticated session.
Practical 19: Parse ZAP Alerts With Python
Automatically collect issues and export to JIRA.
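An added example (not code from the original page) serving Practical 19 and the severity gate of Practical 9: it flattens a ZAP traditional-json report, counts distinct alert types per risk level, applies a fail-on threshold, and shapes a finding as a Jira create-issue body. SAMPLE_REPORT is a constructed report with made-up findings; the Jira project key "SEC" is a placeholder.

```python
import json

# Added example, not from the original page. SAMPLE_REPORT is a constructed file
# in the shape of ZAP's traditional-json report (real key names, made-up findings).
SAMPLE_REPORT = json.dumps({"@version": "2.14.0", "site": [{
    "@name": "https://app.example",
    "alerts": [
        {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "cweid": "89",
         "riskdesc": "High (Medium)",
         "instances": [{"uri": "https://app.example/search?q=1", "method": "GET", "param": "q"}]},
        {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag", "riskcode": "1", "cweid": "1004",
         "riskdesc": "Low (Medium)",
         "instances": [{"uri": "https://app.example/", "method": "GET", "param": "session"},
                       {"uri": "https://app.example/login", "method": "GET", "param": "session"}]}]}]})

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_LEVELS = {name: code for code, name in RISK_NAMES.items()}

def load_alerts(report_text):
    """Flatten the report into one row per (alert, instance) pair."""
    rows = []
    for site in json.loads(report_text)["site"]:
        for alert in site["alerts"]:
            for inst in alert.get("instances", []):
                rows.append({"site": site["@name"], "plugin": alert["pluginid"],
                             "name": alert["alert"], "risk": int(alert["riskcode"]),
                             "cwe": alert.get("cweid"), "uri": inst.get("uri"),
                             "param": inst.get("param")})
    return rows

def summarize(rows):
    """Count distinct alert types per risk name (many instances of one alert count once)."""
    counts, seen = {}, set()
    for r in rows:
        if r["plugin"] not in seen:
            seen.add(r["plugin"])
            counts[RISK_NAMES[r["risk"]]] = counts.get(RISK_NAMES[r["risk"]], 0) + 1
    return counts

def gate(rows, fail_on="Medium"):
    """CI security gate: rows at or above the threshold; an empty list means pass."""
    return [r for r in rows if r["risk"] >= RISK_LEVELS[fail_on]]

def jira_issue(row, project="SEC"):
    """Shape one finding as the body of Jira's create-issue call (POST /rest/api/2/issue)."""
    return {"fields": {"project": {"key": project}, "issuetype": {"name": "Bug"},
                       "summary": f"[ZAP] {row['name']} at {row['uri']}",
                       "labels": ["dast", f"cwe-{row['cwe']}"],
                       "description": f"Parameter: {row['param']}\nRisk: {RISK_NAMES[row['risk']]}"}}
```

In CI, read the file the report job wrote instead of SAMPLE_REPORT and end with raise SystemExit(1 if gate(rows, "Medium") else 0) so any Medium or High finding fails the job.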
Practical 20: Build Full ZAP Automation Architecture
Include:
• Docker ZAP engine
• baseline scans per commit
• full active scans nightly
• API scanning
• authenticated crawling
• reports to Slack/JIRA
• fail CI on critical issues
• OPA validation of security gates
• centralized report storage
This creates complete automated DAST in DevSecOps pipelines.
Intel Dump
• ZAP automation replaces manual dynamic testing
• Use Docker, CLI, API, GitHub Actions, Jenkins
• Automation YAML controls scans (spider, active scan, auth, reporting)
• Supports headless mode, AJAX crawler, API scanning
• Practicals include full scans, authenticated scans, CI integration, OpenAPI scanning, report automation, and full ZAP DevSecOps architecture