extension
Category: Development & Engineering; No API Key required

security-zap-scan

Run an OWASP ZAP baseline security scan locally with Docker. Checks for the project's ZAP baseline script, executes the scan, and summarizes the findings by risk level together with remediation advice.

Author: jakexiaohubgithub

OWASP ZAP Baseline Security Scan

Run a ZAP baseline security scan against the local application.

Workflow

  1. Check prerequisites:

    • Verify Docker is installed and the daemon is reachable: docker info (exits non-zero if the daemon is not running)
    • Check whether scripts/zap-baseline.sh exists in the project (the wrapper that starts the ZAP container and runs zap-baseline.py)
  2. Execute scan:

    • If the script exists, run: bash scripts/zap-baseline.sh
    • If the script does not exist, inform the user that this project does not have a ZAP baseline scan configured
  3. Analyze results:

    • After the scan completes, read zap-report.html (or zap-report.md for text). The file names depend on the -r (HTML) and -w (Markdown) options the script passes to zap-baseline.py; if it also passes -J, a JSON report is available for machine parsing.
    • Summarize findings:
      • Total number of alerts by risk level (High, Medium, Low, Informational), listing zero counts explicitly
      • List each Medium or High finding with its rule (plugin) ID, name, number of instances, and recommended fix
      • Categorize findings as "infrastructure-level" (response-header and server-disclosure rules, fixed at the CDN/proxy) vs "application-level" (cookies, CORS, disclosure in page content, fixed in code)
  4. Handle failures:

    • Distinguish a scan that could not run from a scan that ran and found problems: zap-baseline.py exits 0 on a clean pass, 1 when at least one alert is configured as FAIL, 2 when there are only WARNs, and 3 on a script or ZAP error (Docker unavailable, target unreachable, timeout). Explain what failed and suggest concrete remediation steps.
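
The following is an added example for steps 3 and 4, not code from this skill or from scripts/zap-baseline.sh. It assumes the wrapper ran zap-baseline.py with -J so a JSON report exists next to the HTML one, and it uses an assumed, illustrative mapping of ZAP plugin IDs to the "infrastructure-level" bucket (adjust it to your deployment). The sample report embedded in the block is constructed; the exit-code table is zap-baseline.py's own.

```python
"""Summarize an OWASP ZAP baseline JSON report by risk level (added example).

Assumed run, with the JSON report enabled next to the HTML one:
  docker run --rm -v "$(pwd):/zap/wrk:rw" -t ghcr.io/zaproxy/zaproxy:stable
      zap-baseline.py -t http://host.docker.internal:3000 -r zap-report.html -J zap-report.json
Usage: python summarize_zap.py zap-report.json  (no argument: summarize SAMPLE_REPORT)
"""
import json
import re
import sys
from collections import Counter

RISK_NAMES = {"3": "High", "2": "Medium", "1": "Low", "0": "Informational"}

# zap-baseline.py exit statuses.
EXIT_MEANING = {
    0: "pass: no alerts at FAIL level",
    1: "FAIL: at least one alert configured as FAIL",
    2: "WARN: warnings only, no FAILs",
    3: "error: ZAP could not run or complete (check Docker, target URL, timeouts)",
}

# Passive rules normally fixed at the CDN / reverse proxy (response headers).
# Assumed mapping for this example; tune it to your own deployment.
INFRA_PLUGINS = {
    "10020",  # Anti-clickjacking header (X-Frame-Options / CSP frame-ancestors)
    "10021",  # X-Content-Type-Options header missing
    "10035",  # Strict-Transport-Security header not set
    "10036",  # Server leaks version info via "Server" header
    "10037",  # Server leaks info via "X-Powered-By" header
    "10038",  # Content Security Policy (CSP) header not set
    "10063",  # Permissions Policy header not set
}

# Constructed sample in the shape of ZAP's traditional JSON report (site -> alerts).
SAMPLE_REPORT = {
    "site": [{
        "@name": "http://host.docker.internal:3000",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "count": "3",
             "solution": "<p>Ensure that your web server, load balancer, etc. is configured to set the Content-Security-Policy header.</p>"},
            {"pluginid": "10054", "alert": "Cookie without SameSite Attribute",
             "riskcode": "1", "count": "1",
             "solution": "<p>Set the SameSite attribute to 'lax' or ideally 'strict' for all cookies.</p>"},
            {"pluginid": "10098", "alert": "Cross-Domain Misconfiguration",
             "riskcode": "2", "count": "2",
             "solution": "<p>Ensure that sensitive data is not available in an unauthenticated manner.</p>"},
            {"pluginid": "10027", "alert": "Information Disclosure - Suspicious Comments",
             "riskcode": "0", "count": "5",
             "solution": "<p>Remove comments that may help an attacker and fix the problems they refer to.</p>"},
        ],
    }],
}


def strip_html(text):
    """Collapse ZAP's HTML-formatted solution text to a single plain line."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", text or "")).strip()


def iter_alerts(report):
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", ""), alert


def summarize(report):
    """Return ({risk_level: count} with zeros filled, [Medium+ findings, highest risk first])."""
    counts = Counter({name: 0 for name in RISK_NAMES.values()})
    findings = []
    for site_name, alert in iter_alerts(report):
        code = str(alert.get("riskcode", ""))
        counts[RISK_NAMES.get(code, "Unknown")] += 1
        if code in ("2", "3"):
            plugin = str(alert.get("pluginid", ""))
            findings.append({
                "site": site_name, "riskcode": int(code), "risk": RISK_NAMES[code],
                "rule_id": plugin, "name": alert.get("alert") or alert.get("name", ""),
                "instances": int(alert.get("count", len(alert.get("instances", [])))),
                "layer": "infrastructure" if plugin in INFRA_PLUGINS else "application",
                "fix": strip_html(alert.get("solution")),
            })
    findings.sort(key=lambda f: (-f["riskcode"], f["rule_id"]))
    return counts, findings


def render(counts, findings):
    lines = ["Alerts by risk level:"]
    for name in RISK_NAMES.values():  # High .. Informational, zeros included
        lines.append(f"  {name:<14}{counts.get(name, 0)}")
    lines.append("")
    lines.append("Medium+ findings:" if findings else "No Medium or High findings.")
    for f in findings:
        lines.append(f"  [{f['risk']}] {f['rule_id']} {f['name']} "
                     f"({f['instances']} instance(s), {f['layer']}-level)")
        lines.append(f"      fix: {f['fix']}")
    return "\n".join(lines)


def explain_exit(status):
    """Human-readable meaning of a zap-baseline.py exit status."""
    return EXIT_MEANING.get(status, f"unexpected exit status {status}")


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    counts, findings = summarize(report)
    print(render(counts, findings))


if __name__ == "__main__":
    main(sys.argv)
```

Feed the script the exit status of scripts/zap-baseline.sh as well (for example, by wrapping the run in a small shell step that captures $?) so the summary can say whether a non-zero status came from FAIL-level alerts or from ZAP not running at all.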

Execution

Run the scan now.