OWASP ZAP API Scan with Script based authentication not working with GitHub action


pradeep kandale

Feb 2, 2026, 9:37:52 AM (11 days ago) Feb 2
to ZAP User Group
I have created a ZAP API scan GitHub action, which I am running from a GitHub repository.

My current setup -

I have OWASP ZAP running on VM-A; I have exported the context file and scripts and checked them into the repository.
Now from VM-B, I am trying to run the workflow, where the OWASP ZAP UI doesn't exist. Since I am running docker commands from VM-B, I believe I don't need to install OWASP ZAP on VM-B.

I am using this repo as my reference -
https://github.com/VikashChoudahry/devsecops - The only thing from this repo missing in my GitHub repo is that I do not have any Dockerfile included yet.


Providing my workflow steps below -
---------------------------------------------------------------------
# This is a basic workflow to help you get started with Actions

name: ZAP API Scan

# Controls when the workflow will run
on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: [ linux ]
    name: Sanity check of git actions
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v4
        with:
          ref: feature/master
      # Runs a single command using the runners shell
      - name: Run a one-line script
        run: echo No error. Do the necessary build steps here.

  scans:
    # The type of runner that the job will run on
    runs-on: [ linux ]
    name: ZAP API Scan
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Log current directory
        run: echo "$(pwd)"
      - name: Pull ZAP OWASP Image
        run: docker pull 'ghcr.io/zaproxy/zaproxy:weekly'
      - name: Run ZAP API Scan
        run: |
          # The trailing backslashes continue the command across lines; inside the
          # double-quoted -z string the shell also drops the backslash-newline pairs
          sudo docker run -v "$(pwd)":/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:weekly zap-api-scan.py \
            -t /zap/wrk/openapi.json \
            -f openapi \
            -r test_report_$(date -u +'%Y%m%d').html \
            -n /zap/wrk/AuthContext.context \
            -z "-addonupdate -addoninstall=script -addoninstall=jython \
            -config logger.level=DEBUG \
            -config logger.console.level=DEBUG \
            -config script.scripts(0).name=AuthScript \
            -config script.scripts(0).type=authentication \
            -config script.scripts(0).engine=jython \
            -config script.scripts(0).enabled=true \
            -config script.scripts(0).file=/zap/wrk/AuthScript.py \
            -config script.scripts(1).name=SetAutheticationAccessToken \
            -config script.scripts(1).type=httpsender \
            -config script.scripts(1).engine=jython \
            -config script.scripts(1).enabled=true \
            -config script.scripts(1).file=/zap/wrk/SetAutheticationAccessToken.py"

----------------------------------------------------------------------------------------------------------

Currently I am getting the errors below.
First error -
Failed to load context file /zap/wrk/AuthContext.context : internal_error
2nd error -
Permission denied: '/zap/wrk/test_report_20260202.html'
I/O error: [Errno 13] Permission denied: '/zap/wrk/test_report_20260202.html'
3rd error -
org.parosproxy.paros.common.AbstractParam - Setting config script.scripts(0).name = APIAuthScript was null

Could you please help?

Simon Bennetts

Feb 12, 2026, 7:04:13 AM (yesterday) Feb 12
to ZAP User Group
Hiya,

Do you really need to run docker with "sudo"?
If not then it's best not to - that might be causing the following file permission problem.

The "Permission denied: '/zap/wrk/test_report_20260202.html'" problem will be a local permission issue.
Docker file permissions can be "interesting", and unfortunately are not something we can control in ZAP.
You may need to give write access to all users to the directory you are mapping.

Re "Failed to load context file /zap/wrk/AuthContext.context : internal_error" - is the SetAutheticationAccessToken.py script in the CWD when you run the docker command?
If it is not then that might be causing the problem.
Otherwise you will need to look at the zap.log file for more details.

Cheers,

Simon
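A preflight check for the two points Simon raises, as an added example that is not ZAP's own tooling and not part of either post: it assumes the directory mapped to /zap/wrk is passed as the first argument, and that the container runs as a different uid than the host user, so the directory must be writable by others before the report can be created.

```shell
#!/bin/sh
# Preflight for the "docker run -v $(pwd):/zap/wrk:rw ..." step in the workflow.
# Added example, not part of ZAP or of the thread's workflow. Assumptions: DIR is
# the directory mapped to /zap/wrk, and the container's zap user is not the host
# user, so DIR must be writable by "others" for ZAP to write its report.

# zap_preflight DIR FILE...
# Returns 0 when DIR is writable by others and every FILE exists inside DIR;
# otherwise prints each problem to stderr and returns 1.
zap_preflight() {
  dir=$1
  shift
  rc=0
  if [ ! -d "$dir" ]; then
    echo "preflight: $dir is not a directory" >&2
    return 1
  fi
  # Character 9 of "ls -ld" output is the write bit for others (drwxrwxrwx).
  others_w=$(ls -ld "$dir" | cut -c9)
  if [ "$others_w" != "w" ]; then
    echo "preflight: $dir is not writable by others; the report cannot be written (try: chmod a+w $dir)" >&2
    rc=1
  fi
  # Every file the workflow references under /zap/wrk must exist in DIR,
  # otherwise -n (context) or -config script.scripts(N).file cannot load it.
  for f in "$@"; do
    if [ ! -f "$dir/$f" ]; then
      echo "preflight: $dir/$f is missing" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage with the file names from the workflow above:
# zap_preflight "$(pwd)" openapi.json AuthContext.context AuthScript.py SetAutheticationAccessToken.py
```

Run it on the runner before the docker step so a missing script or a non-writable mapped directory fails the job with a clear message instead of ZAP's internal_error or Errno 13.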