ZAP API, Automation Framework, runPlan


Ruskó Szilveszter

May 2, 2023, 7:49:00 AM
to OWASP ZAP User Group
Hi,

I would like to create a solution which uses the daemon:
zap.sh -daemon -port 8090 -config api.key=${ZAP_API_KEY} -addoninstallall

and after that import an openapi.yaml file for the scans:

(I tried with GET too)

but unfortunately I got this error message every time:

root@host:/zap# curl -X POST "http://localhost:8090/JSON/UI/automation/action/runPlan/?apikey=${ZAP_API_KEY}&runPlan=${PWD}/openapi.yaml" -vvv
*   Trying 127.0.0.1:8090...
* Connected to localhost (127.0.0.1) port 8090 (#0)
> POST /JSON/UI/automation/action/runPlan/?apikey=&runPlan=/zap/openapi.yaml HTTP/1.1


Do you have any suggestion?
Thank you,

Simon Bennetts

May 2, 2023, 7:53:27 AM
to OWASP ZAP User Group

Out of interest, why do you want to run the AF plan in daemon mode?
I expected the most useful option to be running AF plans from the command line.

Cheers,

Simon

Ruskó Szilveszter

May 2, 2023, 9:40:50 AM
to OWASP ZAP User Group
Dear Simon,

Thanks for the reply, could you explain why it is important? https://www.zaproxy.org/docs/automate/automation-framework/#updating-add-ons
I have already installed all plugins here: zap.sh -daemon -port 8090 -config api.key=${ZAP_API_KEY} -addoninstallall or have I missed something?

Daemon mode:
I would like to install it in a k8s env, and in this case zaproxy should run as a daemon, and I have to import a common scan configuration at the start.
After that each pod/container could call it via the API once it has been deployed.

Thank you,

Simon Bennetts

May 2, 2023, 10:44:22 AM
to OWASP ZAP User Group
We don't recommend running ZAP as a long-running service.
You can do so if you want, but it's not really designed to be run that way.

Cheers,

Simon

Ruskó Szilveszter

May 2, 2023, 2:00:49 PM
to OWASP ZAP User Group
Alright, I understood. Just another thing: is it possible to execute the zap.sh command and detach from the process without killing it?
Thanks,

Simon Bennetts

May 3, 2023, 4:14:42 AM
to OWASP ZAP User Group
Oh yeah, just add a "&" at the end of the command - this is common Linux / macOS functionality.

Cheers,

Simon

Ruskó Szilveszter

May 4, 2023, 4:41:09 AM
to OWASP ZAP User Group
Thank you!

Just two questions:

Is it possible to define a default report path in the config file?
Is it possible to export every report (or just the last one) into this report path?

(in this case ZAP works in daemon mode)

Thanks,

Simon Bennetts

May 4, 2023, 6:17:31 AM
to OWASP ZAP User Group
You can specify the directory to use.
Right now the default directory is the user's home directory - there's no way to change that other than by specifying an alternative when calling the 'generate' API endpoint.

Cheers,

Simon

Ruskó Szilveszter

May 4, 2023, 6:44:46 AM
to OWASP ZAP User Group
Thank you,

Could you give some info on this question too, please? Is it possible to export every report (or just the last one) into this report path?

Thank you,

Simon Bennetts

May 4, 2023, 6:47:58 AM
to OWASP ZAP User Group
It is, as long as you make sure the reports have different names, otherwise they will overwrite the previous report :)
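The pieces discussed across this thread (starting ZAP detached with "&", calling runPlan through the API, and giving each generated report its own name so it does not overwrite the previous one) fit together in the helper script below. This is an added example, not code from the thread or from the ZAP project. It assumes the ZAP API component is named "automation" with an action "runPlan" taking a "filePath" parameter, and that reports are produced by the "reports" component's "generate" action with "reportDir" and "reportFileName" parameters; the API key value, the port and the "/zap/reports" directory are constructed placeholders. It also refuses to run with an empty key, since the captured request earlier in the thread shows "apikey=" with no value, which means the shell variable was not set when that curl was run.

```shell
#!/bin/sh
# Added example (not from the thread): helper functions for driving a ZAP daemon.
# Assumptions: API component "automation" / action "runPlan" / parameter "filePath";
# component "reports" / action "generate" with reportDir and reportFileName;
# zap.sh on PATH; API key, port and report directory are constructed placeholders.

# Refuse to proceed with an empty API key. The captured request in the thread
# shows "apikey=" with no value, i.e. ${ZAP_API_KEY} was unset in that shell.
require_api_key() {
  if [ -z "$1" ]; then
    echo "ZAP_API_KEY is empty; refusing to start or call ZAP" >&2
    return 1
  fi
}

# URL for running an Automation Framework plan through the API.
run_plan_url() {
  # $1 = base URL, $2 = API key, $3 = absolute path to the plan file
  printf '%s/JSON/automation/action/runPlan/?apikey=%s&filePath=%s\n' "$1" "$2" "$3"
}

# Per-run report file name so successive reports do not overwrite each other.
report_name() {
  # $1 = label, $2 = timestamp (defaults to the current UTC time)
  ts="${2:-$(date -u +%Y%m%dT%H%M%SZ)}"
  printf '%s-%s.html\n' "$1" "$ts"
}

# URL for generating a report into a fixed directory with the given file name.
report_url() {
  # $1 = base URL, $2 = API key, $3 = report directory, $4 = file name
  printf '%s/JSON/reports/action/generate/?apikey=%s&title=%s&template=traditional-html&reportDir=%s&reportFileName=%s\n' \
    "$1" "$2" "$4" "$3" "$4"
}

# Start ZAP detached ("&", as suggested in the thread) and poll until the API answers.
start_zap_daemon() {
  # $1 = port, $2 = API key
  zap.sh -daemon -port "$1" -config "api.key=$2" -addoninstallall &
  ZAP_PID=$!
  i=0
  until curl -sf "http://localhost:$1/JSON/core/view/version/?apikey=$2" >/dev/null; do
    i=$((i + 1))
    [ "$i" -lt 60 ] || { echo "ZAP did not come up" >&2; return 1; }
    sleep 2
  done
}

# Whole flow: start the daemon, run the plan, write a uniquely named report.
# Only runs when ZAP_RUN=1 so the functions above can be sourced on their own.
main() {
  port="${ZAP_PORT:-8090}"
  key="${ZAP_API_KEY:-}"
  require_api_key "$key" || return 1
  base="http://localhost:$port"
  start_zap_daemon "$port" "$key" || return 1
  curl -sf -X POST "$(run_plan_url "$base" "$key" "$PWD/openapi.yaml")"
  curl -sf -X POST "$(report_url "$base" "$key" /zap/reports "$(report_name openapi)")"
}

if [ "${ZAP_RUN:-0}" = "1" ]; then
  main
fi
```

Run it as ZAP_API_KEY=... ZAP_RUN=1 sh zap-helper.sh; without ZAP_RUN=1 the file only defines the functions, which is convenient for sourcing the URL builders from other scripts.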

Ruskó Szilveszter

May 4, 2023, 6:51:11 AM
to OWASP ZAP User Group
Thank you Simon :)