DEV.co
Open-Source Security · zaproxy

zap-extensions

ZAP Extensions is a collection of add-ons for the Zed Attack Proxy (ZAP), an open-source dynamic application security testing (DAST) tool. These extensions expand ZAP's capabilities for application security scanning and vulnerability detection, and can be installed directly within the ZAP application or manually via GitHub releases.

Source: GitHub — github.com/zaproxy/zap-extensions
934
GitHub stars
795
Forks
HTML
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryzaproxy/zap-extensions
Ownerzaproxy
Primary languageHTML
LicenseApache-2.0 — OSI-approved
Stars934
Forks795
Open issues56
Latest releasewebdriverwindows-v208 (2026-07-08)
Last updated2026-07-08
Sourcehttps://github.com/zaproxy/zap-extensions

What zap-extensions is

A Gradle-based repository containing modular add-ons for ZAP, housed under the `addOns` directory with each add-on as a separate project. Add-ons are distributed as compiled packages via GitHub releases and can be loaded into ZAP through the UI or programmatically, enabling extended scanning, reporting, and integration workflows.

Quickstart

Get the zap-extensions source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/zaproxy/zap-extensions.gitcd zap-extensions# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

AppSec Teams Extending ZAP Capabilities

Organizations using ZAP for continuous dynamic application security testing can install purpose-built add-ons to customize scanning workflows, add organizational reporting standards, or integrate with CI/CD pipelines.

Vulnerability Assessment & Penetration Testing

Security practitioners can leverage specialized add-ons to perform targeted scanning against specific vulnerability classes, APIs, or frameworks not covered by ZAP's core functionality.

Open-Source Community Development

Teams contributing security automation tools can build and distribute ZAP add-ons to a broad user base without managing separate deployment infrastructure, leveraging ZAP's established user ecosystem.

Implementation considerations

  • Each add-on must be built using Gradle following the project's build instructions; pre-compiled releases are available but custom add-ons require local compilation.
  • Add-ons are loaded into a running ZAP instance; deployment strategy depends on how ZAP itself is deployed (local desktop, containerized, server).
  • Compatibility matrix between add-on versions and ZAP core versions should be verified before deployment to avoid runtime conflicts.
  • Add-on configuration and state are typically managed within ZAP's configuration files; automated deployment requires scripting or API integration.
  • Contributors and maintainers should be familiar with the Gradle build system and ZAP plugin architecture; onboarding new developers requires security tool expertise.

When to avoid it — and what to weigh

  • Standalone Security Scanning Without ZAP — These extensions require ZAP to be installed and running; they are not standalone tools. If you need a standalone vulnerability scanner, evaluate ZAP Core or alternative DAST platforms directly.
  • Dependency on Specific Add-On Not in Repository — If your workflow requires an add-on that is not present or maintained in this repository, you will need to develop it in-house or source it from elsewhere, adding custom maintenance burden.
  • Unsupported Legacy ZAP Versions — Add-ons are designed for the latest ZAP versions. If your organization is locked on an older ZAP release, compatibility is not guaranteed and backward-porting may be required.
  • Enterprise Support & SLA Requirements — This is an open-source community-driven project. If you require guaranteed commercial support, SLAs, or vendor-backed prioritization, evaluate commercial DAST solutions instead.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive OSI-approved license permitting commercial use, modification, and redistribution with proper attribution and liability disclaimer.

Apache-2.0 permits commercial use of the add-ons and derivative works. However, this is community-maintained open-source software without vendor backing or support warranties. Organizations integrating these add-ons into commercial products should review their own legal and support obligations and consider whether supplementary commercial support is necessary.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

As add-ons extend a security testing tool, code quality and maintenance status are relevant. CodeQL and SonarCloud are used for static analysis (badges present); evidence of security-focused CI. Add-ons execute within ZAP's JVM process with access to scanned application data; malicious or poorly-written add-ons could impact scan integrity or expose sensitive information. Use official releases and verify source code for custom add-ons. No security audit data or vulnerability disclosure policy provided in excerpt.

Alternatives to consider

Burp Suite Community / Professional Extensions

Competing DAST platform with a larger commercial extension ecosystem; more UI polish and enterprise support, but proprietary licensing and higher cost at professional tier.

OWASP ZAP Core (standalone)

If specific add-ons are not required, ZAP core functionality may suffice for baseline dynamic scanning; simpler deployment with fewer dependencies.

Checkmarx SAST/DAST or Veracode

Commercial platforms with managed scanning, advanced integrations, and vendor support; higher cost but reduces operational overhead for large enterprises.

Software development agency

Build on zap-extensions with DEV.co software developers

Explore ZAP Extensions on GitHub, review the build documentation, and evaluate which add-ons align with your AppSec workflow. For teams needing vendor support, compare with commercial alternatives.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

zap-extensions FAQ

Can I use ZAP Extensions in a commercial product?
Yes, Apache-2.0 permits commercial use. However, you must retain license notices and disclaimer. This is community-maintained software without vendor warranties; evaluate your support and liability needs separately.
Do I need to build add-ons myself, or are pre-built versions available?
Pre-built add-ons are available via GitHub releases and can be downloaded and installed into ZAP. Building locally is only necessary if modifying or developing custom add-ons using Gradle.
What is the maintenance and support model?
This is open-source community-driven software. Support comes via GitHub issues and community forums. No commercial SLA or guaranteed response time. Individual add-ons may have varying maintenance levels.
How do I integrate ZAP Extensions into CI/CD?
ZAP itself must be deployed (containerized or headless). Add-ons are loaded into ZAP; CI/CD orchestration is via ZAP API calls, not add-on-specific tools. See ZAP documentation for CI/CD integration patterns.

Software development & web development with DEV.co

From first prototype to production, DEV.co delivers software development services around tools like zap-extensions. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source security and beyond.

Ready to extend ZAP's scanning capabilities?

Explore ZAP Extensions on GitHub, review the build documentation, and evaluate which add-ons align with your AppSec workflow. For teams needing vendor support, compare with commercial alternatives.