ZAP scan not able to scan api endpoints getting 401


Abhishek Shrivastava

Jul 1, 2025, 12:33:14 PM
to ZAP User Group
Hi,

I am running a ZAP scan in an Azure DevOps release pipeline as below to test my API. It is able to scan publicly available paths but gets not authenticated (401) for paths behind basic auth, even though I have provided basic auth details in the docker run.

Below is the script I am running in my CD pipeline. Am I doing anything wrong?

echo "#### Get the latest ZAP docker image ####"
echo "############################################"
docker pull ghcr.io/zaproxy/zaproxy:stable

echo "##### Set up permission #######"
echo "###############################"
/usr/bin/id -u root
/usr/bin/mkdir -v -p /home/vsts/work/1/s/zap
/usr/bin/chmod 777 /home/vsts/work/1/s/zap

echo "Check whats in the dir tree"
echo "###############################"

pwd
ls -ahl /home/vsts/work/1/s

echo "####### RUN The SCAN #######"
/usr/bin/docker --debug run -u 0 -v /home/vsts/work/1/s/zap:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://dev.theinsurercloud.com:443 \
  -J report.json \
  -r report.html \
  -z "addoninstall openapi -openapiurl https://dev.theinsurercloud.com/swagger/v1/swagger.json \
      -config auth.methodName=basic \
      -config auth.paramName=username \
      -config auth.paramValue=your_username \
      -config auth.credentials.username=your_username \
      -config auth.credentials.password=your_password \
      -config context.contextName=Default Context \
      -config context.includeInContext='Default Context:https://dev.theinsurercloud.com*'"

echo "########## Report Path ##########"
ls -ahl /home/vsts/work/1/s/zap

Thanks
Abhishek

Abhishek Shrivastava

Jul 2, 2025, 11:52:30 AM
to ZAP User Group
I got it working using the replacer to provide the auth header.
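
The fix mentioned above, sketched as an added example (not the poster's actual script and not ZAP project code): a Replacer rule that sets the Authorization request header, passed to the packaged scan through -z. API_USER, API_PASS, the rule name auth1 and the --run switch are assumptions; the target URL and volume path are the ones from the first post.

```shell
#!/bin/sh
# Added example. API_USER and API_PASS are hypothetical pipeline secret
# variables; the rule name "auth1" is arbitrary.

# Value of an HTTP Basic Authorization header: "Basic " + base64("user:password").
basic_auth_value() {
  # printf (not echo) so no trailing newline gets encoded; tr removes the
  # line wrapping that base64 applies to long output.
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# One "-config" option for the first Replacer rule, followed by a space.
opt() { printf '%s %s.%s ' -config 'replacer.full_list(0)' "$1"; }

# ZAP options defining a Replacer rule that sets the Authorization header on
# every request ZAP sends. $1 is the header value; it is single-quoted in the
# output because it contains a space.
replacer_auth_options() {
  opt description=auth1
  opt enabled=true
  opt matchtype=REQ_HEADER
  opt matchstr=Authorization
  opt regex=false
  opt "replacement='$1'"
}

# Full scan of the target from the post, with the rule passed through -z.
run_scan() {
  header=$(basic_auth_value "${API_USER:?not set}" "${API_PASS:?not set}")
  docker run -u 0 -v /home/vsts/work/1/s/zap:/zap/wrk/:rw \
    ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
    -t https://dev.theinsurercloud.com:443 \
    -J report.json -r report.html \
    -z "$(replacer_auth_options "$header")"
}

# Start the scan only when asked to, e.g. "sh zap-auth.sh --run" in the pipeline.
if [ "${1:-}" = "--run" ]; then run_scan; fi
```

The base64 value is equivalent to the credentials themselves, and pipeline secret masking will not recognise the encoded form, so keep the docker command line out of echoed or debug output.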

Simon Bennetts

Jul 7, 2025, 12:11:05 PM
to ZAP User Group
Thanks for letting us know!