
Commit 4e8a37e

fix: Correct ZAP API scan invocation
The previous script passed `-t` twice; the second occurrence silently overwrote the OpenAPI spec target, so the scan never loaded `src/test/resources/openapi.json`. The host override for `zap-api-scan.py` is `-O`, not a second `-t`. Also add a shebang, `set -euo pipefail`, `--rm` on docker run, and a usage comment pointing at the ServerLauncher prerequisite.
1 parent d61095a commit 4e8a37e

1 file changed

Lines changed: 13 additions & 5 deletions


zap.sh

@@ -1,7 +1,15 @@
1-
docker run -v "$(pwd)":/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
1+
#!/usr/bin/env bash
2+
# Run a ZAP API scan against a locally running OpenAPI server.
3+
# Prerequisite: the example server must be listening on :8080, e.g.
4+
# mvn test-compile exec:java \
5+
# -Dexec.mainClass=com.retailsvc.http.start.ServerLauncher \
6+
# -Dexec.classpathScope=test
7+
set -euo pipefail
8+
9+
docker run --rm -v "$(pwd)":/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
210
-t src/test/resources/openapi.json \
3-
-P 8080 \
411
-f openapi \
5-
-s -g gen.conf \
6-
-r zap-report.html \
7-
-t http://host.docker.internal:8080
12+
-O http://host.docker.internal:8080 \
13+
-s \
14+
-g gen.conf \
15+
-r zap-report.html
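Review bot: the hunk removes `-P 8080` without the commit message accounting for it; in `zap-api-scan.py`, `-P` sets the port ZAP itself listens on inside the container rather than the target's port, so dropping it is harmless, but the message should state that it was intentional rather than leaving it to be read as a second overwrite bug. Separately, `host.docker.internal` in the new `-O http://host.docker.internal:8080 \` line resolves out of the box only on Docker Desktop; on a Linux Docker Engine host the name does not exist unless `--add-host=host.docker.internal:host-gateway` is added to the `docker run --rm ...` line, so either add that flag or note the assumption next to the `:8080` prerequisite in the usage comment.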

0 commit comments
