Include context in docker packaged scan


Nithin A

Feb 8, 2021, 5:11:32 AM2/8/21
to OWASP ZAP User Group
Hi Team,

How do I specify the context file while performing a ZAP full scan using the Docker image?
OS: Windows
An example command would be helpful.

eri...@augment1security.com

Feb 8, 2021, 10:13:17 AM2/8/21
to OWASP ZAP User Group
Hi Nithin,


Best Regards,
Eric W.
Blog: https://augment1security.com/blog/
Twitter: @aug1sec
Facebook: https://www.facebook.com/aug1sec

Nithin A

Feb 8, 2021, 12:42:21 PM2/8/21
to OWASP ZAP User Group
Hey Eric,

Thanks for the reply.

I'm not sure how to resolve this warning on Windows; any thoughts on how this can be handled while running Docker on Windows?
Warning: A file based option has been specified but the directory '/zap/wrk' is not mounted

Regards,

Simon Bennetts

Feb 8, 2021, 12:46:20 PM2/8/21
to OWASP ZAP User Group
  • If you use 'file' params then you need to mount the directory those files are in or will be generated in, eg:
  • docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com -g gen.conf -r testreport.html
  • Note that $(pwd) is only supported on Linux and MacOS - on Windows you will need to replace this with the full current working directory.
ZAP cannot access your context file unless you mount the drive it's in when you start Docker.
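The mount rule above is easy to get wrong: the context file has to sit inside the directory bound to /zap/wrk, and it has to be passed by its bare name so that the scan script finds it at /zap/wrk/<name>. The following POSIX shell helper, added here as an example and not code from the thread or from the ZAP project, checks those two conditions before printing the docker command line it would run. It assumes the image and script names used in this thread (owasp/zap2docker-stable, zap-full-scan.py with -n for the context file, both of which ship in the ZAP image); the target URL and file names are constructed placeholders, and the Windows path remark is an assumption about Git Bash / MSYS behaviour.

```shell
#!/bin/sh
# Added example: build the docker invocation for a ZAP packaged scan so that
# file-based options (-n context, -r report, -g config) resolve under /zap/wrk.

# zap_scan_cmd TARGET_URL CONTEXT_FILE [REPORT_FILE]
# Prints the docker command on stdout, or returns 1 with a reason on stderr.
zap_scan_cmd() {
  target="$1"
  context="$2"
  report="${3:-testreport.html}"

  # ZAP only sees the mounted directory, so the context file must be given as
  # a bare filename that lives directly in the directory we are about to mount.
  case "$context" in
    */*) echo "context file must be a bare filename inside $(pwd), got: $context" >&2; return 1 ;;
  esac
  [ -f "$context" ] || { echo "missing context file: $(pwd)/$context" >&2; return 1; }

  # Host directory to mount. On Linux/macOS $(pwd) is fine; on Windows the
  # full path is needed, e.g. C:\Users\me\zap (assumption: in Git Bash/MSYS
  # `pwd -W` prints that form, otherwise type the path by hand).
  hostdir="$(pwd)"

  echo "docker run -v \"$hostdir:/zap/wrk/:rw\" -t owasp/zap2docker-stable zap-full-scan.py -t \"$target\" -n \"$context\" -r \"$report\""
}
```

Source the file (or paste the function into a shell) from the directory that holds the context file, then run something like `eval "$(zap_scan_cmd https://www.example.com Bodgeit.context)"`; the report lands in the same directory because it is written under /zap/wrk inside the container.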

kingthorin+owaspzap

Feb 8, 2021, 1:54:18 PM2/8/21
to OWASP ZAP User Group

Nithin A

Feb 9, 2021, 12:00:39 PM2/9/21
to OWASP ZAP User Group
I tried this: docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://bodgeit.herokuapp.com -n Bodgeit.context -g gen.conf -r testreport.html -U best@best

Yet I'm getting this error; can you please help me see where I am going wrong?
[attachment: Screenshot from 2021-02-09 22-28-35.png]

kingthorin+owaspzap

Feb 9, 2021, 6:37:28 PM2/9/21
to OWASP ZAP User Group
Can your docker image access anything online?
Is DNS resolution working within the image?

Nithin A

Feb 10, 2021, 2:07:05 AM2/10/21
to OWASP ZAP User Group
The baseline scan without any parameters worked just fine.

Simon Bennetts

Feb 10, 2021, 4:26:42 AM2/10/21
to OWASP ZAP User Group
Start a bash shell in that docker image using:
  • docker run -it owasp/zap2docker-stable bash
Then run:
What does that give you?

Nithin A

Feb 10, 2021, 8:54:46 AM2/10/21
to OWASP ZAP User Group
The scan executed properly; I had missed the https://bodgeit.herokuapp.com/ at the end.

Should the reports generated by the Docker full scan and the ZAP UI active scan be comparable?
I found more than 2x URLs were crawled in the ZAP UI compared to the Docker image.

For the curl command, an HTML response is served. No problem with connecting to the internet.

Regards,