How to properly use ZAP API Scan?


James Yo

Aug 2, 2022, 12:23:41 AM
to OWASP ZAP User Group
Hello,

In this conversation I'd like to inquire regarding Docker ZAP's "zap-api-scan.py". Assuming I have the OpenAPI spec I can use for the scanning, how do I properly "implement" the given spec to use for the scan?

I've tried using this command:
zap-api-scan.py -t <my target url> -f openapi -n <my openAPI spec>.yml -J -r /zap/report/<result>.html

Yet it seems to give this error:
2022-08-02 04:08:32,133 Failed to load context file /zap/wrk/ <my openAPI spec>.yml : does_not_exist

Did I use the command incorrectly? Or perhaps zap-api-scan does not support openAPI spec file?

Thank you in advance,
James

Simon Bennetts

Aug 2, 2022, 2:44:34 AM
to OWASP ZAP User Group
Hi James,

Step 1 - read the docs (or check the usage) :)

If you look at https://www.zaproxy.org/docs/docker/api-scan/ you'll see that
  • The target open API spec URL should be specified using the '-t' param
  • The '-n' param is used for the context (which is not an OpenAPI spec)
Cheers,

Simon
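The corrected invocation Simon describes, as an added shell example that is not part of the thread: the OpenAPI spec is passed with -t (as a path under the mounted /zap/wrk directory), and -n is reserved for a ZAP context file. The image name (ghcr.io/zaproxy/zaproxy:stable), the function name and the preflight checks are my own assumptions, not something the zaproxy project ships.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the zap-api-scan.py command
# with the spec on -t and an optional context file on -n, and refuse the
# mix-up from the original post (an API spec handed to -n).
ZAP_IMAGE="${ZAP_IMAGE:-ghcr.io/zaproxy/zaproxy:stable}"  # assumed image

# build_zap_api_scan_cmd <host_work_dir> <spec_file> [context_file]
# Prints the docker command on stdout; returns 1 on a bad argument.
# Both files must live in host_work_dir: the container mounts it as /zap/wrk
# and resolves bare file names there, which is why the thread's error reads
# "Failed to load context file /zap/wrk/...: does_not_exist".
build_zap_api_scan_cmd() {
  work_dir=$1; spec=$2; context=$3
  [ -d "$work_dir" ] || { echo "work dir $work_dir not found" >&2; return 1; }
  [ -f "$work_dir/$spec" ] || { echo "spec $spec not in $work_dir" >&2; return 1; }
  case "$spec" in
    *.yml|*.yaml|*.json) ;;
    *) echo "spec $spec is not a .yml/.yaml/.json OpenAPI file" >&2; return 1 ;;
  esac
  cmd="docker run --rm -v $work_dir:/zap/wrk:rw -t $ZAP_IMAGE zap-api-scan.py"
  # -r and -J both take a file name; the reports land in the mounted dir.
  cmd="$cmd -t /zap/wrk/$spec -f openapi -r report.html -J report.json"
  if [ -n "$context" ]; then
    [ -f "$work_dir/$context" ] || { echo "context $context not in $work_dir" >&2; return 1; }
    case "$context" in
      *.yml|*.yaml|*.json)
        echo "$context looks like an API spec; -n expects a ZAP context file" >&2
        return 1 ;;
    esac
    cmd="$cmd -n /zap/wrk/$context"
  fi
  printf '%s\n' "$cmd"
}
```

Run the printed command as-is, or pipe it to sh once the work directory holds the spec (and, if used, the exported .context file).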