Integrates OWASP ZAP reports into SonarQube 7.9.6 LTS or higher. The current LTS version of SonarQube is the target.

OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

People with a wide range of security experience can use ZAP and making it ideal for developers and functional testers new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins and restart SonarQube.

A typical SonarQube configuration will have the following parameters. This example assumes the use of a Jenkins workspace, but can easily be altered for other CI/CD systems.

sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
sonar.zaproxy.htmlReportPath=${WORKSPACE}/zaproxy-htmlReport.html
# Optional - specifies additional rules outside of what's included in the core
sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml

The ZAP SonarQube Plugin is derived from the OWASP Dependency-Check SonarQube Plugin. Version 1.0 of the Dependency-Check plugin was forked by @polymont with the intent of creating a generic OWASP SonarQube plugin to support any OWASP project. The ZAP team wanted their own SonarQube plugin independent of any other project. In addition, a number of critical defects were discovered in the initial release of the Dependency-Check SonarQube plugin that were later fixed in subsequent releases, but never addressed in the generic OWASP version. The ZAP SonarQube Plugin is based on v1.0.3 of the Dependency-Check SonarQube plugin with ZAP-specific contributions by @polymont.

Permission to modify and redistribute is granted under the terms of the LGPLv3 license.