Export configuration from the ZAP desktop GUI ?

alex van

unread,

Nov 20, 2022, 9:07:49 PM11/20/22

to zaprox...@googlegroups.com

hi there,

I have configured my ZAP via the ZAP desktop GUI, including the configuration for the active scanning , configuration for some of the policies.

Is it possible to export the configuration as a file then I can import to another ZAP docker running on another machine ? That would be much easier to setup a new ZAP docker.

thanks,

alex

Simon Bennetts

unread,

Nov 21, 2022, 5:24:49 AM11/21/22

to OWASP ZAP User Group

Hi Alex,

The config.xml file contains all of the ZAP Desktop config settings, so you can just copy that.

Thats in the ZAP default directory: https://www.zaproxy.org/faq/what-is-the-default-directory-that-zap-uses/

For more details see https://www.youtube.com/watch?v=EIUlCknXMSI

Cheers,

Simon

alex van

unread,

Nov 25, 2022, 12:11:07 AM11/25/22

to OWASP ZAP User Group

hi Simon

thanks for the info. i have read it , as well as the video , which is helpful.

But I think my question actually specifically focus on the active scan configuration. As shown in the video, the config.xml didn't include the config for the active scan. Actually the config for the active scan are saved as scan policy file.

For example, I have created 10 different active scan policy, which are 10 different policy files and I need to import the specific scan policy file for specific active scan.

https://www.zaproxy.org/docs/desktop/cmdline/

in the command line page, it didn't show any solution regarding this.

So may I know if ZAP support this?

regards,

alex

Simon Bennetts

unread,

Nov 25, 2022, 4:54:04 AM11/25/22

to OWASP ZAP User Group

Hi Alex,

The ZAP command line is deliberately somewhat limited.

The full set of options we support for automating ZAP are listed on https://www.zaproxy.org/docs/automate/

The packaged scan, github actions, automation framework and API all support the policy files.

The packaged scans and/or github actions are probably the easiest option, but they do depend on docker and you will need to copy your policy files into the docker image.

The automation framework does not depend on docker (but can run in a docker image) and is a bit more flexible, so that might be a good option for you as well.

Cheers,

Simon

Michael Endrizzi

unread,

Jan 8, 2024, 3:39:12 AM1/8/24

to ZAP User Group

I noticed the GUI does not respect ENV variables or relative directory names??? so moving between desktop and docker with different file systems

does not work..

Simon Bennetts

unread,

Jan 8, 2024, 4:19:26 AM1/8/24

to ZAP User Group

Its always better to start a new thread here rather than posting to an old one :)

The AF does support both absolute and relative file paths as per https://www.zaproxy.org/docs/desktop/addons/automation-framework/#file-paths

The plan is to add an option to always convert to relative paths and to copy any files used to a subdirectory .. but we are a small overworked team and cannot do everything.

If anyone fancies working on this, or anything else ZAP releated, then please get in touch...