The API can be used to perform a simple scan of an application in the following way:

1. Use the 'spider.scan' action to start spidering the target, passing in the URL you want to start spidering from. You only need to specify an apikey if you have set one up in your ZAP API options.
2. All scans are asynchronous, as they can take a long time, so poll the 'spider.status' view until it returns 100. The value is how far the spider has progressed, as a percentage.
3. Use the 'ascan.scan' action to start active scanning the target, passing in the URL you want to start scanning from, and setting recurse=true and inScopeOnly=false. As with the spider, you only need to specify an apikey if you have set one up in your ZAP API options.
4. Poll the 'ascan.status' view until it returns 100.
5. Use the 'core.alerts' view without any parameters to retrieve all of the alerts.
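
The whole sequence above as one script, added here as an illustration and not part of the original page or the ZAP project's own code. It assumes ZAP is listening on 127.0.0.1:8080, that the scan actions reply with a `scan` id which the status views accept as `scanId`, and that the target URL is a placeholder; the `fetch` parameter is a hypothetical hook so the flow can be exercised without a running ZAP.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"  # assumption: address ZAP is listening on


def http_get_json(url):
    """Fetch a ZAP API URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def zap_call(component, kind, name, params=None, apikey=None, fetch=http_get_json):
    """Build /JSON/<component>/<view|action>/<name>/ and return the parsed reply."""
    query = dict(params or {})
    if apikey:  # only needed if a key is set in the ZAP API options
        query["apikey"] = apikey
    url = f"{ZAP_BASE}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"
    return fetch(url)


def wait_until_done(component, scan_id, apikey=None, fetch=http_get_json, delay=2.0):
    """Poll <component>.status until it reports 100 (percent complete)."""
    while True:
        reply = zap_call(component, "view", "status", {"scanId": scan_id}, apikey, fetch)
        if int(reply["status"]) >= 100:
            return
        time.sleep(delay)


def simple_scan(target, apikey=None, fetch=http_get_json, delay=2.0):
    """Spider, active scan, then return every alert ZAP raised."""
    spider_id = zap_call("spider", "action", "scan", {"url": target}, apikey, fetch)["scan"]
    wait_until_done("spider", spider_id, apikey, fetch, delay)
    ascan_id = zap_call("ascan", "action", "scan",
                        {"url": target, "recurse": "true", "inScopeOnly": "false"},
                        apikey, fetch)["scan"]
    wait_until_done("ascan", ascan_id, apikey, fetch, delay)
    return zap_call("core", "view", "alerts", None, apikey, fetch)["alerts"]


if __name__ == "__main__":
    # Placeholder target; point this at an application you run yourself.
    for alert in simple_scan("http://target.example/"):
        print(alert.get("risk"), alert.get("alert"), alert.get("url"))
```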