loading
loading
Scanners
Run a full scan against an API defined by OpenAPI/Swagger, SOAP, or GraphQL using ZAP.
overview
zap-api-scan points OWASP ZAP at an API definition instead of a browsable site. Feed it an OpenAPI or Swagger spec, a SOAP description, or a GraphQL schema, and it imports every operation, then exercises each one with ZAP's active and passive rules. That coverage matters for APIs, where there is no HTML to crawl and endpoints exist only in the contract.
The -f flag tells ZAP which kind of definition it is reading, and -t takes either a local file or a remote URL such as an openapi.json or a /graphql endpoint. Safe mode (-S) skips the active attack and runs a baseline pass instead, -l and -s control how much of the report you see, and a -c config file marks specific warnings as INFO, IGNORE, or FAIL so a scan can pass or break a build on your terms.
On Trickest, zap-api-scan is a Scanners node that reads an API definition and writes a report file and a folder of results. Run it as dynamic application security testing in a CI-style workflow against a freshly deployed API, or schedule it so every spec change is retested and findings land where the rest of your security results are triaged.
source github.com/zaproxy/zaproxy
use cases
Import a Swagger or OpenAPI definition and let ZAP exercise every operation, surfacing injection, misconfiguration, and exposure issues across the whole contract.
Point the scan at a GraphQL schema URL with the graphql format so ZAP enumerates queries and mutations instead of guessing at routes.
Use safe mode to skip the active attack and run a passive baseline, useful against production APIs where you cannot send live attack traffic.
Wire the scan into a workflow with a config file that fails on chosen rules, so a risky API change blocks the pipeline instead of shipping.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| target-definition | FILE | -t | Target API definition file, OpenAPI or SOAP. |
| target-endpoint-url | STRING | -t | Target API definition URL (e.g. an openapi.json or /graphql endpoint). |
| format | STRING | -f | API format: openapi, soap, or graphql. |
| schema | STRING | --schema | GraphQL schema URL for GraphQL targets. |
| safe-mode | BOOLEAN | -S | Skip the active scan and run a baseline pass instead. |
| level | STRING | -l | Minimum level to show: PASS, IGNORE, INFO, WARN, or FAIL. |
| config_file | FILE | -c | Config file to mark warnings as INFO, IGNORE, or FAIL. |
| context-file | FILE | -n | Context file loaded before scanning, for authenticated runs. |
Showing key inputs. zap-api-scan exposes 17 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| target-endpoint-url | STRING | -t | Target API definition URL, e.g. https://example.com/openapi.json or https://example.com/graphql. |
| target-definition | FILE | -t | Target API definition file, OpenAPI or SOAP. |
| format | STRING | -f | API format: openapi, soap, or graphql. |
| schema | STRING | --schema | GraphQL schema URL, e.g. https://example.com/schema.graphqls. |
| safe-mode | BOOLEAN | -S | Safe mode: skip the active scan and perform a baseline scan instead. |
| level | STRING | -l | Minimum level to show: PASS, IGNORE, INFO, WARN, or FAIL; use with -s to hide example URLs. |
| short-output | BOOLEAN | -s | Short output format: do not show PASSes or example URLs. |
| config_file | FILE | -c | Config file used to mark warnings as INFO, IGNORE, or FAIL. |
| context-file | FILE | -n | Context file loaded before scanning the target, for authenticated runs. |
| user | STRING | -U | Username to use for authenticated scans; must be defined in the given context file. |
| ajax | BOOLEAN | -j | Use the Ajax spider in addition to the traditional one. |
| alpha | BOOLEAN | -a | Include the alpha active and passive scan rules as well. |
| debug | BOOLEAN | -d | Show debug messages in stdout. |
| delay | STRING | -D | Delay in seconds to wait for passive scanning. |
| max-time | STRING | -T | Max time in minutes to wait for ZAP to start and the passive scan to run. |
| override | STRING | -O | Hostname to override in the (remote) OpenAPI spec. |
| zap-options | STRING | -z | Raw ZAP command line options passed through to the scanner. |
example
# scan a remote OpenAPI definition and gate on chosen ruleszap-api-scan.py -t https://example.com/openapi.json -f openapi -c api-rules.conf -l WARNTotal of 47 URLsPASS: Cookie No HttpOnly Flag [10010]PASS: Re-examine Cache-control Directives [10015]WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 12WARN-NEW: Server Leaks Version Information via "Server" HTTP Response Header Field [10036] x 8FAIL-NEW: SQL Injection [40018] x 1 http://example.com/api/v3/products?id=1FAIL-NEW: Cross Site Scripting (Reflected) [40012] x 2 http://example.com/api/v3/search?q=testFAIL-NEW: 2 WARN-NEW: 2 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 61guidance
Use zap-api-scan when you have an API contract (OpenAPI, SOAP, or GraphQL) and want ZAP to test every operation it defines. For a browser-facing web app with pages to crawl, use zap-full-scan instead. For a quick template-based check, reach for nuclei.
ZAP against a crawlable web app rather than an API contract. Use it for sites, not specs.
Drives ZAP from one YAML plan, including API imports. More flexible, more setup.
Black-box web and API scanner. A lighter alternative when you do not need ZAP's rule depth.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
An API spec feeds zap-api-scan, which imports every operation, tests it with ZAP, and writes the findings as a queryable output.
Facts on this page come from the live Trickest tool library.