How to scan local applications using Docker ZAP?

[Koyo Isono]

Hi.

I tried to scan local applications which are built by docker-compose with Docker ZAP.

However, it did not work well.

There are two sites that I want to scan. 

1. http://aaa.local

2. http://bbb.local

I edited /etc/hosts file to resolve hostname on my Mac.

```

127.0.0.1  aaa.local

127.0.0.1  bbb.local`

```

I use nginx to handle access to my local applications.

`aaa.local` and `bbb.local` are on the same network called `backend`.

when I use the following command:

docker run -p 8090:8090 --add-host=aaa.local:127.0.0.1 --net=backend -t owasp/zap2docker-stable zap-baseline.py -t http://aaa.local/login

I get this error:

Automation plan failures:

Job spider failed to access URL http://aaa.local/login : Connection refused (Connection refused)

 Job spider failed to access URL http://aaa.local/ : Connection refused (Connection refused)

I think that docker zap cannot see /etc/hosts file on my Mac.

Therefore, it cannot understand what `http://aaa.local/` is.

Is there any way to scan local applications using Docker ZAP?

If I do not have enough informations to specify the cause of it, please let me know.

Thank you.

Best Regards.

Koyo

[kingthorin+owaspzap]

Are they resolvable from within the docker container? I bet they aren't ;)

https://www.zaproxy.org/docs/docker/about/

Check the headings: " Scanning an app running on the host OS" and "Scanning an app running in another Docker container"

[Koyo Isono]

Thank you for your message.

I changed docker command a little, and it works!

Seemingly, `--add-host` option is not necessary.

```

docker run -p 8090:8090 --net=backend -t owasp/zap2docker-stable zap-baseline.py -t http://aaa.local/login

```

Best Regards.

Koyo.

2022年5月2日月曜日 20:31:54 UTC+9 kingthorin+owaspzap: