API Scan: runs a dynamic scan against an API defined by OpenAPI or GraphQL (post 2.9.0).
About the options
There are many options, so the scan can be configured very flexibly.
I will write about the detailed configuration if I get the chance, but I am skipping it this time.
$ docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -h
Usage: zap-full-scan.py -t <target> [options]
-t target target URL including the protocol, e.g. https://www.example.com
Options:
-h print this help message
-c config_file config file to use to INFO, IGNORE or FAIL warnings
-u config_url URL of config file to use to INFO, IGNORE or FAIL warnings
-g gen_file generate default config file(all rules set to WARN)
-m mins the number of minutes to spider for (defaults to no limit)
-r report_html file to write the full ZAP HTML report
-w report_md file to write the full ZAP Wiki(Markdown) report
-x report_xml file to write the full ZAP XML report
-J report_json file to write the full ZAP JSON document
-a include the alpha active and passive scan rules as well
-d show debug messages
-P specify listen port
-D delay in seconds to wait for passive scanning
-i default rules not in the config file to INFO
-I do not return failure on warning
-j use the Ajax spider in addition to the traditional one
-l level minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
-n context_file context file which will be loaded prior to scanning the target
-p progress_file progress file which specifies issues that are being addressed
-s short output format - dont show PASSes or example URLs
-T max time in minutes to wait for ZAP to start and the passive scan to run
-U user username to use for authenticated scans - must be defined in the given context file
-z zap_options ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"
--hook path to python file that define your custom hooks
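As an added example that is not from the original post, here is a small CI-style wrapper that combines several of the options listed above: it writes a rule config in the format that `-g` generates, builds the `zap-full-scan.py` command line with `-c`, `-r`, `-J`, `-l`, `-T` and `-I`, and turns the script's exit status into a verdict. The target URL, file names and the chosen rules are assumptions; the exit-status mapping (0 pass, 1 FAIL, 2 WARN, 3 other error) is the convention of ZAP's packaged scan scripts.

```shell
#!/bin/sh
# Added example, not code from the original post: a CI wrapper around
# zap-full-scan.py. Target URL, file names and rule choices are assumptions.
set -u

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"

# Write a rule config in the format -g generates: one rule per line,
# tab-separated "<rule id><TAB>IGNORE|INFO|WARN|FAIL<TAB>(name)".
# Rules not listed keep their default, or become INFO when -i is passed.
write_rules() {
  {
    printf '# zap-full-scan rule configuration file (constructed example)\n'
    printf '40012\tFAIL\t(Cross Site Scripting (Reflected))\n'
    printf '40018\tFAIL\t(SQL Injection)\n'
    printf '10020\tWARN\t(X-Frame-Options Header)\n'
    printf '10096\tIGNORE\t(Timestamp Disclosure)\n'
  } > "$1"
}

# Build the docker command line: rule file, HTML + JSON reports, 60-minute
# limit for ZAP start-up and passive scan, and -I so that WARN-level
# findings are reported but do not fail the pipeline.
zap_scan_cmd() {
  target="$1"; rules="$2"; report="$3"
  printf 'docker run --rm -v "%s:/zap/wrk/:rw" -t %s zap-full-scan.py' "$(pwd)" "$ZAP_IMAGE"
  printf ' -t %s -c %s -r %s.html -J %s.json -l WARN -T 60 -I\n' \
    "$target" "$rules" "$report" "$report"
}

# Translate the script's exit status into a verdict for the CI log.
zap_verdict() {
  case "$1" in
    0) echo "pass" ;;    # no FAIL-level alerts (WARNs tolerated by -I)
    1) echo "fail" ;;    # a rule set to FAIL in the config fired
    2) echo "warn" ;;    # WARN-level alerts, only returned without -I
    3) echo "error" ;;   # nothing scanned: ZAP did not start or target unreachable
    *) echo "unknown" ;;
  esac
}

# Run only when ZAP_TARGET is set, so the helpers can be tested offline.
if [ -n "${ZAP_TARGET:-}" ]; then
  write_rules zap-rules.conf
  sh -c "$(zap_scan_cmd "$ZAP_TARGET" zap-rules.conf zap-report)"
  echo "ZAP result: $(zap_verdict $?)"
fi
```

Run it as `ZAP_TARGET=https://www.example.com sh zap-ci.sh`; the reports land in the bind-mounted working directory.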