Overview
OWASP ZAP 2.17.0 daemon running
systemctl status showing zap.service active and the authenticated REST API returning the ZAP core version JSON over loopback :8080.
OWASP ZAP 2.17.0 daemon running
Spider and passive scan via the API
Scan alerts JSON
This is a repackaged open source software product wherein additional charges apply for cloudimg support services.
Overview OWASP ZAP (the Zed Attack Proxy) is the world's most widely used open source web-application security scanner. It finds vulnerabilities in web applications and APIs through automated spidering, passive scanning and active attack rules, and is a staple of DAST pipelines and penetration testing. This image delivers ZAP fully installed and running as a headless daemon with its REST API enabled, so a scanning appliance is ready to drive within minutes of launch.
Headless Scanner Service ZAP runs in daemon mode under the bundled systemd service, started on boot and restarted on failure. There is no desktop GUI to manage: you drive every capability, spiders, the AJAX spider, passive scanning, active scanning, alerts and reporting, through the authenticated REST API. A bundled OpenJDK 17 headless runtime means no extra setup. The session database and scan state live on a dedicated, independently resizable data disk.
Per-Instance API Key A random ZAP API key is generated fresh on the first boot of every instance and recorded for the administrator, so no shared or build-time secret ever ships in the image. The REST API is bound to loopback and, by default, only accepts connections from the instance itself, so the scanner is private until you choose to expose it (for example by tunnelling the API port over SSH). Every API call is authenticated with the per-instance key.
Automate Your Scans The REST API exposes the full ZAP feature set: define contexts and scopes, run the traditional and AJAX spiders, let the passive scanner flag issues as traffic flows, launch active scans with tunable attack strength and alert thresholds, then pull the alerts and generate HTML, JSON or Markdown reports. Wire ZAP into CI/CD for DAST, or proxy a manual or automated test suite through it to surface findings.
Ready To Use Connect over SSH and the daemon is already running. Read the welcome notes for the per-instance API key and example calls, confirm the version over the API, then point ZAP at your targets. The ZAP home directory, session database and results live on a dedicated, independently resizable data disk.
cloudimg Support 24/7 technical support by email and chat. Help with daemon configuration, the REST API, scan policies and attack strength, contexts and authentication handling, CI/CD integration for DAST, reporting and upgrade planning.
Use Cases Automated DAST scanning of web applications and APIs in a CI/CD pipeline. A scanning proxy for manual and automated penetration testing. A scheduled vulnerability scanner for staging and production web estates. A self-hosted, API-driven alternative to commercial web-app scanners.
All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
Highlights
- OWASP ZAP, the world's most popular Apache-2.0 open source web-application security scanner, preinstalled and running as a headless daemon with the authenticated REST API enabled, no manual setup required
- A random ZAP API key is generated fresh on the first boot of every instance (no shared or build-time secret ships in the image) and the REST API is bound to loopback, private until you choose to expose it
- Drive the full ZAP feature set over the REST API (spiders, passive and active scanning, alerts and reporting) with a bundled OpenJDK runtime and the session database on a dedicated, resizable data disk, plus 24/7 cloudimg support
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Free trial
- ...
Dimension | Description | Cost/hour |
|---|---|---|
t3.medium Recommended | t3.medium | $0.08 |
t2.micro | t2.micro instance type | $0.04 |
t3.micro | t3.micro instance type | $0.04 |
c5a.12xlarge | c5a.12xlarge instance type | $0.24 |
c5a.16xlarge | c5a.16xlarge instance type | $0.24 |
c5a.24xlarge | c5a.24xlarge instance type | $0.24 |
c5a.2xlarge | c5a.2xlarge instance type | $0.24 |
c5a.4xlarge | c5a.4xlarge instance type | $0.24 |
c5a.8xlarge | c5a.8xlarge instance type | $0.24 |
c5a.large | c5a.large instance type | $0.08 |
Vendor refund policy
Refunds available on request.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Initial release of OWASP ZAP 2.17.0, the Zed Attack Proxy web-application security scanner, as a ready-to-use headless daemon with the authenticated REST API enabled and a per-instance API key generated on first boot.
Additional details
Usage instructions
Connect via SSH on port 22 as the default login user for your operating system variant (the user guide lists it per variant). This is a headless scanner service: there is no desktop GUI. Read the welcome notes, including the per-instance ZAP API key, with: sudo cat /root/owasp-zap-info.txt. Confirm the daemon is running with: systemctl status zap. The ZAP REST API is bound to loopback on port 8080 and is authenticated with the per-instance key: KEY=$(sudo grep '^zap.api.key=' /root/owasp-zap-info.txt | cut -d= -f2-); curl "http://127.0.0.1:8080/JSON/core/view/version/?apikey=${KEY} ". Drive spiders, passive and active scans, alerts and reporting over the API (see the user guide). The ZAP home directory, session database and scan results live on a dedicated data disk mounted at /var/lib/zaproxy. The API only accepts loopback connections by default; to reach it from your workstation, tunnel the port over SSH (ssh -L 8080:127.0.0.1:8080). Open whatever ports your scan targets require in the instance security group.
Resources
Vendor resources
Support
Vendor support
cloudimg provides 24/7 technical support for this product by email and live chat. Our engineers help with deployment, configuration, updates, performance tuning and troubleshooting; critical issues receive a one hour average response. Contact support@cloudimg.co.uk .
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products



