ZAP

This scanner scans websites for vulnerabilities. It supports both authenticated and unauthenticated scans.

How to use with Smithy

Open-Source

```yaml
# file: ./my-workflow/workflow.yaml
description: ZAP based workflow
name: zap
components:
- component: ghcr.io/smithy-security/smithy/manifests/components/scanners/zaproxy:v1.11.3
- component: ghcr.io/smithy-security/smithy/manifests/components/enrichers/custom-annotation:v0.1.2
- component: ghcr.io/smithy-security/smithy/manifests/components/reporters/json-logger:v1.0.2
```
  1. Configure the run parameters of the component in the overrides file (the `type`/`value` keys must be indented under their `name` entry, otherwise the YAML does not parse):

```yaml
zaproxy:
  - name: target
    type: string
    value: "https://opencre.org/"
  - name: scan_duration_mins
    type: string
    value: "11"
  - name: login_url
    type: string
    value: ""
  - name: logout_url
    type: string
    value: ""
  - name: username
    type: string
    value: ""
  - name: password
    type: string
    value: ""
```
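A pre-flight check for the `zaproxy` entry of an overrides file, as an added example that is not part of the Smithy project: it walks the `name`/`type`/`value` items shown above and reports a missing target, a non-numeric `scan_duration_mins`, or an authenticated scan that has only some of `login_url`, `username` and `password` set, before the workflow is run. The parameter names are the ones in the overrides file; the sample entries at the bottom are constructed for this example, and whole-value trigger placeholders of the `{{ .context.trigger... }}` form used in the SaaS settings are accepted unchanged because they are resolved at run time.

```python
"""Pre-flight validation for the zaproxy parameters of a Smithy overrides file.

Added example, not Smithy project code. Parameter names come from the
overrides file on this page; the sample data at the bottom is constructed.
"""
import re
from urllib.parse import urlparse

KNOWN_PARAMS = {"target", "scan_duration_mins", "login_url",
                "logout_url", "username", "password"}
AUTH_PARAMS = {"login_url", "username", "password"}
# A whole-value trigger placeholder, e.g. {{ .context.trigger.event.url }}
TEMPLATE_RE = re.compile(r"^\{\{\s*\.\S+\s*\}\}$")


def is_template(value: str) -> bool:
    """True when the value is a trigger placeholder resolved at run time."""
    return bool(TEMPLATE_RE.match(value.strip()))


def is_http_url(value: str) -> bool:
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def validate_zaproxy_overrides(params):
    """Return (errors, warnings); an empty error list means the entry is usable."""
    errors, warnings, values = [], [], {}
    for item in params:
        name = item.get("name")
        if name not in KNOWN_PARAMS:
            errors.append(f"unknown parameter {name!r}")
            continue
        if item.get("type") != "string":
            errors.append(f"{name}: type must be 'string'")
        value = item.get("value")
        if not isinstance(value, str):
            # An unquoted 11 in YAML arrives as an int, not the string the component expects.
            errors.append(f"{name}: value must be a quoted string")
            continue
        values[name] = value

    target = values.get("target", "")
    if not target:
        errors.append("target is required")
    elif not is_template(target) and not is_http_url(target):
        errors.append(f"target {target!r} is not an http(s) URL")

    duration = values.get("scan_duration_mins", "")
    if duration and not is_template(duration):
        if not duration.isdigit() or int(duration) == 0:
            errors.append(f"scan_duration_mins {duration!r} must be a positive integer")

    for name in ("login_url", "logout_url"):
        url = values.get(name, "")
        if url and not is_template(url) and not is_http_url(url):
            errors.append(f"{name} {url!r} is not an http(s) URL")

    # An authenticated scan needs the login form URL and both credentials;
    # setting only some of them leaves the scan effectively unauthenticated.
    present = {p for p in AUTH_PARAMS if values.get(p)}
    if present and present != AUTH_PARAMS:
        missing = ", ".join(sorted(AUTH_PARAMS - present))
        errors.append(f"authenticated scan also needs: {missing}")

    # A literal password in a committed overrides file is a credential exposure
    # risk; the SaaS setup on this page passes it through a trigger template.
    password = values.get("password", "")
    if password and not is_template(password):
        warnings.append("password is a literal value; consider a trigger "
                        "template such as {{ .context.trigger.auth.token }}")
    return errors, warnings


def param(name, value):
    """Build one overrides item in the name/type/value shape used on this page."""
    return {"name": name, "type": "string", "value": value}


# Constructed samples for this example (example.com values are placeholders).
UNAUTHENTICATED = [param("target", "https://opencre.org/"),
                   param("scan_duration_mins", "11"),
                   param("login_url", ""), param("logout_url", ""),
                   param("username", ""), param("password", "")]
HALF_CONFIGURED_AUTH = [param("target", "https://example.com/"),
                        param("scan_duration_mins", "0"),
                        param("login_url", "https://example.com/login"),
                        param("username", "scanner"), param("password", "")]
TEMPLATED_SAAS = [param("target", "{{ .context.trigger.event.url }}"),
                  param("login_url", "{{ .context.trigger.event.login_path }}"),
                  param("username", "{{ .context.trigger.auth.username }}"),
                  param("password", "{{ .context.trigger.auth.token }}")]

if __name__ == "__main__":
    for label, sample in [("unauthenticated", UNAUTHENTICATED),
                          ("half-configured auth", HALF_CONFIGURED_AUTH),
                          ("templated SaaS", TEMPLATED_SAAS)]:
        errs, warns = validate_zaproxy_overrides(sample)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
```

Run it against a parsed overrides file (for example the list under `zaproxy` loaded with a YAML library) in a pre-commit hook or CI job; the half-configured sample shows the two failures a reviewer most often misses, a zero scan duration and credentials without a matching `password`.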

SaaS

  1. In the Smithy UI, open the page to create a new workflow.
  2. Find ZAP in the scanners dropdown.
  3. [Optional] If you want to run an authenticated scan, set the URL of the login form and the credentials.
  4. Set the target domain or base URL.

Example global settings if you are using the web app trigger:

```
Login URL: {{ .context.trigger.event.login_path }}
Target: {{ .context.trigger.event.url }}
Username: {{ .context.trigger.auth.username }}
Password: {{ .context.trigger.auth.token }}
```

Options

You can configure this component with the following options:

| Option Name | Description | Default | Type |
|---|---|---|---|
| target [Required] | Target to scan | "" | String |
| username | If it's an authenticated scan: the username | "" | String |
| password | If it's an authenticated scan: the password | "" | String |
| login_url | If it's an authenticated scan: the URL of the login form | "" | String |