Automation on ZAP

Scanning MCP Servers with ZAP

Thu, 21 May 2026 00:00:00 +0000

ZAP can now scan MCP (Model Context Protocol) servers as a first-class target. Import an MCP server from the ZAP desktop or the Automation Framework, or run the new action-mcp-scan GitHub Action to scan one from CI.

Automating OWASP PTK with ZAP (Phase 1)

Wed, 06 May 2026 00:00:00 +0000

ZAP’s Automation Framework can now drive OWASP PTK scans using the Client Spider. This is an early release - we want you to try it and give us feedback while we work toward deeper integration with ZAP’s active and passive scan engines.

Use ZAP with KRO in Kubernetes

Mon, 13 Apr 2026 00:00:00 +0000

Learn how to integrate ZAP with KRO in a Kubernetes cluster to scan the security of each new deployment.

The ZAP MCP Server

Thu, 02 Apr 2026 00:00:00 +0000

Connect AI assistants like Claude and ChatGPT to ZAP via the Model Context Protocol. Start scans, read alerts, and explore your application—all through natural conversation.

Configuring Scan Policies with Alert Tags

Wed, 03 Sep 2025 00:00:00 +0000

A new feature in ZAP’s automation framework allows you to configure scan policies using alert tags, making it easier to target specific types of vulnerabilities without manually managing individual scan rules.

Use ZAP with Flagger in Kubernetes

Tue, 24 Dec 2024 00:00:00 +0000

Learn how to integrate ZAP with Flagger in a Kubernetes cluster to scan the security of each new deployment.

Powering Up DAST with ZAP and Noir

Mon, 11 Nov 2024 00:00:00 +0000

Integrating Noir, a tool for discovering hidden endpoints in source code, with ZAP enhances dynamic application security testing (DAST).

Signing Requests using RSA Keys

Mon, 29 Jan 2024 00:00:00 +0000

A new script in the community-scripts repository enables the signing of outgoing requests with RSA keys, addressing the challenge of testing applications that require this functionality.

Automated ZAP Scans for Orchard Core Apps

Fri, 08 Dec 2023 00:00:00 +0000

If you have an app running on the ASP.NET Core web framework and CMS Orchard Core, you can now easily run ZAP scans for it.

Automation Guide - Exploring Your App

Mon, 01 Jan 0001 00:00:00 +0000

ZAP cannot attack parts of the target app if it does not know about them. Exploring the app is key - the more effectively that is done the more effectively ZAP will be able to attack it. This is why ZAP has so many options for exploring apps.

Automation Guide - Options

Mon, 01 Jan 0001 00:00:00 +0000

If you want to use ZAP for automated security scanning then you have a wide range of options, also listed on the main Automate page.

Also see the ZAP Chat 06 Automation Introduction video which talks about and demonstrates all of these options in more detail.

Each of these options provides a different balance between ease of use and flexibility + functionality:

Automation Guide - Target Scanning Issues

Mon, 01 Jan 0001 00:00:00 +0000

It is not unusual for target systems to struggle or even fail when being scanned by ZAP.

This page explains what can go wrong, how to detect these problems and what can be done about them.

Cannot Connect

If ZAP cannot connect to the target app then it will typically fail very quickly. Solving connection problems will depend on the underlying cause, which ZAP will not be able to detect.