Running zap scanner from local docker on Windows

Stan Smith

Jun 9, 2022, 2:44:04 PM
to OWASP ZAP User Group
Hello, I am trying to run zap locally by doing the following:
  1. docker pull owasp/zap2docker-stable:latest
  2. docker run -v C:\Users\ssmith4\git\zap\ -t owasp/zap2docker-stable bash -c "zap.sh -cmd -addonupdate; zap.sh -cmd -autorun /zap/zap.yaml"
I get this error:
Cannot access file: /zap/zap.yaml

Not sure what I'm doing wrong. Any ideas?

My zap.yaml from C:\Users\ssmith4\git\zap\ path has the following:
---
env:
  contexts:
  - name: "Jigsaw Basic"
    urls:
    includePaths:
    excludePaths: []
    sessionManagement:
      method: "http"
      parameters: {}
  parameters:
    failOnError: false
    failOnWarning: true
    progressToStdout: true
  vars: {}
jobs:
- parameters:
    user: "guest"
  requests:
  - name: ""
    method: ""
    data: ""
    responseCode: 200
  - name: ""
    method: ""
    data: ""
    responseCode: 200
  name: "requestor"
  type: "requestor"
- parameters:
    maxDuration: 0
  name: "passiveScan-wait1"
  type: "passiveScan-wait"

Charles Williams

Jun 9, 2022, 3:26:33 PM
to OWASP ZAP User Group
Might be that you need to mount to /zap/wrk since you're using the packaged scan. It is looking for your YAML file in the Docker image instance as it runs, and since it isn't mounted it can't find it.

Try something like this (might need to mess with backslashes and stuff like that). It mounts your working dir to /zap/wrk and (should!) allow your instance to access your zap.yaml: 
docker run -v C:\Users\ssmith4\git\zap\:\zap\wrk\:rw -t owasp/zap2docker-stable bash -c "zap.sh -cmd -addonupdate; zap.sh -cmd -autorun \zap\wrk\zap.yaml"


Hope this helps!

Stan Smith

Jun 10, 2022, 7:29:36 AM
to OWASP ZAP User Group
That command was pretty close! As you said, messing with backslashes ended up getting to the correct command:

docker run -v C:\Users\ssmith4\git\zap\:/zap/wrk/:rw -t owasp/zap2docker-stable bash -c "zap.sh -cmd -addonupdate; zap.sh -cmd -autorun /zap/wrk/zap.yaml"

Thanks!
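
A preflight check for the three attempts in this thread, added here as an example and not posted by anyone in it: it splits the `-v` value the way a Windows drive-letter path requires, then reports whether the `-autorun` path falls under the mount point. The function names `parse_bind` and `check_plan_mount` are made up for this example, and it assumes a Windows host path and a Linux container.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

def parse_bind(spec):
    """Split a `docker run -v` value into (host, container, mode)."""
    # A Windows host path starts with a drive letter, whose colon is not a separator.
    m = re.match(r"^([A-Za-z]:[\\/][^:]*)(?::(.*))?$", spec)
    if m:
        host, rest = m.group(1), m.group(2)
    else:
        host, _, rest = spec.partition(":")
    if not rest:
        return host, None, None          # only one field: no container target
    container, _, mode = rest.partition(":")
    return host, container, mode or None

def check_plan_mount(spec, autorun):
    """Return (ok, detail): does the -autorun path map to a host file via this mount?"""
    host, container, _mode = parse_bind(spec)
    if container is None:
        return False, "no container path in the -v value"
    if "\\" in container or "\\" in autorun:
        return False, "backslash in a container-side path; use / inside the container"
    if not container.startswith("/"):
        return False, "container path must be absolute"
    try:
        rel = PurePosixPath(autorun).relative_to(PurePosixPath(container))
    except ValueError:
        return False, f"{autorun} is not under the mount point {container}"
    # Assumption: the host side is a Windows path, as in this thread.
    return True, str(PureWindowsPath(host).joinpath(*rel.parts))

# The three -v / -autorun pairs from the thread, in the order they were posted.
HOST = "C:\\Users\\ssmith4\\git\\zap\\"
ATTEMPTS = [
    (HOST, "/zap/zap.yaml"),
    (HOST + ":\\zap\\wrk\\:rw", "\\zap\\wrk\\zap.yaml"),
    (HOST + ":/zap/wrk/:rw", "/zap/wrk/zap.yaml"),
]

if __name__ == "__main__":
    for spec, plan in ATTEMPTS:
        print(check_plan_mount(spec, plan))
```

Only the last pair passes, and the detail string is then the host file that ZAP will read as its plan.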
