Hi all,
I recently developed an automation framework for ZAP at scale. I am calling it ZaP As A Service. Though ZAP runs perfectly fine for scanning a few requests, it's hard to scan a few 1000s of requests, which I have to do.
Though ZAP provides APIs, one major limitation for me is that a single ZAP instance cannot handle multiple sessions. So I have created ZaaS, which runs along with ZAP on a Kubernetes cluster with as many pods as you like.
ZaaS takes care of storing the information required for scans, scheduling scans, and sending output to a registered webhook. Currently, for me, it's scaling really well when I scan 1000s of requests while autoscaling ZAP instances on pods.
Here is my architecture diagram; I'd appreciate your feedback on the idea and architecture. I will make it open source soon.
Best,
Varun.
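A sketch of the scheduling loop the post describes, added here as an example that is not part of the original post or of ZaaS itself: one active scan per ZAP pod, a queue for the rest, and finished scans posted to the registered webhook. The ZAP endpoints (`/JSON/ascan/action/scan/`, `/JSON/ascan/view/status/`) and the `X-ZAP-API-Key` header are ZAP's own; the `Scheduler` class, the job format and the injectable `transport` hook are assumptions made so the loop can be exercised offline against a fake transport.

```python
import json
import urllib.parse, urllib.request
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional

# Hypothetical scheduler sketch (not ZaaS code): one active scan per ZAP pod, a queue
# for waiting jobs, finished results POSTed to the registered webhook.
Transport = Callable[[str, Optional[bytes]], dict]  # (url, body) -> parsed JSON

def http_json(url: str, body: Optional[bytes] = None, api_key: str = "") -> dict:
    # Default transport: GET, or POST when a body is given; parses the JSON reply.
    hdrs = {"X-ZAP-API-Key": api_key, "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=body, headers=hdrs)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode() or "{}")

@dataclass
class Scheduler:
    zap_pods: List[str]             # ZAP API base URLs, one per pod
    webhook: str                    # registered callback URL for results
    transport: Transport = field(default_factory=lambda: http_json)
    pending: Deque[dict] = field(default_factory=deque)
    active: Dict[str, dict] = field(default_factory=dict)  # pod -> running job

    def submit(self, job_id: str, target: str) -> None:
        self.pending.append({"id": job_id, "target": target})

    def dispatch(self) -> int:
        # Start queued jobs on idle pods (ZAP's /JSON/ascan/action/scan/); return count.
        started = 0
        for pod in self.zap_pods:
            if pod in self.active or not self.pending:
                continue
            job = self.pending.popleft()
            url = f"{pod}/JSON/ascan/action/scan/?url={urllib.parse.quote(job['target'], safe='')}"
            job["scan_id"] = self.transport(url, None)["scan"]
            self.active[pod] = job
            started += 1
        return started

    def poll(self) -> List[dict]:
        # Check /JSON/ascan/view/status/; deliver finished scans to the webhook, free the pod.
        finished = []
        for pod, job in list(self.active.items()):
            url = f"{pod}/JSON/ascan/view/status/?scanId={job['scan_id']}"
            if self.transport(url, None).get("status") == "100":
                payload = {"id": job["id"], "target": job["target"], "pod": pod}
                self.transport(self.webhook, json.dumps(payload).encode())
                finished.append(payload)
                del self.active[pod]
        return finished
```

Run `dispatch()` and `poll()` on a timer; a pod that has no entry in `active` is free to take the next queued job, which is the single-session limitation the post works around.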