How to run OWASP Zed Attack Proxy ZAP's zap-api-scan.py without requiring docker?


KJ

Nov 2, 2018, 5:53:42 PM
to OWASP ZAP User Group

Is there a way to run zap-api-scan.py outside of docker?

I tried the below to run this python script outside of docker with below steps successfully. However, the script itself checks if it is running in docker and initiates docker via zap api if it is not running in docker, defeating my hack.


git clone https://github.com/zaproxy/zaproxy.git
easy_install six
pip install python-owasp-zap-v2.4
pip uninstall chardet
pip install "chardet==3.0.2"

python zaproxy/docker/zap-api-scan.py

Simon Bennetts

Nov 3, 2018, 6:54:46 AM
to OWASP ZAP User Group
The packaged scans all require docker, but you can still do everything they do without using docker if you're prepared to do a bit of script editing and testing :)
For a start you'll need to remove or comment out the bit that starts ZAP in docker: https://github.com/zaproxy/zaproxy/blob/develop/docker/zap-api-scan.py#L285-L336
Then you'll need to copy the custom scripts in your ZAP instance: https://github.com/zaproxy/zaproxy/tree/develop/docker/scripts/scripts/httpsender
Then you'll need to run the rest of the script and double check it's using the right policy and that the custom scripts are added correctly.
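
The steps above, driven against a ZAP instance that is already running locally: an added example, not part of the original thread and not the ZAP project's own script. It uses the python-owasp-zap-v2.4 client; the URLs, API key, policy name and script names are placeholders to replace with your own.

```python
import time

def connect(api_key, proxy="http://127.0.0.1:8080"):
    """Client for a ZAP instance started locally (no docker); address is an assumption."""
    from zapv2 import ZAPv2  # provided by: pip install python-owasp-zap-v2.4
    return ZAPv2(apikey=api_key, proxies={"http": proxy, "https": proxy})

def preflight(zap, policy, required_scripts):
    """Return a list of problems: unknown scan policy, missing or disabled httpsender scripts."""
    problems = []
    if policy and policy not in zap.ascan.scan_policy_names:
        problems.append("scan policy not found: " + policy)
    loaded = {s["name"]: s for s in zap.script.list_scripts
              if s.get("type") == "httpsender"}
    for name in required_scripts:
        if name not in loaded:
            problems.append("httpsender script not loaded: " + name)
        elif str(loaded[name].get("enabled")).lower() != "true":
            problems.append("httpsender script disabled: " + name)
    return problems

def run_api_scan(zap, definition_url, target, policy=None, required_scripts=(), poll=2):
    """Import an OpenAPI definition, let the passive scan drain, active scan, return alerts."""
    problems = preflight(zap, policy, required_scripts)
    if problems:
        raise RuntimeError("; ".join(problems))
    zap.openapi.import_url(definition_url)
    while int(zap.pscan.records_to_scan) > 0:  # passive scan queue still busy
        time.sleep(poll)
    scan_id = zap.ascan.scan(target, recurse=True, scanpolicyname=policy)
    if not str(scan_id).isdigit():  # ZAP returns an error string instead of an id
        raise RuntimeError("active scan did not start: %s" % scan_id)
    while int(zap.ascan.status(scan_id)) < 100:  # status is percent complete
        time.sleep(poll)
    return zap.core.alerts(baseurl=target)

def count_by_risk(alerts):
    """Summarise alerts as {risk level: count}."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts

if __name__ == "__main__":
    # Placeholder key and URLs; point these at your own ZAP instance and API.
    zap = connect(api_key="changeme")
    found = run_api_scan(zap, "https://api.example.test/openapi.json",
                         "https://api.example.test")
    print(count_by_risk(found))
```

Pass the policy and the names of the httpsender scripts you copied in as `policy` and `required_scripts`; the scan then refuses to start if ZAP does not have them loaded and enabled.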

KJ

Nov 4, 2018, 10:14:40 AM
to OWASP ZAP User Group
Thanks Simon, appreciate your timely help on this.

Caroline Rocha

Oct 6, 2021, 3:50:52 PM
to OWASP ZAP User Group
Hi Simon, would this be the same for the baseline and active scan? Assuming the docker functionality would be different but similar...?
Thank you.

Simon Bennetts

Oct 7, 2021, 3:20:37 AM
to OWASP ZAP User Group
Yes, the packaged scans just control ZAP via the API - you can do all of that without docker but not with those scripts as they stand.
We are migrating the packaged scans to use the Automation Framework (AF), which does not require docker.
You can use the AF right now but at the moment it does not support authentication - that's hopefully coming soon...

Cheers,

Simon