loading
loading
Scanners
Run ZAP via a single YAML file.
overview
The ZAP Automation Framework drives OWASP ZAP from one declarative YAML plan instead of a fixed scan script. A plan lists jobs in order: import an OpenAPI or GraphQL definition, spider the site, run passive and active scan rules, then write a report. Because the plan is a file, the same scan reproduces exactly and lives in version control next to the code it tests.
The node inputs supply that plan and shape how it runs. The autorun file holds the jobs, openapifile and openapiurl import an API definition, graphqlfile and graphqlurl bring in a GraphQL schema, and config patches a single key=value setting without touching the plan. Silent mode stops unsolicited requests, lowmem backs the scan with a database instead of RAM, and certload adds a Root CA so ZAP can proxy TLS traffic.
On Trickest, zap-automation-framework is a Scanners node that reads a plan plus optional input files and writes a file and a folder of results. Reach for it when one baseline or full scan is too blunt and you need an ordered, repeatable ZAP run wired into a workflow that spiders, scans, and hands findings downstream for triage.
source github.com/zaproxy/zaproxy
use cases
Define spider, active-scan, and reporting jobs in one YAML plan so every run executes the same steps in the same order, ready to commit alongside the target's source.
Import a contract with openapifile, openapiurl, graphqlfile, or graphqlurl so ZAP walks every documented endpoint before it runs its active rules.
Pass -config key=value overrides to change proxy host, port, or a rule threshold for one run while the base plan stays untouched.
Combine silent and lowmem so a multi-job ZAP plan runs unattended in CI and lands its report where the rest of the workflow triages findings.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| autorun | FILE | -autorun | Run the automation jobs specified in the YAML plan file. |
| file | FILE | --input-file | A file supplied as input to the automation plan. |
| openapifile | FILE | -openapifile | Import an OpenAPI definition from a file. |
| openapiurl | STRING | -openapiurl | Import an OpenAPI definition from a URL. |
| graphqlfile | FILE | -graphqlfile | Import a GraphQL schema from a file. |
| config | STRING | -config | Override a single key=value pair in the configuration file. |
| quickurl | STRING | -quickurl | URL to attack in ZAP's quick-scan mode, e.g. http://www.example.com. |
| lowmem | BOOLEAN | -lowmem | Back the scan with the database instead of memory (experimental). |
Showing key inputs. zap-automation-framework exposes 23 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| file | FILE | --input-file | A file containing input to be used with automation plans. |
| host | STRING | -host | Overrides the host of the main proxy specified in the configuration file. |
| port | STRING | -port | Overrides the port of the main proxy specified in the configuration file. |
| notel | BOOLEAN | -notel | Turns off telemetry calls. |
| config | STRING | -config | Overrides the specified key=value pair in the configuration file. |
| folder | FOLDER | --input-folder | A folder containing files to be used as input with automation plans. |
| lowmem | BOOLEAN | -lowmem | Use the database instead of memory as much as possible (experimental). |
| script | FILE | -script | Run the specified script from the command line. |
| silent | BOOLEAN | -silent | Ensures ZAP does not make any unsolicited requests, including checking for updates. |
| autorun | FILE | -autorun | Run the automation jobs specified in the file. |
| session | FILE | -session | Opens the given session after starting ZAP. |
| certload | FILE | -certload | Loads the Root CA certificate from the specified file name. |
| nostdout | BOOLEAN | -nostdout | Disables the default logging through standard output. |
| quickurl | STRING | -quickurl | The URL to attack, e.g. http://www.example.com. |
| configfile | FILE | -configfile | Overrides the key=value pairs with those in the specified properties file. |
| graphqlurl | STRING | -graphqlurl | Imports a GraphQL schema from a URL. |
| openapiurl | STRING | -openapiurl | Imports an OpenAPI definition from the specified URL. |
| graphqlfile | FILE | -graphqlfile | Imports a GraphQL schema from a file. |
| openapifile | FILE | -openapifile | Imports an OpenAPI definition from the specified file name. |
| graphqlendurl | STRING | -graphqlendurl | Sets the GraphQL endpoint URL. |
| quickprogress | BOOLEAN | -quickprogress | Display progress bars while scanning. |
| experimentaldb | BOOLEAN | -experimentaldb | Use the experimental generic database code (still experimental). |
| openapitargeturl | STRING | -openapitargeturl | The target URL to override the server URL present in the OpenAPI definition. Refer to the help for supported format. |
example
# headless run of a ZAP automation plan (its jobs target https://example.com)zap.sh -cmd -autorun plan.yaml -config connection.timeoutInSecs=120 -silent -lowmemAutomation Framework: loading plan from /zap/wrk/plan.yamlJob openapi startedJob openapi added 24 URLs from https://example.com/openapi.jsonJob spider startedJob spider finished, 61 URLs found under https://example.comJob activeScan startedActive Scan progress: 100% (61/61 URLs)Job activeScan finished, 3 alerts raisedJob report startedReport written to /zap/wrk/report-example.htmlguidance
Use zap-automation-framework when a single ZAP scan type is not enough and you need a multi-step, version-controlled plan. For a one-shot web app scan use zap-full-scan, and for a one-shot API scan use zap-api-scan, both of which need no YAML plan.
One full ZAP scan against a web app. Simpler when you do not need a multi-job plan.
One ZAP scan against an API definition. Use it for a single API target.
Black-box web and API scanner. A lighter alternative without ZAP's plan model.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A YAML plan feeds zap-automation-framework, which runs each ZAP job in order and writes the findings as a queryable output.
Facts on this page come from the live Trickest tool library.