# Run OWASP ZAP DAST Scans

Web teams need repeatable runtime security checks before releases. This skill guides authorized OWASP ZAP scans, authenticated testing, CI setup, and report review.

## Install

```bash
npx skillstore add agentsecops/dast-zap
```

## Metadata

- Slug: agentsecops-dast-zap
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/appsec/dast-zap
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network, filesystem, env_access
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-dast-zap
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-dast-zap/manifest

## Capabilities

- Explains baseline, full, API, and authenticated OWASP ZAP scan workflows.
- Provides Docker command patterns for passive and active DAST scans.
- Includes GitHub Actions and GitLab CI templates for automated scanning.
- Maps common ZAP findings to OWASP Top 10 and CWE categories.
- Guides false positive review, report generation, and security gate thresholds.

## Use Cases

- Pre-release web scan: Run baseline and active ZAP checks against staging before approving a release.
- Pipeline security gate: Add ZAP scan templates to CI and fail builds on high-risk findings.
- Authenticated API assessment: Test protected REST, GraphQL, or SOAP APIs with scoped credentials and generated reports.

## Prompt Templates

### Plan a baseline scan

```
Help me plan an authorized OWASP ZAP baseline scan for my staging web application. Include scope, command options, and report outputs.
```

### Add CI scanning

```
Create a CI plan for OWASP ZAP scanning in GitHub Actions or GitLab. Include artifacts, thresholds, and safe target handling.
```

### Configure authenticated testing

```
Guide me through an authenticated OWASP ZAP scan for a form-login application. Use environment variables for credentials and explain validation checks.
```

### Review scan results

```
Help me triage OWASP ZAP findings by risk, false-positive likelihood, OWASP Top 10 mapping, and remediation priority.
```

## Limitations

- Requires explicit authorization before scanning any target application.
- Does not replace manual penetration testing or exploit validation.
- Needs OWASP ZAP, Docker, and network access configured by the user.
- Scan quality depends on target scope, authentication, and application coverage.

## Best Practices

- Scan only systems where you have written authorization and a defined scope.
- Start with passive baseline scans before enabling active attack checks.
- Store credentials in secret managers or environment variables, never in templates.

## Anti Patterns

- Running active scans against production without approval or rate limits.
- Committing ZAP context files that contain real usernames, passwords, or tokens.
- Failing builds on every alert before reviewing false positives and risk context.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T05:27:19.657+00:00
- Summary: Static analysis produced many command, network, filesystem, and secret-related matches, but most are documented OWASP ZAP examples and CI templates. No prompt injection or confirmed malicious exfiltration was found. The real risk is that the skill enables active security scanning and executable automation, so users need authorization and review before use.

## Stats

- Views: 219
- Downloads: 9
- Favorites: 0
- Popularity score: 0
