security-zap-scan_skill

This skill runs an OWASP ZAP baseline scan via Docker, analyzes results by risk, and offers remediation guidance.
  • TypeScript

1

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill codyswanngt/lisa --skill security-zap-scan

  • SKILL.md1.2 KB

Overview

This skill runs an OWASP ZAP baseline security scan locally using Docker and the project's baseline script. It verifies prerequisites, executes the scan if configured, and produces a concise summary of findings by risk level with actionable remediation guidance. The goal is a quick, repeatable security check that highlights Medium+ issues and distinguishes infrastructure vs application fixes.

How this skill works

The skill first confirms Docker is available and that the project includes a ZAP baseline script (scripts/zap-baseline.sh). If present, it runs the script inside Docker to perform the baseline scan against the local application. After the run, it parses the generated report (HTML or Markdown), counts alerts by risk level, extracts each Medium and High finding with rule ID, name, and recommended fixes, and classifies each issue as infrastructure-level or application-level. If execution fails, it captures the failure reason and suggests concrete next steps.

When to use it

  • Before merging security-sensitive changes to validate there are no new baseline issues
  • As part of local pre-deployment checks to catch common web vulnerabilities early
  • When onboarding a project to quickly assess web app exposure and high-priority risks
  • When adding or modifying network/proxy/CDN configuration to ensure infra-level settings are secure
  • During regular security hygiene runs to track trends in Medium+ findings over time

Best practices

  • Ensure Docker is installed and the Docker daemon is running before starting the scan
  • Keep the baseline script (scripts/zap-baseline.sh) updated with current target URLs and auth settings
  • Run scans against a staging or local instance to avoid impacting production traffic
  • Prioritize fixing High and Medium alerts first and document whether fixes are infra or app-level
  • Store or export zap-report.html or zap-report.md artifacts for audit and trend analysis

Example use cases

  • A developer runs the scan locally to confirm a new endpoint has no injection or auth issues
  • A CI job invokes the baseline script in a build pipeline and fails the build on High findings
  • A security engineer runs the scan after changing CDN headers to verify infrastructure-level hardening
  • A team triages Medium findings by mapping rule IDs to code owners for targeted remediation
  • A release checklist step that produces a summarized report of outstanding vulnerabilities

FAQ

The skill aborts the scan and explains how to install and start Docker, plus commands to verify the daemon (e.g., docker info).

What reports are produced and how are they summarized?

It reads zap-report.html or zap-report.md, counts alerts by risk (High/Medium/Low/Informational), lists Medium+ findings with rule IDs, and offers remediation recommendations and classification.

How does it decide infrastructure-level vs application-level?

Classification is based on the nature of the finding: configuration, headers, CDN/proxy behavior map to infrastructure-level; code, input handling, and auth logic map to application-level.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
security-zap-scan skill by codyswanngt/lisa | VeilStrat