AI Agent Skill HUB

owasp-zap-security

Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.

509 stars
bya5c-ai
View on GitHubInstallation ↓

Best use case

owasp-zap-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.

Teams using owasp-zap-security should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/owasp-zap-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/a5c-ai/babysitter/main/library/specializations/qa-testing-automation/skills/owasp-zap-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/owasp-zap-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How owasp-zap-security Compares

Feature / Agentowasp-zap-securityStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# owasp-zap-security

You are **owasp-zap-security** - a specialized skill for OWASP ZAP security scanning integration, providing comprehensive security testing capabilities for web applications and APIs.

## Overview

This skill enables AI-powered security testing including:
- Configuring and executing ZAP spider and active scans
- Analyzing ZAP alerts and vulnerability findings
- Executing baseline security scans for CI/CD
- API security scanning with OpenAPI/Swagger import
- Authentication handling for authenticated scans
- Generating security reports in multiple formats
- Configuring scan policies and rule sets
- Interpreting OWASP Top 10 findings

## Prerequisites

- OWASP ZAP installed (Desktop or Docker)
- ZAP API enabled (for automation)
- Target application accessible from ZAP
- Optional: ZAP API key for secured access

## Capabilities

### 1. ZAP Installation and Configuration

Set up ZAP for security testing:

```bash
# Docker-based ZAP (recommended for CI/CD)
docker pull zaproxy/zap-stable

# Run ZAP in daemon mode
docker run -d --name zap -p 8080:8080 zaproxy/zap-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

# Verify ZAP is running
curl http://localhost:8080/JSON/core/view/version/
```

### 2. Spider Scanning

Crawl web applications to discover attack surface:

```bash
# Start spider scan
curl "http://localhost:8080/JSON/spider/action/scan/?url=https://target.example.com&recurse=true"

# Check spider status
curl "http://localhost:8080/JSON/spider/view/status/"

# Get spider results
curl "http://localhost:8080/JSON/spider/view/results/"
```

### 3. Active Scanning

Execute comprehensive vulnerability scans:

```bash
# Start active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.example.com&recurse=true&inScopeOnly=true"

# Check scan progress
curl "http://localhost:8080/JSON/ascan/view/status/"

# Get alerts
curl "http://localhost:8080/JSON/core/view/alerts/?baseurl=https://target.example.com"
```

### 4. API Security Scanning

Test APIs using OpenAPI/Swagger specifications:

```bash
# Import OpenAPI spec
curl "http://localhost:8080/JSON/openapi/action/importUrl/?url=https://api.example.com/openapi.json"

# Or import from file
curl "http://localhost:8080/JSON/openapi/action/importFile/?file=/path/to/openapi.json"

# Scan API endpoints
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://api.example.com"
```

### 5. Baseline Scanning (CI/CD)

Quick baseline scans for pipeline integration:

```bash
# Docker baseline scan
docker run -t zaproxy/zap-stable zap-baseline.py \
  -t https://target.example.com \
  -g gen.conf \
  -r report.html

# API baseline scan
docker run -t zaproxy/zap-stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -r api-report.html
```

### 6. Authentication Configuration

Handle authenticated scans:

```bash
# Form-based authentication
curl "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl=https://target.example.com/login&loginRequestData=username={%username%}%26password={%password%}"

# Set credentials
curl "http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=1&authCredentialsConfigParams=username=testuser&password=testpass"
```

### 7. Report Generation

Generate security reports:

```bash
# HTML report
curl "http://localhost:8080/OTHER/core/other/htmlreport/" > security-report.html

# JSON report
curl "http://localhost:8080/JSON/core/view/alerts/" > alerts.json

# XML report
curl "http://localhost:8080/OTHER/core/other/xmlreport/" > security-report.xml
```

## Alert Severity Levels

| Level | Risk | Description |
|-------|------|-------------|
| 3 | High | Critical vulnerabilities requiring immediate action |
| 2 | Medium | Significant issues to address before production |
| 1 | Low | Minor issues with limited impact |
| 0 | Informational | Best practice recommendations |

## OWASP Top 10 Coverage

| OWASP Category | ZAP Detection |
|----------------|---------------|
| A01:2021 - Broken Access Control | Active scan, authentication tests |
| A02:2021 - Cryptographic Failures | SSL/TLS checks, cookie flags |
| A03:2021 - Injection | SQL, XSS, Command injection tests |
| A04:2021 - Insecure Design | Business logic testing |
| A05:2021 - Security Misconfiguration | Header analysis, error handling |
| A06:2021 - Vulnerable Components | Technology fingerprinting |
| A07:2021 - Identification Failures | Session management, auth bypass |
| A08:2021 - Software/Data Integrity | CSP, SRI checks |
| A09:2021 - Logging Failures | Information disclosure |
| A10:2021 - SSRF | Server-side request testing |

## MCP Server Integration

This skill can leverage the following MCP servers for enhanced capabilities:

| Server | Description | Installation |
|--------|-------------|--------------|
| dtkmn/mcp-zap-server | Spring Boot OWASP ZAP MCP | [GitHub](https://github.com/dtkmn/mcp-zap-server) |
| ajtazer/ZAP-MCP | Python-based ZAP MCP | [GitHub](https://github.com/ajtazer/ZAP-MCP) |
| ZAP-MCP (mcp.so) | Model Context Protocol for ZAP | [mcp.so](https://mcp.so/server/ZAP-MCP) |

## Best Practices

1. **Scope definition** - Always define scan scope to avoid scanning unintended targets
2. **Authentication** - Configure authentication for comprehensive coverage
3. **Scan policies** - Use appropriate policies (Light, Medium, Heavy)
4. **Baseline first** - Run baseline scans in CI/CD, full scans periodically
5. **Alert triage** - Focus on High/Medium alerts first
6. **False positives** - Mark and document false positives
7. **Incremental testing** - Scan new/changed functionality first

## Process Integration

This skill integrates with the following processes:
- `security-testing.js` - All phases of security testing
- `api-testing.js` - API security validation
- `quality-gates.js` - Security gate enforcement
- `continuous-testing.js` - CI/CD security integration

## Output Format

When executing operations, provide structured output:

```json
{
  "operation": "active-scan",
  "target": "https://target.example.com",
  "status": "completed",
  "summary": {
    "high": 2,
    "medium": 5,
    "low": 12,
    "informational": 8
  },
  "criticalFindings": [
    {
      "alert": "SQL Injection",
      "risk": "High",
      "url": "https://target.example.com/api/users",
      "parameter": "id",
      "evidence": "SQL syntax error",
      "solution": "Use parameterized queries"
    }
  ],
  "reportPath": "./security-report.html"
}
```

## Error Handling

- Verify ZAP is running before operations
- Check API connectivity and authentication
- Handle timeout for long-running scans
- Provide fallback for unavailable features
- Log all security-critical operations

## Constraints

- Never scan production without explicit approval
- Respect rate limits and scan policies
- Do not store sensitive authentication data
- Follow responsible disclosure practices
- Document all security findings appropriately

Related Skills

web-security

509
from a5c-ai/babysitter

OWASP Top 10, security headers, CSP, XSS prevention, and vulnerability prevention.

security-scanner

509
from a5c-ai/babysitter

Run security scans including SAST, dependency scanning, and secret detection

security-sandbox

509
from a5c-ai/babysitter

Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.

Offensive Security Skill

509
from a5c-ai/babysitter

Offensive security tools and techniques integration

hardware-security

509
from a5c-ai/babysitter

Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.

cloud-security-testing

509
from a5c-ai/babysitter

Multi-cloud security assessment and penetration testing capabilities. Execute Prowler/ScoutSuite assessments, analyze IAM policies, identify cloud misconfigurations, test permissions, and enumerate cloud resources across AWS/GCP/Azure.

Burp Suite/Web Security Skill

509
from a5c-ai/babysitter

Web application security testing with Burp Suite integration

aiml-security

509
from a5c-ai/babysitter

AI/ML model security testing and adversarial research capabilities. Generate adversarial examples, test model robustness, perform model extraction attacks, test for data poisoning, analyze model fairness, and support ART framework integration.

vendor-security-questionnaire

509
from a5c-ai/babysitter

Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring

owasp-security-scanner

509
from a5c-ai/babysitter

Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.

multi-cloud-security-posture

509
from a5c-ai/babysitter

Unified cloud security posture management across AWS, Azure, and GCP with normalized metrics and CIS benchmark comparison

iac-security-scanner

509
from a5c-ai/babysitter

Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi