Seeking guidance on implementing ZAP security scanning pipeline


Arpit Thool

Jan 28, 2025, 9:45:14 PM
to ZAP Developer Group
Hello ZAP community,

I'm working on implementing an automated security scanning pipeline using OWASP ZAP for our Flask application. The pipeline would be triggered through GitHub Actions, which would initiate ZAP to perform comprehensive security scans against our Flask application. Once the scan is complete, it would generate detailed vulnerability reports that would be forwarded to a separate processing module.

This processing module would analyze each security alert individually, compiling the findings into a comprehensive assessment. The analyzed results would then be forwarded to our designated monitoring system for further action and tracking. The goal is to create a fully automated security testing workflow that integrates seamlessly with our existing development process.

Since I'm new to working with ZAP, I'm looking to understand if implementing such a pipeline is feasible and what components would be required. Specifically, I'd appreciate your insights on the programmatic aspects of working with ZAP – how to trigger scans programmatically, configure scan parameters, and generate detailed reports automatically.

Best,
Arpit
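The "processing module" sketched in the post above, as an added example that is not part of the original message and not code from the ZAP project: a small Python script that takes the JSON report ZAP writes (for instance via `zap-baseline.py -J report.json`, which is what the `zaproxy/action-baseline` GitHub Action wraps), flattens every alert across all scanned sites, compiles a per-risk summary and decides whether the CI job should fail. The report layout assumed here (`site[]` containing `alerts[]`, each with string `riskcode`, `confidence` and `instances[]`) follows ZAP's traditional JSON report; the sample report, its hostnames, and the gate thresholds (`fail_on`, `min_confidence`) are constructed for the example.

```python
"""Processing module for a ZAP JSON scan report.

Added example for this thread, not code from the poster or from the ZAP
project. The report layout assumed (site[] -> alerts[] -> instances[]) follows
ZAP's traditional JSON report; the sample report below is constructed.
"""
import json
from collections import Counter

# Codes as ZAP writes them in the JSON report (strings, not ints).
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE = {"0": "False Positive", "1": "Low", "2": "Medium", "3": "High"}
CONFIDENCE_ORDER = ["False Positive", "Low", "Medium", "High"]

# Constructed sample report (hostnames and findings are made up for the example).
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "http://flask-app:5000", "@host": "flask-app",
        "@port": "5000", "@ssl": "false",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "cweid": "79",
             "instances": [{"uri": "http://flask-app:5000/search?q=test",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [{"uri": "http://flask-app:5000/login", "method": "GET", "param": ""},
                           {"uri": "http://flask-app:5000/", "method": "GET", "param": ""}]},
            {"pluginid": "10015", "alert": "Re-examine Cache-control Directives",
             "riskcode": "0", "confidence": "1", "cweid": "525",
             "instances": [{"uri": "http://flask-app:5000/static/app.js",
                            "method": "GET", "param": ""}]},
        ],
    }],
})


def parse_alerts(report_text):
    """Flatten a ZAP JSON report into one dict per alert, across all sites."""
    report = json.loads(report_text)
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            findings.append({
                "site": site.get("@name", ""),
                "pluginid": alert.get("pluginid", ""),
                "name": alert.get("alert", ""),
                "risk": RISK.get(str(alert.get("riskcode", "0")), "Informational"),
                "confidence": CONFIDENCE.get(str(alert.get("confidence", "1")), "Low"),
                "cwe": alert.get("cweid", ""),
                # De-duplicate instance URLs so one alert maps to a stable URL list.
                "urls": sorted({i.get("uri", "") for i in alert.get("instances", [])}),
            })
    return findings


def assess(findings, fail_on=("High", "Medium"), min_confidence="Medium"):
    """Compile findings into an assessment and a pass/fail decision.

    A finding blocks the build only if its risk is in `fail_on` AND its
    confidence is at least `min_confidence`. Lower-confidence hits are still
    counted and reported, so the job does not fail on likely false positives
    but nothing is silently dropped.
    """
    min_idx = CONFIDENCE_ORDER.index(min_confidence)
    blocking = [f for f in findings
                if f["risk"] in fail_on
                and CONFIDENCE_ORDER.index(f["confidence"]) >= min_idx]
    by_risk = Counter(f["risk"] for f in findings)
    return {
        "total_alerts": len(findings),
        "by_risk": {r: by_risk.get(r, 0) for r in ("High", "Medium", "Low", "Informational")},
        "blocking": [{"pluginid": f["pluginid"], "name": f["name"], "cwe": f["cwe"],
                      "urls": f["urls"]} for f in blocking],
        "passed": not blocking,
    }


def process_report(report_text):
    """Entry point a CI step would call with the contents of the report file."""
    return assess(parse_alerts(report_text))


if __name__ == "__main__":
    result = process_report(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))  # payload to forward to the monitoring system
    raise SystemExit(0 if result["passed"] else 1)
```

In a GitHub Actions workflow this runs as the step after the scan, reading the report file the scan step wrote; the exit status gates the job and the printed JSON is what gets forwarded to the monitoring system. Keep the gate on risk and confidence together: ZAP's passive rules in particular produce many low-confidence informational hits, and failing the build on those trains developers to ignore the pipeline.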


psiinon

Jan 29, 2025, 4:14:26 AM
to ZAP Developer Group
Hi Arpit,

This question is about how to use ZAP - please ask it on the ZAP User Group: https://groups.google.com/group/zaproxy-users

This forum is for ZAP development questions.
Oh, and ZAP has not been part of OWASP for well over a year now :)

Cheers,

Simon