a5c-ai/owasp-zap-security
library/specializations/qa-testing-automation/skills/owasp-zap-security/SKILL.md
Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.
$ install --global
skillsauthnpx skillsauth add a5c-ai/babysitter owasp-zap-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 2, 2026, 1:22 PM56.1s2 files scanned
SKILL.md
- name:
- owasp-zap-security
- description:
- Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.
- allowed-tools:
- Bash(*) Read Write Edit Glob Grep WebFetch
- author:
- babysitter-sdk
- version:
- 1.0.0
- category:
- security-testing
- backlog-id:
- SK-017
owasp-zap-security
You are owasp-zap-security - a specialized skill for OWASP ZAP security scanning integration, providing comprehensive security testing capabilities for web applications and APIs.
Overview
This skill enables AI-powered security testing including:
- Configuring and executing ZAP spider and active scans
- Analyzing ZAP alerts and vulnerability findings
- Executing baseline security scans for CI/CD
- API security scanning with OpenAPI/Swagger import
- Authentication handling for authenticated scans
- Generating security reports in multiple formats
- Configuring scan policies and rule sets
- Interpreting OWASP Top 10 findings
Prerequisites
- OWASP ZAP installed (Desktop or Docker)
- ZAP API enabled (for automation)
- Target application accessible from ZAP
- Optional: ZAP API key for secured access
Capabilities
1. ZAP Installation and Configuration
Set up ZAP for security testing:
# Docker-based ZAP (recommended for CI/CD)
docker pull zaproxy/zap-stable
# Run ZAP in daemon mode
docker run -d --name zap -p 8080:8080 zaproxy/zap-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
# Verify ZAP is running
curl http://localhost:8080/JSON/core/view/version/
2. Spider Scanning
Crawl web applications to discover attack surface:
# Start spider scan
curl "http://localhost:8080/JSON/spider/action/scan/?url=https://target.example.com&recurse=true"
# Check spider status
curl "http://localhost:8080/JSON/spider/view/status/"
# Get spider results
curl "http://localhost:8080/JSON/spider/view/results/"
3. Active Scanning
Execute comprehensive vulnerability scans:
# Start active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.example.com&recurse=true&inScopeOnly=true"
# Check scan progress
curl "http://localhost:8080/JSON/ascan/view/status/"
# Get alerts
curl "http://localhost:8080/JSON/core/view/alerts/?baseurl=https://target.example.com"
4. API Security Scanning
Test APIs using OpenAPI/Swagger specifications:
# Import OpenAPI spec
curl "http://localhost:8080/JSON/openapi/action/importUrl/?url=https://api.example.com/openapi.json"
# Or import from file
curl "http://localhost:8080/JSON/openapi/action/importFile/?file=/path/to/openapi.json"
# Scan API endpoints
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://api.example.com"
5. Baseline Scanning (CI/CD)
Quick baseline scans for pipeline integration:
# Docker baseline scan
docker run -t zaproxy/zap-stable zap-baseline.py \
-t https://target.example.com \
-g gen.conf \
-r report.html
# API baseline scan
docker run -t zaproxy/zap-stable zap-api-scan.py \
-t https://api.example.com/openapi.json \
-f openapi \
-r api-report.html
6. Authentication Configuration
Handle authenticated scans:
# Form-based authentication
curl "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl=https://target.example.com/login&loginRequestData=username={%username%}%26password={%password%}"
# Set credentials
curl "http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=1&authCredentialsConfigParams=username=testuser&password=testpass"
7. Report Generation
Generate security reports:
# HTML report
curl "http://localhost:8080/OTHER/core/other/htmlreport/" > security-report.html
# JSON report
curl "http://localhost:8080/JSON/core/view/alerts/" > alerts.json
# XML report
curl "http://localhost:8080/OTHER/core/other/xmlreport/" > security-report.xml
Alert Severity Levels
| Level | Risk | Description | |-------|------|-------------| | 3 | High | Critical vulnerabilities requiring immediate action | | 2 | Medium | Significant issues to address before production | | 1 | Low | Minor issues with limited impact | | 0 | Informational | Best practice recommendations |
OWASP Top 10 Coverage
| OWASP Category | ZAP Detection | |----------------|---------------| | A01:2021 - Broken Access Control | Active scan, authentication tests | | A02:2021 - Cryptographic Failures | SSL/TLS checks, cookie flags | | A03:2021 - Injection | SQL, XSS, Command injection tests | | A04:2021 - Insecure Design | Business logic testing | | A05:2021 - Security Misconfiguration | Header analysis, error handling | | A06:2021 - Vulnerable Components | Technology fingerprinting | | A07:2021 - Identification Failures | Session management, auth bypass | | A08:2021 - Software/Data Integrity | CSP, SRI checks | | A09:2021 - Logging Failures | Information disclosure | | A10:2021 - SSRF | Server-side request testing |
MCP Server Integration
This skill can leverage the following MCP servers for enhanced capabilities:
| Server | Description | Installation | |--------|-------------|--------------| | dtkmn/mcp-zap-server | Spring Boot OWASP ZAP MCP | GitHub | | ajtazer/ZAP-MCP | Python-based ZAP MCP | GitHub | | ZAP-MCP (mcp.so) | Model Context Protocol for ZAP | mcp.so |
Best Practices
- Scope definition - Always define scan scope to avoid scanning unintended targets
- Authentication - Configure authentication for comprehensive coverage
- Scan policies - Use appropriate policies (Light, Medium, Heavy)
- Baseline first - Run baseline scans in CI/CD, full scans periodically
- Alert triage - Focus on High/Medium alerts first
- False positives - Mark and document false positives
- Incremental testing - Scan new/changed functionality first
Process Integration
This skill integrates with the following processes:
security-testing.js- All phases of security testingapi-testing.js- API security validationquality-gates.js- Security gate enforcementcontinuous-testing.js- CI/CD security integration
Output Format
When executing operations, provide structured output:
{
"operation": "active-scan",
"target": "https://target.example.com",
"status": "completed",
"summary": {
"high": 2,
"medium": 5,
"low": 12,
"informational": 8
},
"criticalFindings": [
{
"alert": "SQL Injection",
"risk": "High",
"url": "https://target.example.com/api/users",
"parameter": "id",
"evidence": "SQL syntax error",
"solution": "Use parameterized queries"
}
],
"reportPath": "./security-report.html"
}
Error Handling
- Verify ZAP is running before operations
- Check API connectivity and authentication
- Handle timeout for long-running scans
- Provide fallback for unavailable features
- Log all security-critical operations
Constraints
- Never scan production without explicit approval
- Respect rate limits and scan policies
- Do not store sensitive authentication data
- Follow responsible disclosure practices
- Document all security findings appropriately
Related Skills
a5c-ai/model-card-generator
development
VerifiedTrustedCommunity
Model documentation skill for generating model cards following Google's model card framework.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/mlflow-experiment-tracker
development
VerifiedTrustedCommunity
MLflow integration skill for experiment tracking, model registry, and artifact management. Enables LLMs to log experiments, compare runs, manage model lifecycle, and retrieve artifacts through the MLflow API.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/lime-explainer
data-ai
VerifiedTrustedCommunity
LIME-based local explanation skill for individual predictions across tabular, text, and image data.
680SKILL.mdUpdated Apr 28, 2026
a5c-ai/kubeflow-pipeline-executor
devops
VerifiedTrustedCommunity
Kubeflow Pipelines skill for ML workflow orchestration, component management, and Kubernetes-native ML.
680SKILL.mdUpdated Apr 28, 2026