zaproxy-website
zaproxy-website copied to clipboard
Simplify Docker documentation using host.docker.internal and docker-compose
Source: https://www.zaproxy.org/docs/docker/about
Site Section: Scanning an app running on the host OS
Issue The site details how to get the host IP for hitting the host, which is outside of the docker network. Not only does this solution not work for Windows users (except maybe if they install Cygwin), it is also overly complex.
Solution:
Docker now uses host.docker.internal
for hitting the host as detailed here: https://docs.docker.com/desktop/mac/networking
Here is how I am able to run ZAP in Docker with only one command thanks to this docker-compose.yml:
version: “3”
services:
zap:
image: owasp/zap2docker-stable:2.10.0
command: zap-api-scan.py -t http://host.docker.internal:3000/openapi.yml -f openapi -r zap-report.html
volumes:
- ./report:/zap/wrk:rw
Not only does this use the host.docker.internal
solution for accessing the host in a clean, cross platform, way... it uses docker-compose to pull the image and run the scan with one single call:
docker-compose up zap
I think this is probably the best way to run ZAP on a local dev environment. It may be worth updating the documentation.