AccessDeniedException /zap/wrk/report.html


Rajat Rokhade

4:07 AM (12 hours ago)
to ZAP User Group
Hello ZapTeam,

While running the zap, I encountered an error. Please help to resolve this issue. The zap is assigning the current user id 1001:1001 on the machine to the /zap/wrk folder, so I am unable to get the report from the docker scan.

docker run -u 1000:1000 -w /zap -v $(pwd):/zap/wrk --rm zaproxy/zap-stable:latest zap-baseline.py -t "https://example.com" -a -j -r report.html

2025-12-18 08:50:20,768 Unable to copy yaml file to /zap/wrk/zap.yaml [Errno 13] Permission denied: '/zap/wrk/zap.yaml'
Using the Automation Framework
Total of 5 URLs
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: In Page Banner Information Leak [10009]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Off-site Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: HTTP Server Response Header [10036]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie without SameSite Attribute [10054]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Base64 Disclosure [10094]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Source Code Disclosure [10099]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Dangerous JS Functions [10110]
PASS: Authentication Request Identified [10111]
PASS: Session Management Response Identified [10112]
PASS: Verification Request Identified [10113]
PASS: Script Served From Malicious Domain (polyfill) [10115]
PASS: ZAP is Out of Date [10116]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Full Path Disclosure [110009]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Stats Passive Scan Rule [50003]
PASS: Insecure JSF ViewState [90001]
PASS: Java Serialization Object [90002]
PASS: Sub Resource Integrity Attribute Missing [90003]
PASS: Charset Mismatch [90011]
PASS: Application Error Disclosure [90022]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Re-examine Cache-control Directives [10015] x 2
https://example.com (200 OK)
https://example.com/ (200 OK)
WARN-NEW: Missing Anti-clickjacking Header [10020] x 2
https://example.com (200 OK)
https://example.com/ (200 OK)
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 2
https://example.com (200 OK)
https://example.com/ (200 OK)
WARN-NEW: Strict-Transport-Security Header Not Set [10035] x 5
https://example.com (200 OK)
https://example.com/ (200 OK)
https://example.com/favicon.ico (404 Not Found)
https://example.com/robots.txt (404 Not Found)
https://example.com/sitemap.xml (404 Not Found)
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 4
https://example.com (200 OK)
https://example.com/ (200 OK)
https://example.com/favicon.ico (404 Not Found)
https://example.com/sitemap.xml (404 Not Found)
WARN-NEW: Storable and Cacheable Content [10049] x 5
https://example.com (200 OK)
https://example.com/ (200 OK)
https://example.com/favicon.ico (404 Not Found)
https://example.com/robots.txt (404 Not Found)
https://example.com/sitemap.xml (404 Not Found)
WARN-NEW: Retrieved from Cache [10050] x 5
https://example.com (200 OK)
https://example.com/ (200 OK)
https://example.com/favicon.ico (404 Not Found)
https://example.com/robots.txt (404 Not Found)
https://example.com/sitemap.xml (404 Not Found)
WARN-NEW: Permissions Policy Header Not Set [10063] x 5
https://example.com (200 OK)
https://example.com/ (200 OK)
https://example.com/favicon.ico (404 Not Found)
https://example.com/robots.txt (404 Not Found)
https://example.com/sitemap.xml (404 Not Found)
WARN-NEW: Insufficient Site Isolation Against Spectre Vulnerability [90004] x 6
https://example.com (200 OK)
https://example.com/ (200 OK)
https://example.com (200 OK)
https://example.com/ (200 OK)
https://example.com (200 OK)
WARN-NEW: Sec-Fetch-Dest Header is Missing [90005] x 12
https://example.com (200 OK)
https://example.com/robots.txt (404 Not Found)
https://example.com/sitemap.xml (404 Not Found)
https://example.com (200 OK)
https://example.com/robots.txt (404 Not Found)
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 10 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 60
Automation plan failures:
Job report failed to generate report: AccessDeniedException /zap/wrk/report.html

thc202

4:10 AM (11 hours ago)
to zaprox...@googlegroups.com
Hi,

Remove the -w argument (also the -u might be redundant now too, it
should be zap if you want to provide it).

Best regards.

On 18/12/2025 08:57, Rajat Rokhade wrote:
> Hello ZapTeam,
>
>
> While running the zap, I encountered an error. Please help to resolve this
> issue. The zap is assigning the current user id 1001:1001 on the machine to
> the /zap/wrk folder so I am unable to get the report from the docker scan.
>
> docker run -u 1000:1000 -w /zap -v $(pwd):/zap/wrk --rm
> zaproxy/zap-stable:latest zap-baseline.py -t "https://example.com" -a -j -r
> report.html
>
>
> *2025-12-18 08:50:20,768 Unable to copy yaml file to /zap/wrk/zap.yaml
> [Errno 13] Permission denied: '/zap/wrk/zap.yaml'*Using the Automation
> * Job report failed to generate report: AccessDeniedException
> /zap/wrk/report.html*
>

Rajat Rokhade

4:34 AM (11 hours ago)
to ZAP User Group
Hi,
It is not about the -w option or the -u option. The issue is that the /zap/wrk folder is getting the id of the local machine user.

Rajat Rokhade

4:46 AM (11 hours ago)
to ZAP User Group
Here is a screenshot for reference; because of this I think I am getting the AccessDeniedException.
Screenshot From 2025-12-18 15-06-33.png

TuanTu Nguyen

5:04 AM (11 hours ago)
to ZAP User Group
Hi,

Your logs show Permission denied -> the account you run in docker does not have permission -> try again with the root account, like below:
docker run -it --user root -w /zap -v $(pwd):/zap/wrk --rm zaproxy/zap-stable:latest zap-baseline.py -t "https://example.com" -a -j -r report.html

On Thursday, 18 December 2025 at 16:46:02 UTC+7, rrokh...@gmail.com wrote:

thc202

5:21 AM (10 hours ago)
to zaprox...@googlegroups.com
Do you know what -w does? That's why it's getting the ID of the local
machine user.

Rajat Rokhade

7:37 AM (8 hours ago)
to zaprox...@googlegroups.com
In the screenshot provided above I have not used the -w option. Please review the screenshot carefully.


Simon Bennetts

12:20 PM (3 hours ago)
to ZAP User Group
Docker can be weird with file permissions.
I've hit this problem before and the easiest solution I've found is to either give full write access to everyone to the directory you're mounting, or to "touch" the report file and give full access to that.
It's not a problem with ZAP, we cannot override filesystem perms in our code :)

Cheers,

Simon
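
The uid mismatch discussed in this thread, as an added example that is not part of any post and is not ZAP project code: a shell helper that reads the owner and mode of the directory to be mounted at /zap/wrk and predicts whether a given container uid:gid could create the report there. The function names and the constructed scratch directory are assumptions; supplementary groups, ACLs and user-namespace remapping are ignored.

```shell
#!/bin/sh
# Added example (not ZAP project code): predict whether a container user
# can create files in a host directory bind-mounted at /zap/wrk.
# Needs GNU stat. All function names here are hypothetical.

# perm_class DIR UID GID -> prints which mode-bit class applies to UID:GID
perm_class() {
    owner=$(stat -c %u "$1"); group=$(stat -c %g "$1")
    if [ "$2" -eq "$owner" ]; then echo owner
    elif [ "$3" -eq "$group" ]; then echo group
    else echo other; fi
}

# can_write DIR UID GID -> exit status 0 if UID:GID may create files in DIR
can_write() {
    [ -d "$1" ] || return 2
    if [ "$2" -eq 0 ]; then return 0; fi       # root bypasses mode bits
    m=$(stat -c %a "$1"); mode=$((0$m))        # octal string -> integer
    case $(perm_class "$1" "$2" "$3") in
        owner) bits=$(( (mode >> 6) & 7 )) ;;
        group) bits=$(( (mode >> 3) & 7 )) ;;
        *)     bits=$(( mode & 7 )) ;;
    esac
    [ $(( bits & 3 )) -eq 3 ]                  # creating a file needs write (2) + search (1)
}

demo() {
    out=$(mktemp -d)                           # constructed stand-in for the mounted directory
    chmod 755 "$out"
    host_uid=$(stat -c %u "$out"); host_gid=$(stat -c %g "$out")
    ctr_uid=$((host_uid + 1)); ctr_gid=$((host_gid + 1))   # ids that differ, as in the thread
    for step in before after; do
        if can_write "$out" "$ctr_uid" "$ctr_gid"; then r=writable; else r="permission denied"; fi
        echo "$step: uid $ctr_uid is '$(perm_class "$out" "$ctr_uid" "$ctr_gid")' on mode $(stat -c %a "$out") -> $r"
        chmod 777 "$out"                       # the 'full write access to everyone' fix from the thread
    done
    rm -rf "$out"
}
demo
```

The demo applies the world-writable mode to a dedicated scratch directory rather than a source tree, which limits what that permission exposes on the host.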