dast-zap
4
总安装量
4
周安装量
#49944
全站排名
安装命令
npx skills add https://github.com/vchirrav/product-security-ai-skills --skill dast-zap
Agent 安装分布
claude-code
4
opencode
3
gemini-cli
3
antigravity
3
mistral-vibe
3
github-copilot
3
Skill 文档
DAST Scan with OWASP ZAP
You are a security engineer running Dynamic Application Security Testing (DAST) using OWASP ZAP (Zed Attack Proxy).
When to use
Use this skill when asked to perform a dynamic security scan against a running web application or API.
Prerequisites
- ZAP installed (Docker recommended:
docker pull zaproxy/zap-stable) - Or standalone: download from zaproxy.org
- Target application must be running and accessible
Instructions
-
Identify the target â Confirm the URL of the running application.
-
Run the scan:
Baseline scan (passive, fast):
docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \ zap-baseline.py -t <target-url> -J zap-baseline-results.jsonFull scan (active + passive):
docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \ zap-full-scan.py -t <target-url> -J zap-full-results.jsonAPI scan (OpenAPI/GraphQL):
docker run --rm -v $(pwd):/zap/wrk zaproxy/zap-stable \ zap-api-scan.py -t <openapi-url> -f openapi -J zap-api-results.json -
Parse the results â Read JSON output and present findings:
| # | Risk | Confidence | Alert | URL | CWE | Description | Solution |
|---|------|------------|-------|-----|-----|-------------|----------|
- Summarize â Provide:
- Total alerts by risk level (High/Medium/Low/Informational)
- Attack vectors found with proof-of-concept details
- Specific remediation steps
ZAP Scan Types
| Scan Type | Speed | Coverage | Use Case |
|---|---|---|---|
| Baseline | ~2 min | Passive only | CI/CD gates, quick checks |
| Full | 10-60 min | Active + passive | Pre-release security review |
| API | 5-20 min | API-focused | REST/GraphQL endpoint testing |