Simplify Docker documentation using host.docker.internal and docker-compose

[brandonmpetty]

Source: https://www.zaproxy.org/docs/docker/about

Site Section: Scanning an app running on the host OS

Issue The site details how to get the host IP for hitting the host, which is outside of the docker network. Not only does this solution not work for Windows users (except maybe if they install Cygwin), it is also overly complex.

Solution: Docker now uses host.docker.internal for hitting the host as detailed here: https://docs.docker.com/desktop/mac/networking

Here is how I am able to run ZAP in Docker with only one command thanks to this docker-compose.yml:

version: “3”
services:
  zap:
    image: owasp/zap2docker-stable:2.10.0
    command: zap-api-scan.py -t http://host.docker.internal:3000/openapi.yml -f openapi -r zap-report.html
    volumes:
      - ./report:/zap/wrk:rw

Not only does this use the host.docker.internal solution for accessing the host in a clean, cross platform, way... it uses docker-compose to pull the image and run the scan with one single call:

docker-compose up zap

I think this is probably the best way to run ZAP on a local dev environment. It may be worth updating the documentation.