zap-extensions
ZAP Extensions is a collection of add-ons for the Zed Attack Proxy (ZAP), an open-source dynamic application security testing (DAST) tool. These extensions expand ZAP's capabilities for application security scanning and vulnerability detection, and can be installed directly within the ZAP application or manually via GitHub releases.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | zaproxy/zap-extensions |
| Owner | zaproxy |
| Primary language | HTML |
| License | Apache-2.0 — OSI-approved |
| Stars | 934 |
| Forks | 795 |
| Open issues | 56 |
| Latest release | webdriverwindows-v208 (2026-07-08) |
| Last updated | 2026-07-08 |
| Source | https://github.com/zaproxy/zap-extensions |
What zap-extensions is
A Gradle-based repository containing modular add-ons for ZAP, housed under the `addOns` directory with each add-on as a separate project. Add-ons are distributed as compiled packages via GitHub releases and can be loaded into ZAP through the UI or programmatically, enabling extended scanning, reporting, and integration workflows.
Get the zap-extensions source
Clone the repository and explore it locally.
git clone https://github.com/zaproxy/zap-extensions.gitcd zap-extensions# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Each add-on must be built using Gradle following the project's build instructions; pre-compiled releases are available but custom add-ons require local compilation.
- Add-ons are loaded into a running ZAP instance; deployment strategy depends on how ZAP itself is deployed (local desktop, containerized, server).
- Compatibility matrix between add-on versions and ZAP core versions should be verified before deployment to avoid runtime conflicts.
- Add-on configuration and state are typically managed within ZAP's configuration files; automated deployment requires scripting or API integration.
- Contributors and maintainers should be familiar with the Gradle build system and ZAP plugin architecture; onboarding new developers requires security tool expertise.
When to avoid it — and what to weigh
- Standalone Security Scanning Without ZAP — These extensions require ZAP to be installed and running; they are not standalone tools. If you need a standalone vulnerability scanner, evaluate ZAP Core or alternative DAST platforms directly.
- Dependency on Specific Add-On Not in Repository — If your workflow requires an add-on that is not present or maintained in this repository, you will need to develop it in-house or source it from elsewhere, adding custom maintenance burden.
- Unsupported Legacy ZAP Versions — Add-ons are designed for the latest ZAP versions. If your organization is locked on an older ZAP release, compatibility is not guaranteed and backward-porting may be required.
- Enterprise Support & SLA Requirements — This is an open-source community-driven project. If you require guaranteed commercial support, SLAs, or vendor-backed prioritization, evaluate commercial DAST solutions instead.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and redistribution with proper attribution and liability disclaimer.
Apache-2.0 permits commercial use of the add-ons and derivative works. However, this is community-maintained open-source software without vendor backing or support warranties. Organizations integrating these add-ons into commercial products should review their own legal and support obligations and consider whether supplementary commercial support is necessary.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
As add-ons extend a security testing tool, code quality and maintenance status are relevant. CodeQL and SonarCloud are used for static analysis (badges present); evidence of security-focused CI. Add-ons execute within ZAP's JVM process with access to scanned application data; malicious or poorly-written add-ons could impact scan integrity or expose sensitive information. Use official releases and verify source code for custom add-ons. No security audit data or vulnerability disclosure policy provided in excerpt.
Alternatives to consider
Burp Suite Community / Professional Extensions
Competing DAST platform with a larger commercial extension ecosystem; more UI polish and enterprise support, but proprietary licensing and higher cost at professional tier.
OWASP ZAP Core (standalone)
If specific add-ons are not required, ZAP core functionality may suffice for baseline dynamic scanning; simpler deployment with fewer dependencies.
Checkmarx SAST/DAST or Veracode
Commercial platforms with managed scanning, advanced integrations, and vendor support; higher cost but reduces operational overhead for large enterprises.
Build on zap-extensions with DEV.co software developers
Explore ZAP Extensions on GitHub, review the build documentation, and evaluate which add-ons align with your AppSec workflow. For teams needing vendor support, compare with commercial alternatives.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
zap-extensions FAQ
Can I use ZAP Extensions in a commercial product?
Do I need to build add-ons myself, or are pre-built versions available?
What is the maintenance and support model?
How do I integrate ZAP Extensions into CI/CD?
Software development & web development with DEV.co
From first prototype to production, DEV.co delivers software development services around tools like zap-extensions. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.
Ready to extend ZAP's scanning capabilities?
Explore ZAP Extensions on GitHub, review the build documentation, and evaluate which add-ons align with your AppSec workflow. For teams needing vendor support, compare with commercial alternatives.