OWASP Zap for automated DAST

Does OWASP Zap check all the boxes? Could it be the tool that integrates and automates DAST into your pipeline?

Manu Magalhães
6 min read · Jul 13, 2023

This post explores what OWASP Zap can do as a Dynamic Application Security Testing (DAST) tool, considering a DevSecOps context, primarily automated use, and possible integration into a CI/CD environment in the GitHub ecosystem.

To understand DAST basics, I recommend Vishal Garg’s blog post. He covers definitions, pros, cons, and considerations when adopting a DAST tool. Super kudos to Vishal — independent writers in the DevSecOps space are a rare find!

We’ll explore:

  • Rules and vulnerabilities covered by Zap
  • Scan types
  • Delta Scans
  • Authentication
  • CI/CD Integration (highlight for GitHub Actions)
  • Reporting
  • Automation Process
  • Scan optimization
  • Other box-ticking features

Rules and Vulnerabilities Covered

Zap has three scan rule types to detect vulnerabilities: release, beta and alpha. By default, only release rules run. Each can either be passive or active (in…
