aeondave/zap
offensive-tools/web-app/zap/SKILL.md
OWASP ZAP: open-source web application scanner and intercepting proxy for automated active/passive vulnerability scanning. Use when performing comprehensive web app tests, integrating security scanning into CI/CD pipelines, scripting custom scan logic, or running headless API scans.
$ install --global
skillsauthnpx skillsauth add aeondave/malskill zapInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 31, 2026, 9:41 PM58.8s1 file scanned
SKILL.md
- name:
- zap
- description:
- OWASP ZAP: open-source web application scanner and intercepting proxy for automated active/passive vulnerability scanning. Use when performing comprehensive web app tests, integrating security scanning into CI/CD pipelines, scripting custom scan logic, or running headless API scans.
- license:
- Apache-2.0
- compatibility:
- Linux / macOS / Windows. Java 11+. Docker available from zaproxy.org.
- author:
- AeonDave
- version:
- 1.0
OWASP ZAP
Open-source web app scanner and intercepting proxy.
Quick Start
zap.sh
zap.sh -daemon -port 8090 -host 127.0.0.1
docker run -t owasp/zap2docker-stable zap-baseline.py -t http://target.com
docker run -t owasp/zap2docker-stable zap-full-scan.py -t http://target.com
Scan Types
| Scan | Command | Notes |
|------|---------|-------|
| Baseline | zap-baseline.py | Passive only, safe for prod |
| Full scan | zap-full-scan.py | Active, potentially destructive |
| API scan | zap-api-scan.py | OpenAPI / SOAP / GraphQL targets |
REST API (daemon mode)
curl "http://localhost:8090/JSON/spider/action/scan/?url=http://target.com"
curl "http://localhost:8090/JSON/ascan/action/scan/?url=http://target.com"
curl "http://localhost:8090/JSON/core/view/alerts/"
Resources
| File | When to load |
|------|--------------|
| references/ | Authentication config, CI integration, scripting API |
Related Skills
aeondave/vibe-audit-technique
development
VerifiedTrustedCommunity
White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).
4SKILL.mdUpdated Jun 12, 2026
aeondave/source-review-technique
development
VerifiedTrustedCommunity
Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.
4SKILL.mdUpdated Jun 12, 2026
aeondave/hardware-technique
development
VerifiedTrustedCommunity
Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.
4SKILL.mdUpdated Jun 12, 2026
aeondave/container-technique
devops
VerifiedTrustedCommunity
Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.
4SKILL.mdUpdated Jun 12, 2026