From 4e8a37e9fe0c23be230cf1b590d986597ccd24b8 Mon Sep 17 00:00:00 2001
From: Thomas Cederholm
Date: Thu, 21 May 2026 08:14:46 +0200
Subject: [PATCH 1/2] fix: Correct ZAP API scan invocation

The previous script passed `-t` twice; the second occurrence silently overwrote the OpenAPI spec target, so the scan never loaded `src/test/resources/openapi.json`. The host override for `zap-api-scan.py` is `-O`, not a second `-t`.

Also add a shebang, `set -euo pipefail`, `--rm` on docker run, and a usage comment pointing at the ServerLauncher prerequisite.
---
 zap.sh | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/zap.sh b/zap.sh
index 3286e35..887a257 100755
--- a/zap.sh
+++ b/zap.sh
@@ -1,7 +1,15 @@
-docker run -v "$(pwd)":/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
+#!/usr/bin/env bash
+# Run a ZAP API scan against a locally running OpenAPI server.
+# Prerequisite: the example server must be listening on :8080, e.g.
+# mvn test-compile exec:java \
+# -Dexec.mainClass=com.retailsvc.http.start.ServerLauncher \
+# -Dexec.classpathScope=test
+set -euo pipefail
+
+docker run --rm -v "$(pwd)":/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
 -t src/test/resources/openapi.json \
- -P 8080 \
 -f openapi \
- -s -g gen.conf \
- -r zap-report.html \
- -t http://host.docker.internal:8080
+ -O http://host.docker.internal:8080 \
+ -s \
+ -g gen.conf \
+ -r zap-report.html

From 7d15ab71983d138761ec0bd2a4d79de6b260cd37 Mon Sep 17 00:00:00 2001
From: Thomas Cederholm
Date: Thu, 21 May 2026 08:19:08 +0200
Subject: [PATCH 2/2] chore: Ignore ZAP scan artefacts

gen.conf and zap-report.html are regenerated on every ./zap.sh run.
---
 .gitignore | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitignore b/.gitignore
index 240e877..717c7e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,7 @@ build/
 ### Performance recordings ###
 perf/
+
+### ZAP scan artefacts ###
+gen.conf
+zap-report.html
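Review bot: The new `-O http://host.docker.internal:8080` line only resolves out of the box on Docker Desktop; on a plain Linux Docker Engine that name is not defined inside the container, so the scan cannot reach the server the header comment says must be on :8080. Adding `--add-host=host.docker.internal:host-gateway` to the `docker run` line makes the script work in both environments. Because the script now runs under `set -euo pipefail`, the scanner's non-zero exit for WARN-level findings (not only FAILs or scan errors) will end the script with that status; if that is meant as a CI gate, a comment such as `# Exit status is ZAP's verdict: non-zero on FAIL/WARN findings or scan errors` above the `docker run` line would make it explicit, and `-I` is the scanner option to pass if warnings should not fail the run.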