plugins/lisa-expo/skills/owasp-zap/SKILL.md
# OWASP ZAP Baseline Scanning

OWASP ZAP (Zed Attack Proxy) performs DAST (Dynamic Application Security Testing) by scanning a running application for common security vulnerabilities from the OWASP Top 10.

## When to Use

- After making changes to HTTP headers, authentication, or security middleware
- Before deploying to staging or production
- When reviewing security scan results from CI
- When triaging ZAP findings from pull request checks

## Running Locally

```bash
# Requires Docker to be installed and running
bash scripts/zap-baseline.sh
```
The scan builds the Expo web export, serves it locally, and runs ZAP against it. Reports are saved to `zap-report.html`, `zap-report.json`, and `zap-report.md`.
ZAP findings are categorized by risk level:
| Risk | Action |
|------|--------|
| High | Fix immediately — indicates exploitable vulnerability |
| Medium | Fix before deployment — security best practice violation |
| Low | Fix when convenient — minor security improvement |
| Informational | Review — may be false positive or acceptable risk |
- `script-src 'self' 'unsafe-inline'` for hydration.
- `frame-ancestors` in CSP at CDN level.
- `HttpOnly`, `Secure`, and `SameSite` attributes.
- `Server` response header.

ZAP scan rules are configured in `.zap/baseline.conf`. Each line controls how ZAP treats a specific rule:

- `IGNORE`: Skip the rule entirely
- `WARN`: Report finding but don't fail the build
- `FAIL`: Fail the build if this finding is detected

ZAP runs automatically in CI via the `zap-baseline.yml` workflow. Results are uploaded as artifacts and the build fails on medium+ severity findings.
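Added here as an illustration (not part of this skill, the repo's scripts, or ZAP itself): a Python triage helper that parses a rule file in the tab-separated `<id> <ACTION> (<name>)` layout ZAP's baseline scan uses, applies it to alerts read from `zap-report.json`, and sorts them into fail/warn/ignored buckets following the page's policy that an explicit rule wins and unlisted medium+ findings otherwise fail the build. The config lines and alerts are constructed samples; the plugin ids only resemble ZAP's and are not taken from this repository's `.zap/baseline.conf`.

```python
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample in the layout ZAP's baseline scan uses for its rule file:
# <rule id> TAB <IGNORE|WARN|FAIL> TAB (<rule name, informational only>).
SAMPLE_CONF = """# zap-baseline rule configuration (constructed sample)
10038\tFAIL\t(Content Security Policy (CSP) Header Not Set)
10020\tWARN\t(Missing Anti-clickjacking Header)
10036\tIGNORE\t(Server Leaks Version Information)
"""

# Constructed sample of the alert objects found under site[].alerts[] in
# zap-report.json; riskcode 0-3 maps to Informational..High.
SAMPLE_REPORT = {"site": [{"@name": "http://localhost:8080", "alerts": [
    {"pluginid": "10038", "riskcode": "2", "alert": "CSP Header Not Set"},
    {"pluginid": "10020", "riskcode": "2", "alert": "Anti-clickjacking Header"},
    {"pluginid": "10036", "riskcode": "1", "alert": "Server Leaks Version"},
    {"pluginid": "10010", "riskcode": "1", "alert": "Cookie No HttpOnly Flag"},
]}]}

def parse_baseline_conf(text):
    """Return {rule_id: action}; the (name) column is ignored, as ZAP does."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2 or parts[1] not in ("IGNORE", "WARN", "FAIL"):
            raise ValueError(f"line {lineno}: expected '<id>\\t<IGNORE|WARN|FAIL>'")
        rules[parts[0]] = parts[1]
    return rules

def triage(report, rules, fail_at_risk=2):
    """Bucket alerts; an explicit FAIL/WARN wins, unlisted rules use the
    severity threshold (2 = Medium), mirroring "fails on medium+ findings"."""
    outcome = {"fail": [], "warn": [], "ignored": []}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            action = rules.get(alert["pluginid"])
            risk = int(alert["riskcode"])
            label = f'{alert["pluginid"]} {alert["alert"]} [{RISK_NAMES[str(risk)]}]'
            if action == "IGNORE":
                outcome["ignored"].append(label)
            elif action == "FAIL" or (action is None and risk >= fail_at_risk):
                outcome["fail"].append(label)
            else:  # explicit WARN, or an unlisted finding below the threshold
                outcome["warn"].append(label)
    return outcome
```

In CI you would feed it `open(".zap/baseline.conf").read()` and `json.load(open("zap-report.json"))` instead of the samples and exit non-zero when the fail bucket is non-empty.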