ZAP command line


priya dhana

Sep 2, 2021, 10:23:58 AM
to OWASP ZAP User Group
Hi Simon, 

I'm trying the ZAP command line option using Docker.

This is the output I get in the terminal,

[attachment: zap output.PNG]

And when I write the output into an HTML or JSON file, I get elaborate output with Severity, CWE, CVE ID, Description, everything.

This is the sample HTML output,

[attachment: ZAP html output.PNG]

Is there any way I can get the detailed output with Severity and CVE, CWE ID in my terminal without writing into a file?

Regards,
Priya

Simon Bennetts

Sep 2, 2021, 10:27:39 AM
to OWASP ZAP User Group
Hi Priya,

You could define a scan hook which prints that information out for you.

Cheers,

Simon

priya dhana

Sep 2, 2021, 11:40:47 AM
to OWASP ZAP User Group
Apologies, I'm completely new to ZAP and trying to explore how to write a custom scan hook.

I have gone through the scan hook link, but couldn't understand how to write my own.

Can you please help me with some sample scripts? I would require just the Risk Level, CWE ID, CVE ID and Description to be printed.

Thanks,
Priya
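The kind of hook Simon suggests above, written out as an added example for Priya's request (this is not code from the ZAP project or from anyone in the thread). It assumes the file is saved as hooks.py, mounted into the container (e.g. -v $(pwd):/zap/wrk/:rw) and passed as --hook=/zap/wrk/hooks.py; it relies on the documented hook name zap_get_alerts_wrap, which the scan scripts call with the alert dictionary they build (keyed by plugin id, each value a list of alert dicts from the ZAP API). ZAP alerts carry a CWE ID and a WASC ID but no CVE field, so those two are printed instead.

```python
# hooks.py: added example scan hook for zap-full-scan.py / zap-baseline.py.
# Prints each alert's risk level, CWE ID, WASC ID and description to the
# terminal. Not ZAP project code; the hook name zap_get_alerts_wrap is the
# documented post-hook for alert retrieval (assumed signature: one argument,
# the per-plugin alert dictionary, which the hook should hand back).

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def format_alert(alert):
    """Render one ZAP alert dict as a terminal line plus an indented description."""
    return "[{risk}] {name} (plugin {pid}, CWE-{cwe}, WASC-{wasc}) {url}\n    {desc}".format(
        risk=alert.get("risk", "?"),
        name=alert.get("alert") or alert.get("name", "?"),
        pid=alert.get("pluginId", "?"),
        cwe=alert.get("cweid", "?"),
        wasc=alert.get("wascid", "?"),
        url=alert.get("url", ""),
        desc=" ".join(alert.get("description", "").split()),  # collapse whitespace
    )


def summarize_alerts(alert_dict):
    """Flatten the per-plugin alert dict into lines, highest risk first."""
    alerts = [a for group in alert_dict.values() for a in group]
    alerts.sort(key=lambda a: (RISK_ORDER.get(a.get("risk"), 99), str(a.get("pluginId"))))
    return [format_alert(a) for a in alerts]


def zap_get_alerts_wrap(alert_dict):
    """Called by the scan script once alerts are fetched; print and pass them on."""
    for line in summarize_alerts(alert_dict):
        print(line)
    return alert_dict  # return the data unchanged so the normal report still runs


# Constructed sample alerts (not real scan output) for trying the formatting offline.
SAMPLE_ALERTS = {
    "10021": [{"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
               "risk": "Low", "cweid": "693", "wascid": "15",
               "url": "https://example.test/", "description": "The header was not set."}],
    "40012": [{"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
               "risk": "High", "cweid": "79", "wascid": "8",
               "url": "https://example.test/search?q=x",
               "description": "Reflected input  was not encoded."}],
}

if __name__ == "__main__":
    zap_get_alerts_wrap(SAMPLE_ALERTS)
```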

priya dhana

Sep 2, 2021, 11:51:22 AM
to OWASP ZAP User Group
Also, I have created a hooks.py file in my repo with the following content:

[attachment: zap-hooks.PNG]

and this is my ZAP command:

zap-full-scan.py -t https://**** --hook=src/hooks.py 2>/dev/null || exit 0

When the Jenkins build ran, I did not see these hooks getting executed or printed. There was no error either.

[attachment: zap start.PNG]

[attachment: Zap end.PNG]

Thanks,
Priya

Simon Bennetts

Sep 13, 2021, 4:27:35 AM
to OWASP ZAP User Group
Hiya Priya,

You will need to mount a directory with the hook file in it when you run Docker, otherwise it won't have access to it - see https://www.zaproxy.org/docs/docker/full-scan/
You may also need to specify the full path to the hook file, but that will be the path in the Docker container _not_ in the local one.

Cheers,

Simon