baseline scan with automation framework


Thomas Reinecke

Jul 12, 2023, 4:49:52 AM
to OWASP ZAP User Group
Hi, I know that I can use the baseline scan with the docker option but I was wondering if it is also possible to run a baseline scan with the automation framework? So something like: zap.sh -cmd -autorun ...?

Best,
Thomas

psiinon

Jul 12, 2023, 5:43:46 AM
to zaprox...@googlegroups.com
Hi Thomas,

Depending on what command line options you are using you may already be using the AF :)
Many more options are supported since that blog post.
If you can let us know which options you are using we can let you know if they are supported, and if not what you can still do.

Cheers,

Simon

--
OWASP ZAP Project leader

Thomas Reinecke

Jul 12, 2023, 7:26:31 AM
to OWASP ZAP User Group
Hi,

thanks for the quick response.

Basically I have a script someone else wrote. That script uses: zap.sh -cmd -autorun /zap/wrk/file. I tried to read in the docs but couldn't find anything about how to execute a baseline scan that way. Previously I always used a docker run as in: docker run -t owasp/zap2docker-stable zap-baseline.py -t https://www.example.com to execute a baseline scan. So I am wondering if I can adjust:  zap.sh -cmd -autorun /zap/wrk/file to execute the baseline scan. Otherwise I would need to re-write a lot of that script.

psiinon

Jul 12, 2023, 8:16:51 AM
to zaprox...@googlegroups.com
The AF doesn't have the concept of a baseline scan, it runs the plan you specify.

The blog explains that if you run the baseline with a mapped drive then it will output a plan for you - this is the plan it uses.

So
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-baseline.py -t https://www.example.com
will result in a "zap.yaml" file being created in your cwd.

You can run the plan again using:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap.sh -cmd -autorun /zap/wrk/zap.yaml
If you use the stable release then you will also need to install the passive scan beta rules:
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap.sh -cmd -addoninstall pscanrulesBeta -autorun /zap/wrk/zap.yaml
That make sense?

Cheers,

Simon
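The two-step workflow Simon describes, wrapped in a shell script as an added example (not code from the thread or from the ZAP project): step one runs zap-baseline.py with the working directory mounted so that zap.yaml lands in it, step two replays that plan with zap.sh -cmd -autorun, and the -addoninstall pscanrulesBeta argument is inserted only for the stable image. The function names, the ZAP_TARGET/ZAP_IMAGE environment variables and the check that zap.yaml was actually written are assumptions of this example.

```shell
#!/bin/sh
# Baseline scan -> generated plan -> AF replay, as described in the thread.
set -eu

# Extra arguments that must precede -autorun for a given image tag.
# Assumption (from the thread): only the stable image lacks pscanrulesBeta.
addon_args_for_image() {
    case "$1" in
        *zap2docker-stable*) printf '%s' '-addoninstall pscanrulesBeta' ;;
        *) printf '' ;;
    esac
}

# Step 1: the baseline run that writes zap.yaml into the mounted workdir.
baseline_cmd() {
    image="$1"; target="$2"; workdir="$3"
    printf 'docker run -v %s:/zap/wrk/:rw -t %s zap-baseline.py -t %s' \
        "$workdir" "$image" "$target"
}

# Step 2: replay the generated plan with the automation framework.
autorun_cmd() {
    image="$1"; workdir="$2"
    extra="$(addon_args_for_image "$image")"
    printf 'docker run -v %s:/zap/wrk/:rw -t %s zap.sh -cmd %s-autorun /zap/wrk/zap.yaml' \
        "$workdir" "$image" "${extra:+$extra }"
}

# Runs both steps and refuses to replay a plan the baseline did not produce.
run_baseline_then_plan() {
    image="$1"; target="$2"; workdir="${3:-$(pwd)}"
    status=0
    # Assumption: zap-baseline.py may exit non-zero when it reports alerts,
    # so the presence of zap.yaml, not the exit code, decides whether to go on.
    sh -c "$(baseline_cmd "$image" "$target" "$workdir")" || status=$?
    if [ ! -f "$workdir/zap.yaml" ]; then
        echo "baseline (exit $status) did not write $workdir/zap.yaml" >&2
        return 1
    fi
    sh -c "$(autorun_cmd "$image" "$workdir")"
}

# Only run the scans when a target is given, e.g.
#   ZAP_TARGET=https://www.example.com ZAP_IMAGE=owasp/zap2docker-stable sh zap-plan.sh
if [ -n "${ZAP_TARGET:-}" ]; then
    run_baseline_then_plan "${ZAP_IMAGE:-owasp/zap2docker-weekly}" "$ZAP_TARGET"
fi
```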
