Can I use this skill in my CI/CD pipeline?

Absolutely. It is designed to integrate with CI workflows, such as GitHub Actions, and can be configured to fail builds if medium or high-risk vulnerabilities are found.

What is the primary purpose of this skill?

This skill automates Dynamic Application Security Testing (DAST) using OWASP ZAP to find security vulnerabilities in running web applications.

Does it require external software to run locally?

Yes, running the scan locally requires Docker to be installed and running on your machine to execute the ZAP baseline script.

What types of vulnerabilities does it detect?

It scans for the OWASP Top 10 vulnerabilities, including issues like missing Content Security Policy (CSP), missing HSTS headers, and insecure cookie flags.

How do I customize which security rules are enforced?

You can configure specific rules in the .zap/baseline.conf file, where you can set rules to IGNORE, WARN, or FAIL based on your project requirements.

OWASP ZAP Security Scanner

Name: OWASP ZAP Security Scanner
Author: CodySwannGT

byCodySwannGT

•

Security & Testing

Automates dynamic application security testing (DAST) to identify and mitigate OWASP Top 10 vulnerabilities in web applications.

The OWASP ZAP skill integrates the industry-standard Zed Attack Proxy into your development workflow to provide automated security guardrails for web applications. It allows developers to run comprehensive DAST scans locally using Docker or within CI/CD pipelines to detect critical security flaws before they reach production. The skill provides actionable guidance for fixing vulnerabilities ranging from missing security headers (CSP, HSTS) to insecure cookie configurations and sensitive data leaks, ensuring your application adheres to modern security best practices.

Key Features

01Local Docker-based execution for rapid security verification during development.

02Configurable scan rules to ignore, warn, or fail builds based on risk levels.

031 GitHub stars

04Automated OWASP Top 10 vulnerability detection through DAST scanning.

05Context-aware remediation advice for both infrastructure and application-level fixes.

06Detailed reporting in HTML, JSON, and Markdown formats.

Use Cases

01Verifying security middleware and HTTP header configurations before a production release.

02Auditing Expo web exports for common web vulnerabilities like CSRF or sensitive data exposure.

03Triaging and resolving security findings identified during pull request automated checks.

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add codyswanngt/lisa owasp-zap

For use in Claude.ai and ChatGPT