Skip to content

Instantly share code, notes, and snippets.

Created July 17, 2021 22:14
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
ZAP Automation Template example - works with v0.4, runs against Google firing range
--- # OWASP ZAP automation configuration file, for more details see
env: # The environment, mandatory
contexts : # List of 1 or more contexts, mandatory
- name: context 1 # Name to be used to refer to this context in other jobs, mandatory
urls: # A mandatory list of top level urls, everything under each url will be included
includePaths: # An optional list of regexes to include
excludePaths: # An optional list of regexes to exclude
authentication: # TBA: In time to cover all auth configs
vars: # List of 1 or more variables, can be used throughout the config
failOnError: true # If set exit on an error
failOnWarning: false # If set exit on a warning
progressToStdout: true # If set will write job progress to stdout
- type: addOns # Add-on management
updateAddOns: false # Update any add-ons that have new versions
install: # A list of non standard add-ons to install from the ZAP Marketplace
uninstall: # A list of standard add-ons to uninstall
# Passive scan templates
# Spider templates
- type: spider # The traditional spider - fast but doesnt handle modern apps so well
context: # String: Name of the context to spider, default: first context
url: # String: Url to start spidering from, default: first context URL
userAgent: # String: The user agent to use in requests, default: '' - use the default ZAP one
maxDuration: # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
maxDepth: # Int: The maximum tree depth to explore
maxChildren: # Int: The maximum number of children to add to each node in the tree
- name: 'At least X URLs found' # String: Name of the test, default: statistic + operator + value
type: 'stats' # String: Type of test, only 'stats' is supported for now
statistic: 'automation.spider.urls.added' # String: Name of an integer / long statistic, currently supported: 'automation.spider.urls.added'
operator: '>=' # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing
value: 100 # Int: Change this to the number of URLs you expect to find
onFail: 'info' # String [warn, error, info]: Change this to 'warn' or 'error' for the test to take effect
# API scan templates
# Active scan templates
- type: activeScan # The active scanner - this actively attacks the target so should only be used with permission
context: # String: Name of the context to attack, default: first context
policy: # String: Name of the scan policy to be used, default: Default Policy
maxRuleDurationInMins: 10 # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
maxScanDurationInMins: 10 # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimiteds
delayInMs: # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
policyDefinition: # The policy definition - only used if the 'policy' is not set
defaultStrength: Low # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
defaultThreshold: Low # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
rules: # A list of one or more active scan rules and associated settings which override the defaults
- id: 40018
threshold: Low
strength: Medium
# Output templates
- type: outputSummary # Print summary to stdout, primarily to mimic the behaviour of the packaged scans
format: None # String: The format of the output, one of None, Short, Long, default: None
summaryFile: # String: The full path of a file into which will be written a JSON summary of the scan, default empty
- type: report # Report generation
template: traditional-json # String: The template id, default : traditional-html
reportDir: /tmp/zap/ # String: The directory into which the report will be written
reportFile: # String: The report file name pattern, default: {yyyy-MM-dd}-ZAP-Report-[[site]]
reportTitle: # String: The report title
reportDescription: # String: The report description
displayReport: # Boolean: Display the report when generated, default: false
risks: # List: The risks to include in this report, default all
- high
- medium
- low
- info
confidences: # List: The confidences to include in this report, default all
- high
- medium
- low
- falsepositive
sections: # List: The template sections to include in this report - see the relevant template, default all
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment