Resource library

Cyber QA

Using OWASP ZAP for QA: A QA Guide (2026)

Learn using OWASP ZAP for QA with proxy inspection, passive and active scans, API imports, authentication, Automation Framework plans, CI gates, and triage.

24 min read | 3,609 words

TL;DR

Using OWASP ZAP for QA combines an intercepting proxy, passive analysis, controlled active checks, and reproducible automation. Start with an authorized context and normal test traffic, automate a passive Baseline scan in CI, then add authenticated discovery or active API scanning only where environment safety and triage ownership are established.

Key Takeaways

  • Put every scan behind explicit authorization, a narrow context, and clear exclusions.
  • Use passive scanning during ordinary QA traffic for low-impact feedback on requests and responses.
  • Choose Baseline for passive CI, API Scan for defined APIs, and active scanning only in recoverable test environments.
  • Model authentication with contexts, verification indicators, session handling, and dedicated users before scanning.
  • Version Automation Framework YAML, rule policy, add-on set, and report gates with the application.
  • Triage alerts against exact evidence and business context before failing a release or filing a defect.
  • Measure discovered and authenticated coverage, not only alert counts.

A practical approach to using OWASP ZAP for QA adds HTTP visibility and repeatable dynamic security checks to normal testing. ZAP can proxy browser or API traffic, passively analyze every observed request and response, explore an application, import API definitions, perform authorized active checks, and run versioned Automation Framework plans in CI.

The tool is open source and automation-friendly, but a successful command is not the same as useful coverage. The scan needs a precise context, valid authentication, representative test data, safe exclusions, a documented rule policy, and human triage. This guide builds that workflow from desktop exploration through Docker automation without treating a raw alert count as a release decision.

TL;DR

ZAP approach What it does Appropriate QA use
Manual proxy plus passive scan Observes traffic and raises non-attacking alerts Daily functional and exploratory testing
Baseline packaged scan Spiders briefly, waits for passive analysis, reports Fast CI feedback, including approved production checks
Full packaged scan Spiders and actively scans a web app Isolated, recoverable test environment
API packaged scan Imports OpenAPI, SOAP, or GraphQL and actively scans API routes Authorized API test environment
Automation Framework Runs ordered YAML jobs with contexts and policies Reproducible team-owned pipelines

Begin with passive analysis and evidence quality. Add active checks only after the environment owner, scope, authentication, rate, cleanup, and triage process are ready.

1. Define risk boundaries before using OWASP ZAP for QA

ZAP can send ordinary proxied traffic, crawler requests, and attack-like active scan payloads. Those modes have different operational risk. Write the authorization boundary before testing: allowed origins, paths, ports, accounts, methods, data, scan types, rate, window, and emergency contact. Exclude logout, destructive administration, third-party identity systems, payment providers, messaging endpoints, and any other system the team does not own or has not approved.

A ZAP Context represents the application boundary. Configure top-level URLs, include and exclude regular expressions, technologies, authentication, session management, and users. A narrow context improves both safety and signal. Verify it by browsing the target and confirming that expected nodes are in context while excluded and third-party nodes are not.

Run active scanning against a disposable or recoverable environment with seeded accounts. It can submit forms, create data, trigger server behavior, and consume capacity. The Baseline scan is different: it uses discovery plus passive scanning and does not perform active attacks. Even a passive scan sends spider requests, so confirm crawl permission and exclude state-changing GET endpoints if a legacy application has them.

Treat ZAP sessions, reports, logs, HAR files, and context files as sensitive. They can contain cookies, tokens, personal data, endpoints, and internal hostnames. Store them in approved locations, redact published artifacts, and apply a retention policy. Security tooling should reduce risk, not create a new credential archive.

2. Configure ZAP as a proxy for normal QA traffic

The desktop Quick Start browser is the easiest manual entry point because it is launched with suitable proxy settings. For an external browser or API client, configure the ZAP local proxy address and trust the ZAP root CA in a dedicated test profile. Keep the listener on loopback unless a reviewed test setup requires remote access. Never distribute the interception CA to production devices or a broad organization trust store.

Browse one clean user journey with breakpoints off. The History tab shows chronological traffic, while the Sites tree organizes discovered resources. Confirm methods, paths, parameters, media types, response codes, redirects, cookies, cache behavior, and WebSocket upgrades. ZAP's passive scanner analyzes messages as they pass without modifying the requests. Wait for its queue to finish before assuming the alert set is complete.

Manual proxying contributes two kinds of QA evidence:

  • Functional evidence, such as a wrong status, duplicate API call, stale cache response, malformed header, or incorrect redirect.
  • Passive security observations, such as sensitive data in a URL, missing cookie attributes, mixed content, or information leakage.

Not every passive alert is a vulnerability in context. A cookie without Secure on a deliberately HTTP-only local fixture differs from the same finding on an authenticated staging application. Read the exact request, response, confidence, risk, evidence, and rule documentation before reporting.

For broader HTTP security coverage, combine this proxy workflow with API security testing basics. ZAP supplies observations, while the QA plan still defines roles, state, and expected business outcomes.

3. Understand passive scan, discovery, and active scan

These stages answer different questions. Passive scanning asks what can be learned from traffic that already occurred. Discovery asks what routes can be reached. Active scanning sends payloads designed to provoke vulnerable behavior. Keeping them separate makes scope and failure analysis clearer.

Stage Sends requests Attack-like payloads Main blind spot
Passive scan No extra requests by itself No Sees only observed traffic
Traditional Spider Yes No Limited on client-rendered navigation
AJAX or Client Spider Yes No Slower and still dependent on reachable states
OpenAPI, SOAP, or GraphQL import Usually leads to requests No by import alone Definition may omit runtime-only routes
Active scan Yes Yes Business logic and authorization context

The Traditional Spider is fast and follows links and forms, but modern client applications may require the AJAX Spider or Client Spider. Authenticated applications need a configured user and a reliable logged-in or logged-out verification strategy. An apparently large Sites tree does not prove the privileged workflow was reached.

Active scan policy should match the technology and environment. Disable irrelevant rules, cap duration and rate, and exclude routes with irreversible effects. Start with a small route set and observe server logs and data before expanding. A scanner cannot understand whether a refund amount is legal, whether an object belongs to another tenant, or whether a workflow step violates business policy. Manual role and state tests remain essential.

4. Run a low-impact ZAP Baseline scan

The ZAP Docker Baseline scan is a useful first CI step. It spiders the target for a limited period, waits for passive scanning, and reports alerts without active attacks. The official stable image includes zap-baseline.py. The following command mounts the current directory for the report and removes the container afterward. Run it only against an approved target.

docker run --rm \
  --volume "$PWD:/zap/wrk:rw" \
  --tty ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py \
  -t https://staging.example.test \
  -r zap-baseline-report.html \
  -J zap-baseline-report.json \
  -T 5

The script's policy file lets a team classify rule IDs as IGNORE, INFO, WARN, or FAIL. Generate a starting file with the documented -g option, review every change, and commit it. Do not silence a rule merely to make CI green. Record whether it is not applicable, accepted temporarily with an owner and date, or covered by a compensating control.

Baseline is suitable for frequent feedback because it is passive after discovery, but it is not a complete security scan. Coverage depends on the URLs the spider reaches. Seed the environment, provide starting URLs, and supplement discovery with a browser journey or API definition where necessary. A zero-alert report against only the login page is not strong evidence.

Exit codes distinguish success, policy warnings, failures, and operational errors. Configure the pipeline to interpret them intentionally, publish the report even when the command fails, and separate a target outage from a security threshold breach.

5. Create a versioned ZAP Automation Framework plan

The Automation Framework expresses contexts and ordered jobs in YAML. It is more explicit than a long command line and can be tested in the desktop UI before CI. Job order matters: discovery must happen before waiting for passive scanning, and alert filters must be applied before the alerts they are intended to affect.

This minimal plan performs traditional discovery, waits for passive rules, writes an HTML report, and sets an exit status by risk. It intentionally contains no active scan job. Save it as zap.yaml.

env:
  contexts:
    - name: qa-staging
      urls:
        - https://staging.example.test
      includePaths:
        - https://staging\.example\.test/.*
      excludePaths:
        - https://staging\.example\.test/logout.*
        - https://staging\.example\.test/admin/destructive.*
  parameters:
    failOnError: true
    failOnWarning: false
    continueOnFailure: false
    progressToStdout: true

jobs:
  - type: spider
    parameters:
      context: qa-staging
      maxDuration: 2
      maxDepth: 5
      logoutAvoidance: true

  - type: passiveScan-wait
    parameters:
      maxDuration: 5

  - type: report
    parameters:
      template: risk-confidence-html
      reportDir: /zap/wrk
      reportFile: zap-report.html
      reportTitle: QA staging passive scan

  - type: exitStatus
    parameters:
      errorLevel: High
      warnLevel: Medium

Validate the plan with ZAP's -autocheck option when updating it, then run it in Docker:

docker run --rm \
  --volume "$PWD:/zap/wrk:rw" \
  --tty ghcr.io/zaproxy/zaproxy:stable \
  zap.sh -cmd -autorun /zap/wrk/zap.yaml

Pinning an image digest gives stronger reproducibility than a moving tag. Schedule dependency and add-on updates, inspect changed alerts, and then advance the pin. Keep context patterns, report policy, and plan review under the same change control as application tests.

6. Configure authentication and prove it stays authenticated

Authenticated coverage is one of the hardest parts of dynamic testing. ZAP associates authentication, session management, verification, and users with a Context. Supported approaches include form, JSON, HTTP, scripts, browser-based authentication, and authentication helpers. The right choice depends on the real application flow.

Configure and debug authentication in the desktop before making it headless. Define the full application context, identify how sessions are stored, configure the login method, and choose a strong logged-in or logged-out indicator. Create dedicated low-privilege test users and exercise a small spider run. Check authentication statistics, History, response bodies, and the Sites tree. If every request redirected to login, the scan did not cover authenticated content.

A good verification indicator is stable and unambiguous. A 200 alone is weak because many applications return 200 for the login page. A logout link or authenticated identity endpoint may be stronger, but it must not also appear in cached or public content. For browser-based login, account for multi-step navigation and anti-forgery values. Keep credentials in CI secrets or environment variables, not in committed YAML.

Test at least two roles when authorization risk matters. Scanning as an administrator alone can hide low-privilege access problems and creates more operational risk. Use contexts or users deliberately and compare discovered routes and responses. Forced User Mode is useful for manual desktop work, but ZAP documentation recommends better user-aware mechanisms for automation.

For token-based APIs, authentication header environment variables can add a header to proxied and ZAP-generated traffic. Limit the header to the intended site and ensure logs and reports redact the value.

7. Scan APIs from OpenAPI, SOAP, or GraphQL definitions

API discovery is stronger when ZAP imports a machine-readable definition. The packaged API scan supports OpenAPI, SOAP, and GraphQL modes and runs an API-focused active scan unless safe mode is selected. Because it is active by default, use a dedicated authorized test environment with test-owned data.

A runnable OpenAPI scan looks like this:

docker run --rm \
  --volume "$PWD:/zap/wrk:rw" \
  --tty ghcr.io/zaproxy/zaproxy:stable \
  zap-api-scan.py \
  -t https://staging.example.test/openapi.json \
  -f openapi \
  -r zap-api-report.html \
  -J zap-api-report.json \
  -T 10

The definition must point to the correct staging servers and include usable paths and parameter shapes. If it contains production origins, override or sanitize them using documented options rather than risking the wrong target. Supply authentication through an approved context or supported environment configuration. Generate and review a rule policy file so active rules that are irrelevant can be disabled before they consume time.

Contract completeness limits scan completeness. Compare the imported route set with gateway logs, application routing, or an API inventory. Test deprecated versions, webhooks, upload routes, and runtime-generated operations separately if the definition omits them. ZAP can identify many technical issues, but it will not know the expected ownership rule for orderId. Add explicit functional authorization tests and use OpenAPI schema testing to verify the definition itself.

For XML services, the XML API testing guide covers XSD, namespaces, SOAP Faults, and safe parsing that an active scanner does not replace.

8. Design active scans that are safe and useful

An active scan sends crafted inputs to discover vulnerabilities. It belongs after scope, discovery, authentication, and environment recovery are proven. Clone or reset test data, notify owners, observe service health, and start with a small include pattern. Exclude logout, password reset, destructive endpoints, notification triggers, third-party callbacks, file-processing paths with cost, and any state-changing operation that cannot be safely repeated.

Configure a scan policy rather than accepting every installed rule. Include rules relevant to the server technologies, tune strength and threshold, cap threads and duration, and avoid alpha or beta rules unless the team deliberately evaluates them. More payloads do not automatically mean better QA. They can lengthen scans, create noisy evidence, and hide the few findings that matter.

Monitor during the run:

  • Request rate and error rate.
  • CPU, memory, database load, and queue growth.
  • Test record creation and cleanup backlog.
  • Authentication failures or account lockouts.
  • Unexpected calls to external integrations.
  • Active scan progress and repeated failing routes.

Stop when safety assumptions fail. Preserve logs and the exact plan so the team can diagnose whether the problem is scanner load, application fragility, or configuration.

After scanning, reset the environment and verify cleanup. Active scanning is not a load test, but it can still expose robustness defects. Report those separately from vulnerability alerts when the evidence is resource exhaustion or unhandled input rather than a confirmed security impact.

9. Triage ZAP alerts and control false positives

Each alert includes a rule ID, risk, confidence, URL, parameter, evidence, description, and guidance. Triage begins with the exact HTTP exchange. Reproduce the behavior manually, confirm the target and role, inspect application state or logs, and decide whether the alert demonstrates a real weakness in context. Do not file the generated description without validation.

Use four dispositions:

Disposition Meaning Required record
Confirmed Evidence demonstrates the issue Minimal reproduction and impact
False positive Rule interpretation does not apply Technical reason and evidence
Accepted risk Real issue is temporarily accepted Owner, rationale, and review date
Needs investigation Evidence is incomplete Named follow-up and due date

Alert filters and packaged-scan policy files can keep known decisions out of release noise. Scope filters narrowly by rule, URL, parameter, and evidence where possible. A global ignore for a common rule can hide a real regression on a new endpoint. Review suppressions when routes, frameworks, or controls change.

Do not compare builds by total alert count alone. Discovery changes can raise or lower counts without changing security. Track alerts by stable identity, coverage, authentication success, rule set, add-on versions, and target build. A fixed alert disappearing because the spider lost access is not a successful remediation.

Retest confirmed issues with the original request and a neighboring case. Then add a durable regression at the lowest useful layer, such as a header assertion, authorization integration test, or safe ZAP rule gate.

10. Integrate ZAP into CI without creating a noisy gate

A CI pipeline should decide what ZAP result means before running the container. Start with a passive Baseline job on a deployed ephemeral environment. Publish HTML for humans and JSON or XML for machine processing. Fail only on reviewed policy levels, distinguish ZAP operational errors from security alerts, and always upload artifacts and application logs.

Use separate pipeline tiers:

  1. Pull request: fast passive or targeted plan against an ephemeral build.
  2. Main branch or nightly: authenticated discovery and broader passive coverage.
  3. Pre-release: approved active scan or API scan on resettable data.
  4. Scheduled maintenance: update the pinned ZAP image and add-ons, then rebaseline policy deliberately.

Parallel scans need separate targets or test tenants. Unique headers and data prefixes make traffic traceable. Wait for application readiness using a business health check, not only an open port. Ensure the scan container can resolve the service address, especially when the application and ZAP run in different Docker networks.

Do not put secrets in command arguments that CI prints. Use the runner's secret mechanism, restricted environment variables, or generated protected context files. Redact authorization headers and sensitive bodies from reports. Set artifact retention according to data classification.

A healthy gate measures coverage prerequisites too: expected URLs discovered, authenticated requests observed, passive queue completed, and required report produced. API contract testing with Pact can detect interface drift earlier, while ZAP adds runtime behavior and security observations.

11. Measure coverage and maintain the scanning system

Dynamic scan quality declines silently when routes, authentication, or front-end navigation change. Track more than alerts. Record the number and identity of in-scope routes discovered, HTTP methods exercised, authenticated versus unauthenticated responses, API definition operations imported, active rules enabled, scan duration, passive queue completion, and terminal errors. Compare these with a maintained endpoint and workflow inventory.

Coverage questions should be concrete:

  • Did the scan reach the post-login dashboard and one protected API?
  • Did each intended role authenticate successfully?
  • Were create, read, update, and delete methods observed where safe?
  • Did the imported API definition target staging?
  • Were excluded destructive routes actually absent?
  • Did client-side discovery reach routes created after JavaScript execution?
  • Were WebSocket or upload surfaces covered by another test if not by this plan?

Pin ZAP and add-on versions for reproducible gates, then schedule upgrades. Review release notes, run the new image against a stable reference target, explain new or changed alerts, and update policy through code review. Retire suppressions whose endpoints no longer exist. Validate that report templates and machine parsers still work.

Treat the automation plan as test code. Give it an owner, peer review, a local reproduction command, and a small intentionally vulnerable reference fixture if the organization supports one. The fixture can prove the gate still detects a known safe training issue without targeting real data.

12. Operationalize using OWASP ZAP for QA teams

Operationalizing using OWASP ZAP for QA requires shared ownership between QA, application security, developers, and platform engineers. QA usually understands workflows, data, and release gates. Security helps tune rules and impact. Developers explain controls and fix root causes. Platform owners provide isolated environments, logs, secrets, and safe resource limits.

Define a compact team standard:

  • Which projects receive passive, API, and active scans.
  • Who approves scope and active behavior.
  • Where contexts, plans, and policy files live.
  • Which alerts fail which pipeline tier.
  • Who triages and within what time.
  • How exceptions expire and are reviewed.
  • Which artifacts are retained or redacted.
  • How coverage loss is detected.

A good defect includes the scan version, rule ID, risk and confidence, environment, role, sanitized request and response, manual reproduction, actual impact, and remediation retest. Separate scanner wording from your verified facts. Avoid attaching a full report when one redacted exchange is enough.

Do not position ZAP as a compliance checkbox or a replacement for secure design. Its strongest QA value is repeatability: known traffic is analyzed the same way, an agreed policy produces a machine result, and confirmed defects become regression evidence. Start small, keep the context accurate, and expand only when signal and ownership remain healthy.

Interview Questions and Answers

Q: How would you use OWASP ZAP in a QA process?

I first define an authorized context and proxy normal functional journeys so passive scanning sees representative traffic. I automate a Baseline or Automation Framework plan with reviewed policy and coverage checks. Active or API scans run only in a recoverable test environment, and every release-impacting alert is manually triaged.

Q: What is the difference between passive and active scanning in ZAP?

Passive scanning analyzes requests and responses without changing or adding traffic itself. Active scanning sends crafted payloads that can trigger application behavior and state changes. Passive checks fit daily QA more easily, while active checks require stronger authorization and environment controls.

Q: Why can a zero-alert ZAP report be misleading?

The scanner may have reached only public pages, failed authentication, imported the wrong API server, or run with important rules disabled. I verify discovered URLs, authenticated responses, rule set, passive completion, and target build before interpreting alert count.

Q: How do you test authenticated scans?

I configure the context, session management, authentication method, verification indicator, and dedicated user in the desktop first. I run a small discovery job, inspect authentication statistics and responses, and prove protected routes were reached. Credentials stay in secret storage.

Q: How do you manage ZAP false positives?

I reproduce the exact exchange, verify business context, and record a clear disposition. Narrow filters can suppress confirmed false positives, while accepted risks need an owner and review date. I avoid broad ignores and review policy when the application changes.

Q: Which ZAP scan should run in CI?

A Baseline or passive Automation Framework plan is a strong first pull-request gate. Authenticated discovery can run nightly, and active or API scans fit an isolated pre-release environment. The correct choice depends on target type, safety, runtime, and triage capacity.

Q: How do you make ZAP automation reproducible?

I version contexts, Automation Framework YAML, rule policy, report configuration, and image digest. The pipeline uses a known target dataset, unique run identifiers, explicit exit policy, and preserved sanitized artifacts. Updates are tested and rebaselined through review.

Common Mistakes

  • Running active scans without explicit authorization and recovery planning.
  • Defining an overly broad context that includes third-party or destructive routes.
  • Treating passive, discovery, and active stages as interchangeable.
  • Assuming authentication worked because the scan completed.
  • Failing a release on untriaged raw alert counts.
  • Globally ignoring a rule to remove one false positive.
  • Using a moving container tag without a controlled update process.
  • Checking alerts but not discovered and authenticated coverage.
  • Putting credentials in YAML, command output, or retained reports.
  • Running several scans against shared mutable test data.
  • Forgetting to wait for the passive scan queue before reporting.
  • Allowing plans and suppressions to become ownerless test infrastructure.

A useful ZAP gate is explainable. The team can state what was in scope, how it authenticated, what traffic was observed, which rules ran, why the policy returned its status, and who owns the next action.

Conclusion

Using OWASP ZAP for QA works best as a progressive system: proxy representative traffic, collect passive findings, prove discovery and authentication, automate a versioned plan, and add active checks only inside safe boundaries. Context and coverage quality matter as much as scanner configuration.

Start with a small passive Baseline scan against an approved staging environment. Review every alert, record the discovered routes, commit an explicit policy, and then move to an Automation Framework plan. That foundation produces sustainable CI signal instead of a noisy report that teams learn to ignore.

Interview Questions and Answers

How would you introduce OWASP ZAP into a QA pipeline?

I begin with an authorized passive Baseline scan on an ephemeral staging build and publish sanitized reports. I establish rule policy, triage ownership, and route plus authentication coverage checks before making it a gate. Broader authenticated and active scans are added in later pipeline tiers with resettable data.

What is the difference between passive and active scanning in ZAP?

Passive rules inspect traffic ZAP has already observed and do not send attack payloads. Active rules create crafted requests to probe behavior and can affect state or capacity. They therefore require different authorization, environment, and cleanup controls.

How do you know an authenticated ZAP scan really worked?

I verify the configured logged-in or logged-out indicators, authentication statistics, response content, and protected routes in the Sites tree or report data. A successful process exit is insufficient if all requests reached the login page. I also compare expected role-specific routes with discovered coverage.

How do you handle ZAP false positives and accepted risks?

I manually reproduce the exchange and record confirmed, false positive, accepted risk, or needs investigation. Filters are narrow and versioned, while accepted risks include an owner and review date. I review suppressions after route, framework, or control changes.

When would you choose Baseline, Full, or API Scan?

Baseline fits frequent passive CI feedback. Full Scan adds active testing for an authorized recoverable web environment. API Scan imports OpenAPI, SOAP, or GraphQL and performs API-focused active testing, so it fits defined APIs in isolated test environments.

What makes a ZAP Automation Framework plan maintainable?

It has a narrow named context, explicit exclusions, ordered discovery and passive-wait jobs, documented authentication, report output, and deliberate exit policy. The plan, policy, image digest, and credentials interface are versioned and locally reproducible. Coverage prerequisites are asserted alongside alert thresholds.

Why is scanner coverage important when evaluating alerts?

Alert count depends on what ZAP reached and which rules ran. A drop can mean a fix, but it can also mean failed login, wrong target, lost routes, or disabled add-ons. I track endpoint, method, role, and rule coverage so changes in findings are interpretable.

Frequently Asked Questions

Is OWASP ZAP useful for QA testing?

Yes. ZAP can inspect HTTP and WebSocket traffic, passively analyze normal test journeys, explore applications, import API definitions, run controlled active checks, and produce repeatable CI reports.

What is a ZAP Baseline scan?

The Docker Baseline scan performs limited discovery, waits for passive scanning, and reports alerts without active attack payloads. It is a practical low-impact CI starting point, but its coverage is limited to the traffic and routes it discovers.

Can OWASP ZAP scan APIs?

Yes. The packaged API scan supports OpenAPI, SOAP, and GraphQL inputs and performs an API-focused scan. It is active by default, so run it only against an authorized test target with correct authentication and safe data.

How do I run an authenticated ZAP scan?

Create a Context with included URLs, session management, an authentication method, a logged-in or logged-out verification strategy, and a dedicated user. Prove the setup in the desktop and check protected-route coverage before moving it into automation.

Should ZAP active scanning run in production?

Active scans send crafted requests and can change state, so they normally belong in a recoverable test environment. Production testing requires explicit authorization, narrow scope, low-impact policy, monitoring, rate controls, and cleanup.

How should ZAP findings fail a CI build?

Use a reviewed policy that maps relevant rule IDs and risk levels to informational, warning, or failure outcomes. Also fail on operational errors and missing coverage prerequisites, and manually triage any release-impacting alert.

How do I reduce false positives in ZAP?

Reproduce the exact evidence, verify application context, and use a narrowly scoped alert filter or rule policy only after documenting the disposition. Review suppressions regularly and never use lower alert count as a substitute for coverage.

Related Guides