Feedback requested: ZAP Automation Framework

psiinon

Jan 19, 2021, 6:33:22 AM
to OWASP ZAP Developer Group
We have started working on a new automation framework which is planned, in time, to be the recommended way for most people to automate ZAP.
We will not be removing any existing functionality, but the plan is to change the github actions and packaged scans to use this new framework in most cases.

This document describes why the framework is being developed, the features it will eventually provide and the way it is intended to work: https://docs.google.com/document/d/1xGCG5T0kBf0HjeHz86eKudIVxEPk_V1CzU-BYdoDrCw/edit#

We would love to hear your feedback - either in this thread or in the doc - everyone should have comment access to it.

Many thanks,

Simon

Sandal Iqbal

Jan 20, 2021, 7:37:14 AM
to OWASP ZAP Developer Group
Good that you are working on the new automation framework for ZAP! What I would love to see is all functionalities available in the zap-client jar, something which automation tools like Appium support. Basically, you import the jar and you should be able to do pretty much everything by calling appropriate classes. An example structure of the automation would be:

1. Start ZAP as a local service
2. upload scripts
3. Have control on http sender, selenium etc via the code itself
4. perform all attacks
5. generate reports

Would be nice if you are planning to expose these functionalities via a single jar.

psiinon

Jan 20, 2021, 7:56:34 AM
to OWASP ZAP Developer Group
ZAP is a relatively large and complex tool.
It has a plugin architecture that allows you to dynamically download and install add-ons from the ZAP Marketplace.
I'm afraid we have no plans to create a single jar that would do what you want.
If there was significant interest in such a thing then we _could_ investigate how much work it might take, but I suspect it will be non-trivial.
In other words don't get your hopes up ;)

Does anyone else have this requirement?

Cheers,

Simon