ZAP (Zed Attack Proxy) is the world’s most widely used open-source web application security scanner.
With 14,700+ GitHub stars, 2,500+ forks, and over 229 contributors, ZAP has earned its reputation as the go-to free DAST solution. The project is actively maintained with version 2.17.0 released in December 2025, written primarily in Java (73% of the codebase).
Maintained by a dedicated international team of security professionals and now supported by Checkmarx, ZAP provides comprehensive DAST capabilities completely free of charge.
The tool serves both beginners learning application security and professional penetration testers conducting assessments.
What is ZAP?
ZAP functions as an intercepting proxy that sits between your browser and the target application, allowing you to inspect and modify traffic in real-time.
Beyond manual testing, ZAP includes powerful automated scanning capabilities that crawl applications and test for vulnerabilities across the OWASP Top 10 and many other security weaknesses.
The tool earned OWASP Flagship Project status, reflecting its significance and maturity within the security community.
In 2024, Checkmarx partnered with the ZAP project, employing all three project leaders while maintaining ZAP’s commitment to being free and open source under the Apache 2.0 license.
Key Features
Intercepting Proxy
ZAP’s core functionality is its man-in-the-middle proxy that intercepts all HTTP/HTTPS traffic between your browser and target applications.
This enables:
- Real-time inspection of requests and responses
- Manual modification of parameters, headers, and bodies
- Replay of requests with altered values
- Recording of authentication sequences
- SSL/TLS traffic decryption with installed CA certificate
Automated Spider and Scanner
ZAP’s automated scanning combines intelligent spidering with active vulnerability testing:
- Traditional Spider: Follows HTML links and form submissions
- AJAX Spider: Uses a headless browser to discover JavaScript-generated content
- Active Scanner: Executes attack payloads against discovered endpoints
- Passive Scanner: Analyzes proxied traffic for security issues without sending additional requests
API Scanning
ZAP provides dedicated support for API security testing:
# Import OpenAPI specification
zap-cli openapi -f openapi.yaml -t https://api.example.com
# Import GraphQL schema
zap-cli graphql -e https://api.example.com/graphql -s schema.graphql
# Import SOAP WSDL
zap-cli soap -f service.wsdl -t https://api.example.com/soap
Automation Framework
The Automation Framework provides a YAML-based approach to defining scan configurations:
env:
contexts:
- name: "Default Context"
urls:
- "https://example.com"
includePaths:
- "https://example.com/.*"
excludePaths:
- "https://example.com/logout.*"
authentication:
method: "form"
parameters:
loginUrl: "https://example.com/login"
loginRequestData: "username={%username%}&password={%password%}"
verification:
method: "response"
loggedInRegex: "Welcome.*"
users:
- name: "testuser"
credentials:
username: "[email protected]"
password: "testpass123"
jobs:
- type: spider
parameters:
context: "Default Context"
user: "testuser"
maxDuration: 5
- type: spiderAjax
parameters:
context: "Default Context"
user: "testuser"
maxDuration: 5
- type: passiveScan-wait
parameters:
maxDuration: 10
- type: activeScan
parameters:
context: "Default Context"
user: "testuser"
- type: report
parameters:
template: "traditional-html"
reportFile: "zap-report.html"
Extensive Plugin Ecosystem
ZAP’s add-on marketplace provides hundreds of extensions:
- Additional scan rules for specific technologies
- Import/export formats (HAR, OpenAPI, Postman)
- Reporting templates
- Authentication handlers
- Custom scripting capabilities
Installation
Desktop Application
Download the installer for your platform from zaproxy.org:
- Windows: MSI installer or portable ZIP
- macOS: DMG installer
- Linux: DEB, RPM, or portable TAR.GZ
Docker
# Pull the stable image
docker pull zaproxy/zap-stable
# Run ZAP in daemon mode
docker run -u zap -p 8080:8080 -p 8090:8090 \
zaproxy/zap-stable zap.sh -daemon \
-host 0.0.0.0 -port 8080 \
-config api.addrs.addr.name=.* \
-config api.addrs.addr.regex=true
# Run a baseline scan
docker run -t zaproxy/zap-stable zap-baseline.py \
-t https://example.com
Package Managers
# Homebrew (macOS)
brew install --cask zap
# Snap (Linux)
sudo snap install zaproxy --classic
# Chocolatey (Windows)
choco install zap
Command-Line Usage
ZAP provides several command-line scripts for different use cases:
Baseline Scan
Quick passive scan suitable for CI/CD pipelines:
# Basic baseline scan
zap-baseline.py -t https://example.com
# With report generation
zap-baseline.py -t https://example.com \
-r baseline-report.html \
-J baseline-report.json
# With authentication
zap-baseline.py -t https://example.com \
-c baseline-config.prop
Full Scan
Comprehensive active scanning:
# Full scan with spider and active scanner
zap-full-scan.py -t https://example.com
# With AJAX spider
zap-full-scan.py -t https://example.com -j
# With custom configuration
zap-full-scan.py -t https://example.com \
-c fullscan-config.prop \
-r full-report.html
API Scan
Dedicated API security testing:
# OpenAPI scan
zap-api-scan.py -t https://example.com/openapi.json -f openapi
# GraphQL scan
zap-api-scan.py -t https://example.com/graphql -f graphql
# SOAP scan
zap-api-scan.py -t https://example.com/service.wsdl -f soap
CI/CD Integration
GitHub Actions
name: ZAP Security Scan
on:
push:
branches: [main]
pull_request:
branches: [main]
jobs:
zap-baseline:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Start application
run: |
docker-compose up -d
sleep 30 # Wait for app to start
- name: ZAP Baseline Scan
uses: zaproxy/[email protected]
with:
target: 'http://localhost:8080'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
- name: Upload HTML Report
uses: actions/upload-artifact@v4
if: always()
with:
name: zap-baseline-report
path: report_html.html
zap-full:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- name: Deploy to staging
run: echo "Deploying to staging..."
- name: ZAP Full Scan
uses: zaproxy/[email protected]
with:
target: '${{ vars.STAGING_URL }}'
rules_file_name: '.zap/rules.tsv'
- name: Upload Report
uses: actions/upload-artifact@v4
if: always()
with:
name: zap-full-report
path: report_html.html
GitLab CI
zap-baseline:
stage: security
image: zaproxy/zap-stable
script:
- mkdir -p /zap/wrk
- zap-baseline.py
-t $CI_ENVIRONMENT_URL
-g gen.conf
-r zap-baseline-report.html
-J zap-baseline-report.json
|| true
artifacts:
paths:
- zap-baseline-report.html
- zap-baseline-report.json
reports:
dast: zap-baseline-report.json
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
zap-full-scan:
stage: security
image: zaproxy/zap-stable
script:
- mkdir -p /zap/wrk
- zap-full-scan.py
-t $STAGING_URL
-r zap-full-report.html
-J zap-full-report.json
-j
|| true
artifacts:
paths:
- zap-full-report.html
reports:
dast: zap-full-report.json
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
Jenkins Pipeline
pipeline {
agent any
stages {
stage('Deploy') {
steps {
sh 'docker-compose up -d'
sh 'sleep 30'
}
}
stage('ZAP Baseline Scan') {
steps {
sh '''
docker run --rm \
--network host \
-v $(pwd):/zap/wrk:rw \
zaproxy/zap-stable \
zap-baseline.py \
-t http://localhost:8080 \
-r zap-baseline-report.html \
-J zap-baseline-report.json \
|| true
'''
}
}
stage('ZAP Full Scan') {
when {
branch 'main'
}
steps {
sh '''
docker run --rm \
--network host \
-v $(pwd):/zap/wrk:rw \
zaproxy/zap-stable \
zap-full-scan.py \
-t http://localhost:8080 \
-r zap-full-report.html \
-j \
|| true
'''
}
}
}
post {
always {
archiveArtifacts artifacts: 'zap-*.html, zap-*.json'
publishHTML([
allowMissing: true,
reportDir: '.',
reportFiles: 'zap-baseline-report.html',
reportName: 'ZAP Baseline Report'
])
}
}
}
When to Use ZAP
ZAP is an excellent choice for:
- Budget-conscious teams: Organizations that need DAST without licensing costs
- Learning and training: Security professionals learning penetration testing techniques
- CI/CD integration: Teams wanting automated security scanning in pipelines
- Manual penetration testing: Security consultants conducting application assessments
- Open-source projects: Projects that prefer using OSS tooling
Consider commercial alternatives if you need:
- Enterprise support SLAs: Guaranteed response times for critical issues
- Managed scanning: Fully managed DAST services
- Advanced reporting: Executive dashboards and compliance-specific reports
- Proof-based verification: Some commercial tools provide automated proof of exploitability
Comparison with Commercial DAST
| Aspect | ZAP | Commercial DAST |
|---|---|---|
| Cost | Free | Paid |
| Support | Community | Vendor SLA |
| Updates | Community-driven | Vendor-managed |
| Documentation | Extensive wiki | Professional docs |
| Accuracy | Good | Varies by vendor |
| Ease of use | Learning curve | Often polished UI |
| Customization | Highly extensible | Vendor-dependent |
| CI/CD Integration | Excellent | Usually good |
History
ZAP originated as a fork of Paros Proxy in 2010.
Simon Bennetts, the project lead, noted that by 2014 only about 20% of ZAP’s codebase remained from Paros, demonstrating the extensive independent development.
The project achieved OWASP Flagship status and became the most downloaded security tool on GitHub.
In September 2024, Checkmarx partnered with ZAP, employing all three project leaders (Simon Bennetts, Rick Mitchell, and Yiannis Pavlosoglou).
Checkmarx committed to keeping ZAP free and open source while providing resources for continued development and maintenance.
Note: Now branded as ZAP by Checkmarx. In September 2024, Checkmarx joined forces with ZAP and employs all three project leaders. Still free, still open source under Apache v2 license.