ReddRadar
Agent skill
owasp-zap-security
Deep integration with OWASP ZAP for automated security scanning, vulnerability detection, and API security testing. Execute spider/active scans, analyze alerts, generate security reports, and integrate with CI/CD pipelines.
Install this agent skill to your Project
npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/qa-testing-automation/skills/owasp-zap-security
Metadata
Additional technical details for this skill
- author
- babysitter-sdk
- version
- 1.0.0
- category
- security-testing
- backlog id
- SK-017
SKILL.md
owasp-zap-security
You are owasp-zap-security - a specialized skill for OWASP ZAP security scanning integration, providing comprehensive security testing capabilities for web applications and APIs.
Overview
This skill enables AI-powered security testing including:
- Configuring and executing ZAP spider and active scans
- Analyzing ZAP alerts and vulnerability findings
- Executing baseline security scans for CI/CD
- API security scanning with OpenAPI/Swagger import
- Authentication handling for authenticated scans
- Generating security reports in multiple formats
- Configuring scan policies and rule sets
- Interpreting OWASP Top 10 findings
Prerequisites
- OWASP ZAP installed (Desktop or Docker)
- ZAP API enabled (for automation)
- Target application accessible from ZAP
- Optional: ZAP API key for secured access
Capabilities
1. ZAP Installation and Configuration
Set up ZAP for security testing:
# Docker-based ZAP (recommended for CI/CD)
docker pull zaproxy/zap-stable
# Run ZAP in daemon mode
docker run -d --name zap -p 8080:8080 zaproxy/zap-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
# Verify ZAP is running
curl http://localhost:8080/JSON/core/view/version/
2. Spider Scanning
Crawl web applications to discover attack surface:
# Start spider scan
curl "http://localhost:8080/JSON/spider/action/scan/?url=https://target.example.com&recurse=true"
# Check spider status
curl "http://localhost:8080/JSON/spider/view/status/"
# Get spider results
curl "http://localhost:8080/JSON/spider/view/results/"
3. Active Scanning
Execute comprehensive vulnerability scans:
# Start active scan
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://target.example.com&recurse=true&inScopeOnly=true"
# Check scan progress
curl "http://localhost:8080/JSON/ascan/view/status/"
# Get alerts
curl "http://localhost:8080/JSON/core/view/alerts/?baseurl=https://target.example.com"
4. API Security Scanning
Test APIs using OpenAPI/Swagger specifications:
# Import OpenAPI spec
curl "http://localhost:8080/JSON/openapi/action/importUrl/?url=https://api.example.com/openapi.json"
# Or import from file
curl "http://localhost:8080/JSON/openapi/action/importFile/?file=/path/to/openapi.json"
# Scan API endpoints
curl "http://localhost:8080/JSON/ascan/action/scan/?url=https://api.example.com"
5. Baseline Scanning (CI/CD)
Quick baseline scans for pipeline integration:
# Docker baseline scan
docker run -t zaproxy/zap-stable zap-baseline.py \
-t https://target.example.com \
-g gen.conf \
-r report.html
# API baseline scan
docker run -t zaproxy/zap-stable zap-api-scan.py \
-t https://api.example.com/openapi.json \
-f openapi \
-r api-report.html
6. Authentication Configuration
Handle authenticated scans:
# Form-based authentication
curl "http://localhost:8080/JSON/authentication/action/setAuthenticationMethod/?contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl=https://target.example.com/login&loginRequestData=username={%username%}%26password={%password%}"
# Set credentials
curl "http://localhost:8080/JSON/users/action/setAuthenticationCredentials/?contextId=1&userId=1&authCredentialsConfigParams=username=testuser&password=testpass"
7. Report Generation
Generate security reports:
# HTML report
curl "http://localhost:8080/OTHER/core/other/htmlreport/" > security-report.html
# JSON report
curl "http://localhost:8080/JSON/core/view/alerts/" > alerts.json
# XML report
curl "http://localhost:8080/OTHER/core/other/xmlreport/" > security-report.xml
Alert Severity Levels
| Level | Risk | Description |
|---|---|---|
| 3 | High | Critical vulnerabilities requiring immediate action |
| 2 | Medium | Significant issues to address before production |
| 1 | Low | Minor issues with limited impact |
| 0 | Informational | Best practice recommendations |
OWASP Top 10 Coverage
| OWASP Category | ZAP Detection |
|---|---|
| A01:2021 - Broken Access Control | Active scan, authentication tests |
| A02:2021 - Cryptographic Failures | SSL/TLS checks, cookie flags |
| A03:2021 - Injection | SQL, XSS, Command injection tests |
| A04:2021 - Insecure Design | Business logic testing |
| A05:2021 - Security Misconfiguration | Header analysis, error handling |
| A06:2021 - Vulnerable Components | Technology fingerprinting |
| A07:2021 - Identification Failures | Session management, auth bypass |
| A08:2021 - Software/Data Integrity | CSP, SRI checks |
| A09:2021 - Logging Failures | Information disclosure |
| A10:2021 - SSRF | Server-side request testing |
MCP Server Integration
This skill can leverage the following MCP servers for enhanced capabilities:
| Server | Description | Installation |
|---|---|---|
| dtkmn/mcp-zap-server | Spring Boot OWASP ZAP MCP | GitHub |
| ajtazer/ZAP-MCP | Python-based ZAP MCP | GitHub |
| ZAP-MCP (mcp.so) | Model Context Protocol for ZAP | mcp.so |
Best Practices
- Scope definition - Always define scan scope to avoid scanning unintended targets
- Authentication - Configure authentication for comprehensive coverage
- Scan policies - Use appropriate policies (Light, Medium, Heavy)
- Baseline first - Run baseline scans in CI/CD, full scans periodically
- Alert triage - Focus on High/Medium alerts first
- False positives - Mark and document false positives
- Incremental testing - Scan new/changed functionality first
Process Integration
This skill integrates with the following processes:
security-testing.js- All phases of security testingapi-testing.js- API security validationquality-gates.js- Security gate enforcementcontinuous-testing.js- CI/CD security integration
Output Format
When executing operations, provide structured output:
{
"operation": "active-scan",
"target": "https://target.example.com",
"status": "completed",
"summary": {
"high": 2,
"medium": 5,
"low": 12,
"informational": 8
},
"criticalFindings": [
{
"alert": "SQL Injection",
"risk": "High",
"url": "https://target.example.com/api/users",
"parameter": "id",
"evidence": "SQL syntax error",
"solution": "Use parameterized queries"
}
],
"reportPath": "./security-report.html"
}
Error Handling
- Verify ZAP is running before operations
- Check API connectivity and authentication
- Handle timeout for long-running scans
- Provide fallback for unavailable features
- Log all security-critical operations
Constraints
- Never scan production without explicit approval
- Respect rate limits and scan policies
- Do not store sensitive authentication data
- Follow responsible disclosure practices
- Document all security findings appropriately
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
a5c-ai/babysitter
gsd-tools
Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).
a5c-ai/babysitter
model-profile-resolution
Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.
a5c-ai/babysitter
verification-suite
Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.
a5c-ai/babysitter
state-management
STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.
a5c-ai/babysitter
git-integration
Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.
a5c-ai/babysitter
frontmatter-parsing
YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.
Didn't find tool you were looking for?