Security & Quality
OWASP ZAP Security Testing
Perform automated web application security testing to find common vulnerabilities like XSS, injection flaws, and misconfigurations.
Claude Code, Codex
Overview
OWASP ZAP (Zed Attack Proxy) is the world's most widely used web application security testing tool. It performs automated scans to detect vulnerabilities like cross-site scripting (XSS), SQL injection, CSRF, and security misconfigurations. It can also be used for manual penetration testing and security auditing.
AI agents can orchestrate ZAP scans against your development or staging environments, interpret the vulnerability reports, and implement fixes directly in your codebase. When ZAP identifies an XSS vulnerability, the agent can trace the issue to the specific code path and add proper input sanitization or output encoding.
The integration is especially valuable during pre-release security reviews. Your AI agent can spin up your application, run a full ZAP scan, prioritize the findings by severity, and work through the critical and high-severity issues, implementing fixes and re-scanning to verify they are resolved.
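The triage and re-scan loop described above (rank findings by severity, fix, re-scan, confirm what was resolved) is easy to automate once the scan report is machine-readable. The script below is an added example, not code from this skill page or from the ZAP project. It assumes the layout of ZAP's traditional JSON report, as written by zap-baseline.py's -J option: a top-level "site" list, each site holding an "alerts" list whose entries carry "pluginid", "alert", "riskcode" (0 to 3), "confidence" and "instances". The two reports embedded in it are constructed sample data, not output from a real scan, and the release-gate threshold is an assumed policy, not something ZAP defines.

```python
"""Triage a ZAP JSON report and diff it against a re-scan.

Added example for the OWASP ZAP skill page; not ZAP's own code. Assumes the
traditional ZAP JSON report layout (site -> alerts -> instances) produced by
`zap-baseline.py -J report.json`. Sample reports below are constructed.
"""
import json
import sys
from collections import Counter

# ZAP risk codes as they appear in the report: 3=High, 2=Medium, 1=Low, 0=Informational.
RISK_NAMES = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}

# Constructed "before fix" report: one High reflected XSS, one Low missing header.
BEFORE_REPORT = json.dumps({
    "@version": "sample",
    "site": [{
        "@name": "http://localhost:3000",
        "alerts": [
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "cweid": "79",
             "instances": [{"uri": "http://localhost:3000/search?q=test",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [{"uri": "http://localhost:3000/", "method": "GET",
                            "param": "x-content-type-options"}]},
        ],
    }],
})

# Constructed "after fix" re-scan: the XSS is gone, the header finding remains,
# and one new Informational alert has appeared.
AFTER_REPORT = json.dumps({
    "@version": "sample",
    "site": [{
        "@name": "http://localhost:3000",
        "alerts": [
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [{"uri": "http://localhost:3000/", "method": "GET",
                            "param": "x-content-type-options"}]},
            {"pluginid": "10027", "alert": "Information Disclosure - Suspicious Comments",
             "riskcode": "0", "confidence": "1", "cweid": "200",
             "instances": [{"uri": "http://localhost:3000/app.js", "method": "GET",
                            "param": ""}]},
        ],
    }],
})


def load_findings(report_json):
    """Flatten a ZAP JSON report into one record per (plugin, uri, param) instance."""
    findings = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert["riskcode"])
            # An alert with no instances still counts once, keyed on the site URL.
            for inst in alert.get("instances") or [{"uri": site.get("@name", "")}]:
                findings.append({
                    "key": (alert["pluginid"], inst.get("uri", ""), inst.get("param", "")),
                    "name": alert["alert"],
                    "risk": risk,
                    "confidence": int(alert.get("confidence", 0)),
                    "cwe": alert.get("cweid", ""),
                })
    return findings


def prioritize(findings):
    """Highest risk first, then highest confidence, then alphabetical by alert name."""
    return sorted(findings, key=lambda f: (-f["risk"], -f["confidence"], f["name"]))


def summarize(findings):
    """Count findings per risk level, always returning every level."""
    counts = Counter(RISK_NAMES[f["risk"]] for f in findings)
    return {name: counts.get(name, 0) for name in RISK_NAMES.values()}


def gate(findings, max_allowed_risk=1):
    """Assumed release policy: pass only if nothing above max_allowed_risk remains.

    The default tolerates Low and Informational and blocks Medium and High."""
    return all(f["risk"] <= max_allowed_risk for f in findings)


def diff_rescan(before, after):
    """Split findings into resolved (before only), remaining (both) and new (after only)."""
    before_by_key = {f["key"]: f for f in before}
    after_by_key = {f["key"]: f for f in after}
    resolved = [before_by_key[k] for k in before_by_key.keys() - after_by_key.keys()]
    remaining = [after_by_key[k] for k in after_by_key.keys() & before_by_key.keys()]
    new = [after_by_key[k] for k in after_by_key.keys() - before_by_key.keys()]
    return {"resolved": prioritize(resolved),
            "remaining": prioritize(remaining),
            "new": prioritize(new)}


if __name__ == "__main__":
    # Usage: python zap_triage.py before.json after.json (falls back to the samples).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fb, open(sys.argv[2]) as fa:
            before_json, after_json = fb.read(), fa.read()
    else:
        before_json, after_json = BEFORE_REPORT, AFTER_REPORT
    before, after = load_findings(before_json), load_findings(after_json)
    print("Before:", summarize(before), "gate passes:", gate(before))
    for f in prioritize(before):
        print(f"  [{RISK_NAMES[f['risk']]}] {f['name']} at {f['key'][1]} param={f['key'][2]!r}")
    result = diff_rescan(before, after)
    for bucket in ("resolved", "remaining", "new"):
        print(f"{bucket}: {[f['name'] for f in result[bucket]]}")
    print("After:", summarize(after), "gate passes:", gate(after))
```

To feed it real reports, have the baseline scan write JSON into a mounted directory, for example `docker run -v $(pwd):/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://localhost:3000 -J before.json`, then repeat with `after.json` once fixes are deployed. Note that inside the container `localhost` is the container itself, so the target must be an address the container can reach (the host's address, or `--network host` on Linux). Keying findings on (plugin, URI, parameter) rather than on the alert name alone is what lets the diff distinguish a genuinely fixed XSS from the same alert merely moving to another endpoint.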
Who Is This For?
- Security engineers running automated penetration tests on web applications
- Developers fixing XSS, injection, and CSRF vulnerabilities with AI guidance
- Teams integrating security scanning into pre-release verification workflows
- QA engineers verifying security fixes through automated re-scanning
Installation
Setup for Claude Code
docker pull ghcr.io/zaproxy/zaproxy:stable
Claude Code runs ZAP via Docker:
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://localhost:3000
Configuration
# ZAP automation framework config
# zap-config.yaml
env:
  contexts:
    - name: "My App"
      urls: ["http://localhost:3000"]
  parameters:
    failOnError: true
jobs:
  - type: spider
    parameters:
      maxDuration: 5
  - type: activeScan
    parameters:
      maxScanDurationInMins: 10
Related Skills
Security & Quality
Snyk Security Scan
Detect vulnerabilities in your dependencies and application code. Get actionable remediation advice and automatic fix pull requests.
Claude Code, Codex, Copilot
Security & Quality
SonarQube Code Quality
Run continuous code quality and security analysis to catch bugs, code smells, and vulnerabilities before they reach production.
Claude Code, Codex, Copilot
Security & Quality
License Compliance Check
Audit open-source license compatibility across your dependency tree to ensure legal compliance before shipping.
Claude Code, Codex, Copilot