import os
import re
import time
from urllib.parse import quote, urlencode

from zapv2 import ZAPv2
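# --- Configuration ---------------------------------------------------------
# Only point this at systems you are authorised to test: the active scan at
# the bottom sends attack payloads and can alter or damage the target.
# Secrets are read from the environment; the literal fallbacks are
# placeholders and must never hold real values in a committed file.
target = os.environ.get('ZAP_TARGET', 'http://example.com')
api_key = os.environ.get('ZAP_API_KEY', 'your-api-key')
zap_proxy = os.environ.get('ZAP_PROXY', 'http://127.0.0.1:8080')
test_username = os.environ.get('ZAP_TEST_USERNAME', 'test')
test_password = os.environ.get('ZAP_TEST_PASSWORD', 'secret')
# NOTE: with a plain-http target the test credentials cross the wire in clear
# text; prefer an https target outside an isolated lab.

CONTEXT_NAME = 'exampleContext'
USER_NAME = 'testUser'
# Login POST body as the target expects it; {%username%} / {%password%} are
# the placeholders ZAP substitutes with the user's credentials.
LOGIN_REQUEST_DATA = 'username={%username%}&password={%password%}'
# Regexes ZAP matches against responses to tell an authenticated session from
# a lost one.  'pattern' is a placeholder: replace both with DISTINCT
# expressions taken from the real application (e.g. a "Logout" link vs. the
# login form).  With identical indicators ZAP cannot notice a dropped session
# and the "authenticated" scan may silently run unauthenticated.
LOGGED_IN_INDICATOR = 'pattern'
LOGGED_OUT_INDICATOR = 'pattern'
POLL_SECONDS = 2


def _wait_for_completion(status, scan_id, poll_seconds=POLL_SECONDS):
    """Block until ZAP reports the scan *scan_id* as 100% complete.

    *status* is the matching status call (``zap.spider.status`` or
    ``zap.ascan.status``).  The client hands back a decimal scan id when
    the scan was accepted; anything else is treated as an API error
    (e.g. the URL is outside the context) and raised instead of being
    polled forever.

    Raises:
        RuntimeError: if *scan_id* is not a decimal string.
    """
    if not str(scan_id).isdigit():
        raise RuntimeError('ZAP refused to start the scan: %r' % (scan_id,))
    while int(status(scan_id)) < 100:
        time.sleep(poll_seconds)


# --- Connect to the OWASP ZAP API -------------------------------------------
# The key given here is attached to every request by the client, so the
# individual calls below do not repeat it.
zap = ZAPv2(apikey=api_key, proxies={'http': zap_proxy, 'https': zap_proxy})

# --- Context and authentication ---------------------------------------------
context_id = zap.context.new_context(CONTEXT_NAME)
# re.escape keeps the hostname's dots literal; an unescaped
# 'http://example.com.*' also matches e.g. 'http://examplexcom...' and would
# pull unintended hosts into the (intrusive) scan scope.
zap.context.include_in_context(CONTEXT_NAME, re.escape(target) + '.*')
# ZAP takes the method parameters as name=value pairs.  The request data is
# itself a pair list, so it is percent-encoded (safe='') to keep its '=', '&'
# and '%' from being parsed at the outer level.
auth_params = ('loginUrl=' + target + '/login&loginRequestData='
               + quote(LOGIN_REQUEST_DATA, safe=''))
zap.authentication.set_authentication_method(context_id, 'formBasedAuthentication', auth_params)
zap.authentication.set_logged_in_indicator(context_id, LOGGED_IN_INDICATOR)
zap.authentication.set_logged_out_indicator(context_id, LOGGED_OUT_INDICATOR)

# --- Test user --------------------------------------------------------------
user_id = zap.users.new_user(context_id, USER_NAME)
# urlencode keeps the pair list well-formed when the password contains '&',
# '=' or '%'; for plain values it yields the same 'username=..&password=..'.
credentials = urlencode({'username': test_username, 'password': test_password})
zap.users.set_authentication_credentials(context_id, user_id, credentials)
zap.users.set_user_enabled(context_id, user_id, True)

# --- Spider, then active scan, as the test user -----------------------------
spider_id = zap.spider.scan_as_user(context_id, user_id, target, recurse=True)
_wait_for_completion(zap.spider.status, spider_id)

# The active scan is the intrusive step.  Waiting on its own id means the
# script exits only once the scan has finished (results are then available
# from ZAP, e.g. zap.core.alerts) rather than right after it was queued.
ascan_id = zap.ascan.scan_as_user(context_id, user_id, target, recurse=True)
_wait_for_completion(zap.ascan.status, ascan_id)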
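# Trigger a "re-test" scan on Invicti so that previously reported findings are
# re-checked and confirmed fixed.  Long options take two dashes (the original
# carried a single en-dash, which the CLI would not recognise), and the
# variable is quoted so a project name containing spaces survives word
# splitting.
kdt scan -p "$ProjectName" -t invicti --scan-params=type:re-test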