OWASP ZAP (Zed Attack Proxy), the world's most popular open source web-application security scanner, preinstalled and running as a headless daemon with its authenticated REST API enabled on loopback. A fresh API key is generated on first boot. Drive spiders, active and passive scans, and read findings over the API within minutes of launch. Backed b
Overview
OWASP ZAP (the Zed Attack Proxy) is the world's most widely used open source web-application security scanner. It finds vulnerabilities in web applications and APIs through automated spidering, passive scanning and active attack rules, and is a staple of DAST pipelines and penetration testing. This image delivers ZAP fully installed and running as a headless daemon with its REST API enabled, so a scanning appliance is ready to drive within minutes of launch.
Headless Scanner Service
ZAP runs in daemon mode under the bundled systemd service, started on boot and restarted on failure. There is no desktop GUI to manage: you drive every capability (the traditional spider, the AJAX spider, passive scanning, active scanning, alerts and reporting) through the authenticated REST API. A bundled OpenJDK 17 headless runtime means no extra setup. The session database and scan state live on a dedicated, independently resizable data disk.
Per-Instance API Key
A random ZAP API key is generated fresh on the first boot of every instance and recorded for the administrator, so no shared or build-time secret ever ships in the image. The REST API is bound to loopback and, by default, only accepts connections from the instance itself, so the scanner is private until you choose to expose it (for example by tunnelling the API port over SSH). Every API call is authenticated with the per-instance key.
Automate Your Scans
The REST API exposes the full ZAP feature set: define contexts and scopes, run the traditional and AJAX spiders, let the passive scanner flag issues as traffic flows, launch active scans with tunable attack strength and alert thresholds, then pull the alerts and generate HTML, JSON or Markdown reports. Wire ZAP into CI/CD for DAST, or proxy a manual or automated test suite through it to surface findings.
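The workflow above (authenticate with the per-instance key, spider, let the passive scanner run, active-scan, then pull alerts) as an added example written for this page; it is not code from the image or from the ZAP project. It assumes the daemon listens on ZAP's default 127.0.0.1:8080, that the key from the welcome notes is supplied in the ZAP_API_KEY environment variable, and uses only the Python standard library so it can run on the instance itself or through an SSH tunnel to the loopback port. The endpoint paths are ZAP's documented JSON API routes; the helper names and the CI gate are this example's own.

```python
"""Drive a headless OWASP ZAP daemon over its REST API (standard library only).

Hypothetical helper written for this page, not part of ZAP or the cloud image.
Assumes the daemon listens on 127.0.0.1:8080 (ZAP's default) and that the
per-instance API key has been exported as ZAP_API_KEY.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

ZAP_BASE = os.environ.get("ZAP_BASE", "http://127.0.0.1:8080")
# Placeholder default: the real value comes from the instance's welcome notes.
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "replace-with-per-instance-key")


def build_url(component, kind, name, params=None):
    """Build a ZAP JSON API URL: /JSON/<component>/<view|action>/<name>/?params
    The API key is sent in the X-ZAP-API-Key header (see call()), not in the
    query string, so it stays out of shell history and proxy logs."""
    query = urllib.parse.urlencode(params or {})
    return f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/" + (f"?{query}" if query else "")


def call(component, kind, name, params=None):
    """Perform one authenticated API call and return the decoded JSON body."""
    req = urllib.request.Request(
        build_url(component, kind, name, params),
        headers={"X-ZAP-API-Key": ZAP_API_KEY},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for(component, scan_id, poll_seconds=5):
    """Poll spider/ascan status until ZAP reports 100 percent complete."""
    while True:
        status = int(call(component, "view", "status", {"scanId": scan_id})["status"])
        if status >= 100:
            return
        time.sleep(poll_seconds)


def summarize_alerts(alerts):
    """Count alerts per risk level. 'alerts' is the list under the 'alerts'
    key returned by core/view/alerts; each entry carries a 'risk' string."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def exceeds_threshold(counts, fail_on=("High",)):
    """CI gate: True if any alert at one of the listed risk levels was found."""
    return any(counts.get(level, 0) > 0 for level in fail_on)


def scan(target):
    """Full DAST pass: spider (passive scan runs on that traffic), active scan,
    then an alert summary for the target's base URL."""
    print("ZAP version:", call("core", "view", "version")["version"])
    spider_id = call("spider", "action", "scan", {"url": target})["scan"]
    wait_for("spider", spider_id)
    ascan_id = call("ascan", "action", "scan", {"url": target, "recurse": "true"})["scan"]
    wait_for("ascan", ascan_id)
    alerts = call("core", "view", "alerts", {"baseurl": target})["alerts"]
    return summarize_alerts(alerts)


if __name__ == "__main__":
    # Constructed default target for local use; pass your own staging URL instead.
    counts = scan(sys.argv[1] if len(sys.argv) > 1 else "http://localhost:3000")
    print(json.dumps(counts, indent=2))
    sys.exit(1 if exceeds_threshold(counts) else 0)
```

Run it on the instance (or from a workstation after forwarding the loopback port with `ssh -L 8080:127.0.0.1:8080 user@instance`) with `ZAP_API_KEY=<key> python3 zap_scan.py https://staging.example.test`. The non-zero exit on High alerts is what lets a CI job fail the build; adjust `fail_on` to match the alert threshold your pipeline accepts.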
Ready To Use
Connect over SSH and the daemon is already running. Read the welcome notes for the per-instance API key and example calls, confirm the version over the API, then point ZAP at your targets. The ZAP home directory, session database and results live on a dedicated, independently resizable data disk.
cloudimg Support
24/7 technical support by email and chat. Help with daemon configuration, the REST API, scan policies and attack strength, contexts and authentication handling, CI/CD integration for DAST, reporting and upgrade planning.
Use Cases
Automated DAST scanning of web applications and APIs in a CI/CD pipeline. A scanning proxy for manual and automated penetration testing. A scheduled vulnerability scanner for staging and production web estates. A self-hosted, API-driven alternative to commercial web-app scanners.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.