codyswanngt/plugins/lisa-expo-cursor/skills/owasp-zap
plugins/lisa-expo-cursor/skills/owasp-zap/SKILL.md
# OWASP ZAP Baseline Scanning OWASP ZAP (Zed Attack Proxy) performs DAST (Dynamic Application Security Testing) by scanning a running application for common security vulnerabilities from the OWASP Top 10. ## When to Use - After making changes to HTTP headers, authentication, or security middleware - Before deploying to staging or production - When reviewing security scan results from CI - When triaging ZAP findings from pull request checks ## Running Locally ```bash # Requires Docker to be
$ install --global
skillsauthnpx skillsauth add codyswanngt/lisa plugins/lisa-expo-cursor/skills/owasp-zapInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 12, 2026, 3:01 AM4.5s1 file scanned
SKILL.md
OWASP ZAP Baseline Scanning
OWASP ZAP (Zed Attack Proxy) performs DAST (Dynamic Application Security Testing) by scanning a running application for common security vulnerabilities from the OWASP Top 10.
When to Use
- After making changes to HTTP headers, authentication, or security middleware
- Before deploying to staging or production
- When reviewing security scan results from CI
- When triaging ZAP findings from pull request checks
Running Locally
# Requires Docker to be installed and running
bash scripts/zap-baseline.sh
The scan builds the Expo web export, serves it locally, and runs ZAP against it. Reports are saved to zap-report.html, zap-report.json, and zap-report.md.
Interpreting Results
ZAP findings are categorized by risk level:
| Risk | Action | |------|--------| | High | Fix immediately — indicates exploitable vulnerability | | Medium | Fix before deployment — security best practice violation | | Low | Fix when convenient — minor security improvement | | Informational | Review — may be false positive or acceptable risk |
Common Findings and Fixes
Infrastructure-Level (fix at CDN/hosting, not in code)
- CSP Header Not Set: Configure Content-Security-Policy at CDN or hosting platform. Expo web exports need
script-src 'self' 'unsafe-inline'for hydration. - HSTS Not Set: Configure Strict-Transport-Security at CDN/load balancer.
- X-Frame-Options: Use
frame-ancestorsin CSP at CDN level.
Application-Level (fix in code)
- Cookie flags missing: Ensure all cookies set
HttpOnly,Secure, andSameSiteattributes. - Debug error messages: Ensure error boundaries don't leak stack traces in production.
- Server version disclosure: Remove or mask the
Serverresponse header.
Configuration
ZAP scan rules are configured in .zap/baseline.conf. Each line controls how ZAP treats a specific rule:
IGNORE: Skip the rule entirelyWARN: Report finding but don't fail the buildFAIL: Fail the build if this finding is detected
CI Integration
ZAP runs automatically in CI via the zap-baseline.yml workflow. Results are uploaded as artifacts and the build fails on medium+ severity findings.
Related Skills
codyswanngt/lisa-wiki-onboard-me
documentation
VerifiedTrustedCommunity
Onboard a user to the project via its LLM Wiki. Interviews the user about themselves in relation to the project, captures that to project-scoped memory only, then gives a guided tour of what the project is and sample questions they can ask. Use when someone is new to the project or asks to be onboarded. Read-mostly — it does not open PRs or write PII into the wiki.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-migrate
documentation
VerifiedTrustedCommunity
Migrate an existing, hand-rolled wiki implementation onto the lisa-wiki kernel — phased and compatibility-first, with a strict no-loss guarantee. Use when adopting lisa-wiki in a repo that already has its own wiki/, ingest skills, docs, or roles. Renaming things into the canonical shape is fine; losing functionality or data is not. Ends by running /doctor.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-lint
development
VerifiedTrustedCommunity
Health-check the LLM Wiki. Reports orphan pages, contradictions, stale claims, broken internal links, missing index/log coverage, structure-manifest violations, and secret/tenant leaks. Use periodically or before hardening a wiki. Read-only — it reports findings, it does not fix them.
1SKILL.mdUpdated Jun 5, 2026
codyswanngt/lisa-wiki-ingest
testing
VerifiedTrustedCommunity
Ingest source material into the LLM Wiki. With an argument (URL, file path, or prompt) it ingests that one source; with no argument it runs a full ingest across every enabled non-external-write source. Routes to the right connector, then runs the ordered pipeline (source note → synthesis → index → log → verify → state → commit/PR). Use whenever new knowledge should enter the wiki.
1SKILL.mdUpdated Jun 5, 2026