OWASP (Open Web Application Security Project) is a non‑profit that publishes free security tools.
ZAP (Zed Attack Proxy) is its flagship open‑source web application and API scanner.
Why ZAP is valuable
| Feature | What it does | Why it matters |
|---|---|---|
| Web + API scanning | Scans both browser‑based sites and REST/GraphQL APIs | Covers the two most common attack surfaces |
| Automated and interactive | Performs spidering, passive, and active scans | Detects a wide range of bugs quickly |
| Open source & actively maintained | Freely available, community‑supported | No licensing costs; community‑driven updates |
| Enterprise‑ready | Generates detailed reports, integrates with CI | Fits into professional DevSecOps pipelines |
Goal: run a Dynamic Application Security Testing (DAST) scan against a web application on every CI run and publish the report as a job artifact.
In .gitlab-ci.yml add a stage named run_zap and a job that uses it:
```yaml
stages:
  - run_zap

run_zap:
  stage: run_zap
  image: maven:3.8.5-openjdk-11-slim
  script: |
    # Update apt, install curl and wget
    apt-get update -y && apt-get install -y curl wget
    # Download ZAP for Linux (pin the release you validated; update it deliberately)
    wget https://github.com/zaproxy/zaproxy/releases/download/v2.11.1/ZAP_2.11.1_Linux.tar.gz
    mkdir zap
    tar -xzf ZAP_2.11.1_Linux.tar.gz -C zap
    cd zap/ZAP_2.11.1
    # Run ZAP in CLI mode against the test site. The report path is made absolute:
    # a relative -quickout would land in zap/ZAP_2.11.1/ and the artifacts path below
    # (resolved from the project root) would not find it.
    ./zap.sh -cmd -quickurl http://demo.example.com \
      -quickprogress -quickout "$CI_PROJECT_DIR/zap_report.html"
  artifacts:
    paths:
      - zap_report.html
    name: zap_report.html
```
The Maven image is used only because it already ships a Java runtime, which ZAP needs; Maven itself is never invoked. The remaining steps download and unpack ZAP, run it headless in command-line (-cmd) mode, quick-scan http://demo.example.com (replace this with the application you are checking), and write zap_report.html, which the artifacts block uploads. Three things to keep in mind: the quick scan spiders the target and then runs an active scan, which sends attack payloads, so point it only at a test instance you own or are authorised to attack; artifacts are kept only on success by default, so add `when: always` under artifacts if you want the report even when the job fails; and the -cmd quick scan succeeds as long as ZAP ran to completion, so the job will not fail the pipeline on findings unless you inspect the report yourself.
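As an added example, not code from this page or from the ZAP project: a small gate script that reads a ZAP JSON report and fails the job when alerts at or above a chosen risk level are present. It assumes the job ran ZAP with `-quickout "$CI_PROJECT_DIR/zap_report.json"` (ZAP chooses the report format from the file extension) and that the JSON follows ZAP's site[].alerts[] layout with pluginid, alert, riskcode (0 informational to 3 high) and instances[].uri. The embedded report is a constructed sample in that shape; its plugin IDs and findings are illustrative, not real scan output. The file name zap_gate.py and the --fail-on / --ignore options are this example's own choices.

```python
#!/usr/bin/env python3
"""Fail a CI job when a ZAP quick-scan JSON report has alerts at or above a risk level.

Added example for this page; not part of ZAP or the page's pipeline. Assumes the
report was written with `-quickout .../zap_report.json` and follows ZAP's JSON
layout: site[].alerts[] entries with pluginid, alert, riskcode (0-3), instances[].uri.
"""
import argparse
import json
import sys
from collections import Counter

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_BY_NAME = {name.lower(): code for code, name in RISK_NAMES.items()}

# Constructed sample (not real scan output) in the shape of a ZAP JSON report.
SAMPLE_REPORT = {
    "@version": "2.11.1",
    "site": [{
        "@name": "http://demo.example.com",
        "alerts": [
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "http://demo.example.com/", "method": "GET"}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "http://demo.example.com/search?q=1", "method": "GET",
                            "param": "q"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "http://demo.example.com/", "method": "GET"}]},
        ],
    }],
}


def iter_alerts(report):
    """Yield one flat dict per alert across every site in the report."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            try:
                risk = int(alert.get("riskcode", 0))
            except (TypeError, ValueError):
                risk = 0  # unparseable risk code: keep the alert, rate it informational
            yield {
                "site": site.get("@name", ""),
                "pluginid": str(alert.get("pluginid", "")),
                "name": alert.get("alert") or alert.get("name", ""),
                "risk": min(max(risk, 0), 3),
                "uris": [inst.get("uri", "") for inst in alert.get("instances", [])],
            }


def evaluate(report, fail_on="medium", ignore_plugins=()):
    """Return (counts by risk name, alerts that should fail the build).

    fail_on is the lowest risk name that fails the build. ignore_plugins lists
    plugin IDs accepted as known false positives: still counted, never failing.
    """
    level = fail_on.lower()
    if level not in RISK_BY_NAME:
        raise ValueError(f"unknown risk level {fail_on!r}; expected one of {sorted(RISK_BY_NAME)}")
    threshold = RISK_BY_NAME[level]
    ignored = {str(p) for p in ignore_plugins}
    counts, failing = Counter(), []
    for alert in iter_alerts(report):
        counts[RISK_NAMES[alert["risk"]]] += 1
        if alert["risk"] >= threshold and alert["pluginid"] not in ignored:
            failing.append(alert)
    return dict(counts), failing


def main(argv=None):
    parser = argparse.ArgumentParser(description="Gate a CI job on a ZAP JSON report.")
    parser.add_argument("report", nargs="?",
                        help="path to the ZAP JSON report (default: embedded sample)")
    parser.add_argument("--fail-on", default="medium", choices=sorted(RISK_BY_NAME),
                        help="lowest risk level that fails the job")
    parser.add_argument("--ignore", action="append", default=[], metavar="PLUGINID",
                        help="plugin ID to treat as an accepted false positive (repeatable)")
    args = parser.parse_args(argv)
    if args.report:
        with open(args.report, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    counts, failing = evaluate(report, args.fail_on, args.ignore)
    print("Alerts by risk:", ", ".join(f"{name}={counts.get(name, 0)}"
                                       for name in ("High", "Medium", "Low", "Informational")))
    for alert in failing:
        first = alert["uris"][0] if alert["uris"] else "-"
        print(f"FAIL {RISK_NAMES[alert['risk']]:<6} plugin {alert['pluginid']} "
              f"{alert['name']} ({len(alert['uris'])} instance(s), e.g. {first})")
    return 1 if failing else 0  # non-zero exit makes the GitLab job fail


if __name__ == "__main__":
    sys.exit(main())
```

To wire it into the job above, write a second report with `-quickout "$CI_PROJECT_DIR/zap_report.json"` and append `python3 zap_gate.py zap_report.json --fail-on high` to the script (the Maven image has no Python, so either `apt-get install -y python3` first or run the gate in a separate job that consumes the artifact). Accepted false positives are passed as `--ignore <pluginid>` so they stay visible in the counts without blocking the pipeline.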