OWASP ZAP 2.17.0 (Apache-2.0) on Ubuntu 24.04 LTS by cloudimg - the world's most widely used open-source web application security scanner (DAST). Runs headless as a daemon exposing its REST API and scanning proxy on loopback, gated by a per-VM API key, with sessions on a dedicated data disk. 24/7 cloudimg support.
## OWASP ZAP on Ubuntu 24.04 LTS by cloudimg
OWASP ZAP (Zed Attack Proxy) is the world's most widely used open-source web application security scanner, performing Dynamic Application Security Testing (DAST). This cloudimg image runs ZAP 2.17.0 in headless daemon mode as an appliance: a long-running ZAP daemon exposing its REST API and local scanning proxy, driven by the API or the ZAP Automation Framework to spider and scan target web applications. ZAP runs as a dedicated zap system user on a Temurin 17 JRE with the API bound to loopback, gated by a per-VM API key generated on first boot, with its home on a dedicated Azure data disk. Backed by 24/7 expert support.
### DAST Scanning via API
Drive ZAP from the REST API or the ZAP Automation Framework to spider and scan target web applications for vulnerabilities - ideal for CI/CD-integrated security testing.
### Dedicated Data Disk
The ZAP home (sessions, scan results, contexts and add-ons) lives on a dedicated, independently resizable Azure data disk, separate from the OS disk and re-provisioned with every VM.
### Secure By Default
The ZAP API and proxy listen on 127.0.0.1:8090 only and are gated by an API key uniquely generated on the first boot of every VM, stored in a root-only file; port 8090 is never opened on the NSG. nginx on port 80 serves a static unauthenticated /health endpoint.
### Why Choose cloudimg?
* 24/7 Expert Support with a guaranteed 24-hour response. Contact support@cloudimg.co.uk
* Production Ready from Launch: pre-configured, security-patched, and validated before publication
* Azure Native Integration: built with the Azure Linux Agent, cloud-init, and Gen2 Hyper-V
### What is Included
* OWASP ZAP 2.17.0 (official Linux distribution) running as a systemd daemon on a Temurin 17 JRE
* A unique per-VM API key generated on first boot in a root-only file
* ZAP home, sessions, scan results and add-ons on a dedicated Azure data disk
* A loopback-only ZAP API and proxy on 127.0.0.1:8090, fronted by nginx on port 80
* A static unauthenticated /health endpoint for load-balancer probes
### Networking
Reach the API over an SSH tunnel (`ssh -L 8090:127.0.0.1:8090 azureuser@your-vm-ip`); add your own authentication and TLS before exposing any port.
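As an added example (not part of this listing or of the ZAP project), a small Python driver for the workflow above: with the tunnel from the Networking note open, it spiders and actively scans a target through the loopback API on 127.0.0.1:8090, presents the per-VM key in ZAP's X-ZAP-API-Key header, and fails a CI job when High-risk alerts are raised. The ZAP_API_KEY environment variable, the staging URL and the fail threshold are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Loopback API/proxy port from the listing; reachable after ssh -L 8090:127.0.0.1:8090
ZAP = "http://127.0.0.1:8090"

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL: /JSON/<component>/<kind>/<name>/?k=v."""
    url = f"{ZAP}/JSON/{component}/{kind}/{name}/"
    return url + ("?" + urllib.parse.urlencode(params) if params else "")

def zap_call(component, kind, name, api_key, **params):
    """GET an API endpoint, presenting the per-VM key in the X-ZAP-API-Key header."""
    req = urllib.request.Request(api_url(component, kind, name, **params),
                                 headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for(component, scan_id, api_key):
    """Poll spider/ascan progress until ZAP reports 100 percent."""
    while int(zap_call(component, "view", "status", api_key, scanId=scan_id)["status"]) < 100:
        time.sleep(5)

def summarise(alerts, fail_on=("High",)):
    """Count alerts per risk level and say whether any level in fail_on was hit."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts, any(counts.get(risk, 0) > 0 for risk in fail_on)

def scan(target, api_key):
    """Spider, then actively scan, then pull the alerts ZAP raised for the target."""
    spider_id = zap_call("spider", "action", "scan", api_key, url=target)["scan"]
    wait_for("spider", spider_id, api_key)
    ascan_id = zap_call("ascan", "action", "scan", api_key, url=target)["scan"]
    wait_for("ascan", ascan_id, api_key)
    return zap_call("core", "view", "alerts", api_key, baseurl=target)["alerts"]

if __name__ == "__main__":
    # Assumed: the key was copied out of the root-only file into ZAP_API_KEY,
    # and the target is an application you own that the VM can reach.
    counts, failed = summarise(scan("http://staging.example.invalid", os.environ["ZAP_API_KEY"]))
    print(counts)
    raise SystemExit(1 if failed else 0)
```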
### Use Cases
CI/CD-integrated DAST, automated web application security scanning, a self-hosted vulnerability scanner driven by the ZAP API, and AppSec/DevSecOps pipelines.
Visit www.cloudimg.co.uk/guides/owasp-zap-on-ubuntu-24-04-azure for the full user guide.
OWASP, ZAP and Zed Attack Proxy are trademarks of the OWASP Foundation; this image repackages the upstream Apache-2.0 software and is not affiliated with or endorsed by the OWASP Foundation. All trademarks are the property of their respective holders.