Automation Framework

Asmir Sinanovic

Mar 19, 2025, 6:12:34 AM
to ZAP User Group
Hi,

Currently, I'm using ZAP by calling its APIs to create context, filter alerts, start scans, and generate reports - everything works just fine. I'm running it through CI/CD in Docker, and it's a fully automated process.

Now, I'm exploring the switch to the automation framework but have a question regarding the implementation. In my current setup, I run a Playwright script after the alert filters step to generate traffic, and once the Playwright part is done, I continue with ZAP APIs (to scan and generate reports). So, my question is: what is the best way to achieve the same using the automation framework? Should I use the script job (standalone) to add and run the Playwright part, or should I handle it by having multiple config files that would refer to the same session if possible (run config to create the environment and filter alerts, then run Playwright, and then run the ZAP config again referencing the same session to start scans and generate reports)? Is there any other, better approach?

Thank you in advance!

Best regards,
Asmir

James L

Mar 24, 2025, 12:26:44 PM
to ZAP User Group
Hi Asmir,

I'm not super familiar with Playwright but I do use AF so hopefully my suggestion is valid...

I would proxy Playwright through ZAP in one stage/container and start up ZAP AF in another parallel stage/container. In the ZAP stage you pull your src controlled config files (templated is best if you are dealing with a lot of apps). I use sed to substitute the template file with one built based on the params selected at run time. This way you can onboard new applications easily, but it might not be worth it for a one off.

Separating the Playwright and ZAP into separate containers also makes it easier to keep images up to date.

I hope this gives you some ideas :-)

Simon Bennetts

Mar 24, 2025, 1:22:17 PM
to ZAP User Group
I agree with James - I would keep ZAP and playwright separate.

The delay job in the AF is designed for unit test integration - it allows you to pause the ZAP AF plan until your tests have completed.

Cheers,

Simon

Asmir Sinanovic

Mar 26, 2025, 6:15:46 AM
to ZAP User Group
Hi,

That's my intention, to have two services. That is the case even today with ZAP API. However, I'm yet to find a good solution with AF, because I need to pass ZAP CA certificate to playwright. Delay job will come in handy when it comes to synchronizing parallel services (once I start zap service it should wait until traffic generation using playwright service is finalized), but I need to pass ZAP's certificate to playwright so that scripts can pick it up and set it in the browser. So far, I haven't found a solution to download certificate through AF. 

Appreciate your input! 

BR,
Asmir

James L

Mar 27, 2025, 12:33:16 PM
to ZAP User Group
You can set the ZAP root CA with the -config or -configfile arguments at CLI runtime. Then share the same cert with playwright.

Simon Bennetts

Apr 1, 2025, 9:24:16 AM
to ZAP User Group
You can export the ZAP certificate from the command line https://www.zaproxy.org/docs/desktop/addons/network/cmdline/
You will need to start ZAP with the same configuration file.
If you are recreating the ZAP env each time then you would do something like:
  • ./zap.sh -dir test -cmd -certpubdump
  • ./zap.sh -dir test -cmd -autorun myplan.yaml
Cheers,

Simon
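
Added example, not part of any post in this thread and not the ZAP project's own plan: a sketch of an Automation Framework plan that follows the order discussed above (context and alert filters first, a delay job that holds the plan while the separate Playwright service sends traffic through ZAP, then scan and report). The context name, URLs, rule id, time limit and file paths are all assumptions; the Playwright service is assumed to create the marker file on a volume shared with the ZAP container when it finishes.

```yaml
# Constructed example plan; every name, URL, path and rule id is a placeholder.
env:
  contexts:
    - name: "example-app"
      urls:
        - "https://app.example.test"
      includePaths:
        - "https://app.example.test/.*"
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  # Alert filters are set up before any traffic arrives, as in the API-based flow.
  - type: alertFilter
    alertFilters:
      - ruleId: 10020                  # placeholder rule id
        newRisk: "False Positive"
        context: "example-app"
        url: "https://app.example.test/static/.*"
        urlRegex: true

  # Holds the plan while the Playwright service proxies its tests through ZAP.
  # The job ends early when the marker file appears; otherwise it ends after
  # the time limit, so a hung test run cannot block the pipeline forever.
  - type: delay
    parameters:
      time: "00:30:00"
      fileName: "/zap/wrk/playwright.done"   # assumed shared volume path

  # Lets the passive scanner finish the proxied traffic before active scanning.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5

  - type: activeScan
    parameters:
      context: "example-app"

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-report"
```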