Source: https://www.zaproxy.org/docs/docker/about
Site Section: Scanning an app running on the host OS
Issue
The site details how to get the host IP for hitting the host, which is outside of the docker network.
Not only does this solution not work for Windows users (except maybe if they install Cygwin), it is also overly complex.
Solution:
Docker now uses host.docker.internal for hitting the host as detailed here: https://docs.docker.com/desktop/mac/networking
Here is how I am able to run ZAP in Docker with only one command thanks to this docker-compose.yml:
version: “3”
services:
zap:
image: owasp/zap2docker-stable:2.10.0
command: zap-api-scan.py -t http://host.docker.internal:3000/openapi.yml -f openapi -r zap-report.html
volumes:
- ./report:/zap/wrk:rwNot only does this use the host.docker.internal solution for accessing the host in a clean, cross platform, way... it uses docker-compose to pull the image and run the scan with one single call:
I think this is probably the best way to run ZAP on a local dev environment. It may be worth updating the documentation.
Source: https://www.zaproxy.org/docs/docker/about
Site Section: Scanning an app running on the host OS
Issue
The site details how to get the host IP for hitting the host, which is outside of the docker network.
Not only does this solution not work for Windows users (except maybe if they install Cygwin), it is also overly complex.
Solution:
Docker now uses
host.docker.internalfor hitting the host as detailed here: https://docs.docker.com/desktop/mac/networkingHere is how I am able to run ZAP in Docker with only one command thanks to this docker-compose.yml:
Not only does this use the
host.docker.internalsolution for accessing the host in a clean, cross platform, way... it uses docker-compose to pull the image and run the scan with one single call:I think this is probably the best way to run ZAP on a local dev environment. It may be worth updating the documentation.