How to generate JSON report using ZAP Automation?


Rohit Kumar

Jun 13, 2022, 7:09:30 AM
to OWASP ZAP User Group
Hi There,

I am trying to start implementing ZAP automation in one of our projects. I am able to run a scan using a YAML file, and it also generates an HTML report file at this location: /root/2022-06-13-ZAP-Report-example.com.html

But I want to get the results in JSON format; how can I achieve that? I tried looking over a lot of resources but didn't find anything interesting.

Command
./zap.sh -cmd -autorun zap.yaml

zap.yaml contents

env:
  contexts:
    - name: my_context
      urls:
        - "https://example.com"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  - type: passiveScan-config           # Passive scan configuration
    parameters:
      maxAlertsPerRule: 10             # Int: Maximum number of alerts to raise per rule
      scanOnlyInScope: true            # Bool: Only scan URLs in scope (recommended)
      maxBodySizeInBytesToScan:        # Int: Maximum body size to scan, default: 0 - will scan all messages

  - type: spider                       # The traditional spider - fast but doesn't handle modern apps so well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      url:                             # String: Url to start spidering from, default: first context URL
      failIfFoundUrlsLessThan:         # Int: Fail if spider finds less than the specified number of URLs, default: 0
      warnIfFoundUrlsLessThan:         # Int: Warn if spider finds less than the specified number of URLs, default: 0
      maxDuration:                     # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
      maxDepth:                        # Int: The maximum tree depth to explore, default 5
      maxChildren:                     # Int: The maximum number of children to add to each node in the tree
      acceptCookies:                   # Bool: Whether the spider will accept cookies, default: true
      handleODataParametersVisited:    # Bool: Whether the spider will handle OData responses, default: false
      handleParameters:                # Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all
      maxParseSizeBytes:               # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
      parseComments:                   # Bool: Whether the spider will parse HTML comments in order to find URLs, default: true
      parseGit:                        # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false
      parseRobotsTxt:                  # Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true
      parseSitemapXml:                 # Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true
      parseSVNEntries:                 # Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false
      postForm:                        # Bool: Whether the spider will submit POST forms, default: true
      processForm:                     # Bool: Whether the spider will process forms, default: true
      requestWaitTime:                 # Int: The time between the requests sent to a server in milliseconds, default: 200
      sendRefererHeader:               # Bool: Whether the spider will send the referer header, default: true
      threadCount:                     # Int: The number of spider threads, default: 2
      userAgent:                       # String: The user agent to use in requests, default: '' - use the default ZAP one
  - type: passiveScan-wait             # Passive scan wait for the passive scanner to finish
    parameters:
      maxDuration: 1                   # Int: The max time to wait for the passive scanner, default: 0 unlimited
  - type: activeScan

  - type: report                       # Report generation
    parameters:
      displayReport: true
    risks:
      - high
      - medium
      - low
      - info


thc...@gmail.com

Jun 13, 2022, 8:17:00 AM
to zaprox...@googlegroups.com
Hi.

The corresponding help page indicates how to configure the job:
https://www.zaproxy.org/docs/desktop/addons/report-generation/automation/

For the IDs of the templates:
https://www.zaproxy.org/docs/desktop/addons/report-generation/templates/

Best regards.

On 13/06/2022 12:09, Rohit Kumar wrote:
> Hi There,
>
> I am trying to start implementing ZAP automation in one of our project, i
> am able to run scan using YAML file and it's also generating html report
> file at this location /root/2022-06-13-ZAP-Report-example.com.html
>
> But, i want to get results in JSON format, how can i achieve it? I tried to
> look over lot of resources, didn't found anything interesting.
>
> *Command*
> ./zap.sh -cmd -autorun zap.yaml
>
> *zap.yaml contents*

Rohit Kumar

Jun 13, 2022, 11:12:17 AM
to OWASP ZAP User Group
Hi there, I can't see anything related to JSON at that link; I already went through those links this morning. Can you please point out what I'm missing?

thc...@gmail.com

Jun 13, 2022, 11:18:25 AM
to zaprox...@googlegroups.com
In the second link it mentions the reports that are in JSON format,
specify one of those when setting up the report job.

Best regards.

On 13/06/2022 16:12, Rohit Kumar wrote:
> Hi There, i can't see anything related to json on that link, i already

Charles Williams

Jun 13, 2022, 11:21:08 AM
to OWASP ZAP User Group
The first link is telling you how to change your report entry in your plan, primarily the template param. You'll note that this points to the template ID, which is by default traditional-html.

That is why the second link was provided - the second column of that table provides the IDs of all the report templates ZAP covers by default. Since you're looking for JSON, that would mean you should either use the traditional-json or traditional-json-plus. Take a look at the example reports to get a feel for what you're looking for.

Putting this all together, you should be changing your report job to something like:
  - type: report
    parameters:
      template: traditional-json
      ...


Hope this helps!
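The report job change Charles describes, carried through to the consumer side: the following is an added example (not code from this thread or from the ZAP project) that reads the file the traditional-json template writes and decides whether a CI step should fail. It assumes the report's layout of a top-level "site" list whose entries carry an "alerts" list with "riskcode" (0 informational to 3 high) and "name" fields; the embedded sample report is constructed to that shape, not real scan output, so check the field names against a report produced by your own ZAP version. The report job also accepts reportDir and reportFile parameters if you want a fixed path to hand to a script like this.

```python
"""Summarize a ZAP traditional-json report and gate a pipeline on risk level.

Added example for this thread, not ZAP project code. Assumed layout (verify
against a real report): report["site"][i]["alerts"][j] with "riskcode"/"name".

The report job that produces such a file would look like this in zap.yaml:

  - type: report
    parameters:
      template: traditional-json
      reportDir: /root/zap-out          # assumed directory, pick your own
      reportFile: zap-report.json
      displayReport: false
    risks:
      - high
      - medium
      - low
      - info
"""
import json
import sys
from collections import Counter

# riskcode values used by ZAP's traditional report formats
RISK_NAMES = {"0": "informational", "1": "low", "2": "medium", "3": "high"}
RISK_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample in the shape of a traditional-json report (not real output).
SAMPLE_REPORT = """{
  "@programName": "ZAP",
  "@version": "2.11.1",
  "@generated": "Mon, 13 Jun 2022 12:09:30",
  "site": [
    {
      "@name": "https://example.com",
      "@host": "example.com",
      "@port": "443",
      "@ssl": "true",
      "alerts": [
        {
          "pluginid": "10038",
          "name": "Content Security Policy (CSP) Header Not Set",
          "riskcode": "2",
          "confidence": "3",
          "riskdesc": "Medium (High)",
          "count": "1",
          "instances": [{"uri": "https://example.com/", "method": "GET"}]
        },
        {
          "pluginid": "10021",
          "name": "X-Content-Type-Options Header Missing",
          "riskcode": "1",
          "confidence": "2",
          "riskdesc": "Low (Medium)",
          "count": "2",
          "instances": [{"uri": "https://example.com/", "method": "GET"},
                        {"uri": "https://example.com/login", "method": "GET"}]
        }
      ]
    }
  ]
}"""


def load_report(text):
    """Parse report text; reject input that lacks the expected 'site' list."""
    report = json.loads(text)
    if not isinstance(report.get("site"), list):
        raise ValueError("not a traditional-json report: missing 'site' list")
    return report


def iter_alerts(report):
    """Yield (site name, alert dict) pairs across all scanned sites."""
    for site in report["site"]:
        for alert in site.get("alerts", []):
            yield site.get("@name", "?"), alert


def risk_name(alert):
    """Map an alert's riskcode string to a readable level, 'unknown' if absent."""
    return RISK_NAMES.get(str(alert.get("riskcode", "")), "unknown")


def summarize(report):
    """Count distinct alerts (not instances) per risk level."""
    return dict(Counter(risk_name(a) for _, a in iter_alerts(report)))


def alerts_at_or_above(report, threshold):
    """Return (site, alert name, risk) tuples for alerts at or above threshold."""
    floor = RISK_RANK[threshold]
    hits = []
    for site, alert in iter_alerts(report):
        level = risk_name(alert)
        if RISK_RANK.get(level, -1) >= floor:
            hits.append((site, alert.get("name", "?"), level))
    return hits


def should_fail(report, threshold="high"):
    """True if the build should be failed for this report at the given threshold."""
    return bool(alerts_at_or_above(report, threshold))


if __name__ == "__main__":
    # Usage: python zap_gate.py /root/zap-out/zap-report.json  (sample if omitted)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    rep = load_report(text)
    print("alerts per risk:", summarize(rep))
    for site, name, level in alerts_at_or_above(rep, "medium"):
        print(f"{level:>13}  {site}  {name}")
    sys.exit(1 if should_fail(rep, "high") else 0)
```

Counting distinct alerts rather than instances keeps the gate stable when the spider finds more pages with the same finding; change summarize to sum "count" if you want per-instance numbers.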

Rohit Kumar

Jun 14, 2022, 6:46:11 AM
to OWASP ZAP User Group
Many many thanks everyone 🙌 This worked! :)