import os
import time

import requests
from selenium import webdriver
from selenium.webdriver.common.by import By
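# Configuration
# The API key is taken from the environment so it need not be committed to
# source control; the literal fallback is the value the script originally used.
ZAP_API_KEY = os.environ.get('ZAP_API_KEY', 'changeme')
ZAP_BASE_URL = 'http://localhost:8080'
TARGET_URL = 'http://example.com'
REQUEST_TIMEOUT = 30   # seconds per HTTP call; without it a hung ZAP blocks forever
POLL_INTERVAL = 5      # seconds between status checks
SCAN_DEADLINE = 3600   # seconds; upper bound on the polling loop


def zap_get(endpoint, **params):
    """Call a ZAP JSON API endpoint and return the decoded JSON body.

    Args:
        endpoint: path under ``/JSON/``, e.g. ``'ascan/view/status'``.
        **params: query parameters; passed via ``params=`` so values such as
            a target URL are properly URL-encoded.

    Returns:
        The parsed JSON response (a dict).

    Raises:
        requests.HTTPError: on a non-2xx response.
        requests.RequestException: on connection failure or timeout.
    """
    # The key goes in the X-ZAP-API-Key header rather than the query string,
    # so it does not end up in proxy or server access logs.
    response = requests.get(
        f'{ZAP_BASE_URL}/JSON/{endpoint}/',
        params=params,
        headers={'X-ZAP-API-Key': ZAP_API_KEY},
        timeout=REQUEST_TIMEOUT,
    )
    response.raise_for_status()
    return response.json()


def start_scan(target_url):
    """Start an active scan of *target_url* and return ZAP's scan id.

    Raises:
        RuntimeError: when the response carries no ``scan`` id (ZAP answers
            failed requests with an error object instead).
    """
    body = zap_get('ascan/action/scan', url=target_url)
    scan_id = body.get('scan')
    if scan_id is None:
        raise RuntimeError(f'ZAP did not return a scan id for {target_url}: {body}')
    return scan_id


def wait_for_scan(scan_id):
    """Poll the active-scan status until it reports 100%.

    Returns:
        The final progress value as an int percentage (100 on success).

    Raises:
        TimeoutError: if the scan is still running after SCAN_DEADLINE seconds.
        RuntimeError: if a status response lacks the ``status`` field, which
            would otherwise read as 0% and keep the loop spinning.
    """
    deadline = time.monotonic() + SCAN_DEADLINE
    progress = 0
    while progress < 100:
        if time.monotonic() > deadline:
            raise TimeoutError(
                f'Scan {scan_id} still at {progress}% after {SCAN_DEADLINE}s'
            )
        time.sleep(POLL_INTERVAL)  # wait before checking again
        body = zap_get('ascan/view/status', scanId=scan_id)
        if 'status' not in body:
            raise RuntimeError(f'Unexpected status response for scan {scan_id}: {body}')
        progress = int(body['status'])
    return progress


def fetch_alerts(target_url):
    """Return the list of alerts ZAP recorded for *target_url* (empty if none)."""
    body = zap_get('core/view/alerts', baseurl=target_url)
    return body.get('alerts', [])


# Start OWASP ZAP scan using API
scan_id = start_scan(TARGET_URL)
# Poll scan status until complete (bounded by SCAN_DEADLINE)
scan_progress = wait_for_scan(scan_id)
# Get alerts report
alerts = fetch_alerts(TARGET_URL)
# Assertions (note: stripped under `python -O`; the hard failures above do not
# depend on them)
assert scan_progress == 100, f'Scan did not complete, progress: {scan_progress}%'
assert alerts is not None, 'Alerts data missing'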
print(f'Scan completed with {len(alerts)} alerts found.')

This script uses the OWASP ZAP API to automate a security scan on the target URL.
First, it sends a request to start the scan and retrieves the scan ID.
Then, it polls the scan status every 5 seconds until the scan progress reaches 100%.
After completion, it fetches the alerts report and asserts that the scan completed and alerts data is present.
This approach uses explicit waits (polling) and API calls to control the scan, which is more reliable than manual UI interaction.