@zapholm/zap-cli-tool

v1.0.0

A CLI for configuring ZAP authentication, running scans, and generating reports.

Downloads

2

Readme

⚡ ZAP CLI Tool — Usage Guide

A command-line utility built in TypeScript to control OWASP ZAP for authentication, scanning, and report generation. Powered by yargs and fully customizable with CLI flags.


📦 Installation & Setup

Run via Node:

ts-node bin/index.ts <command> [options]

Or add an npm script shortcut:

"scripts": {
  "zap": "ts-node bin/index.ts"
}

Then call:

npm run zap -- scan --target https://your.site --contextName MyCtx --apiKey 12345

🔐 auth — Configure Authentication

Configures a context-specific authentication scheme using ZAP.

zap-tool auth --mode basic --target <URL> --context <CTX> --apiKey <KEY> [options]

Available Flags

| Flag | Type | Required | Description |
|------|------|----------|-------------|
| --mode | string | ✅ | Auth type: basic, session, jwt, header, cert |
| --target | string | ✅ | Target URL for authentication |
| --context | string | ✅ | Name of the ZAP context |
| --apiKey | string | ✅ | ZAP API key for authorized interaction |
| --zapHost | string | ❌ | Host of ZAP proxy (default: localhost) |
| --zapPort | number | ❌ | Port of ZAP proxy (default: 8080) |
| --username | string | ❌ | Username for BASIC or SESSION auth |
| --password | string | ❌ | Password for BASIC or SESSION auth |
| --jwt | string | ❌ | JWT token for Bearer auth via scripting |
| --headerName | string | ❌ | Header name for header-based authentication |
| --headerValue | string | ❌ | Header value to inject |
| --certPath | string | ❌ | Path to client certificate file |
| --certPassword | string | ❌ | Password for client certificate |
| --verbose | boolean | ❌ | Enables logging for verbose output |


🕸️ scan — Run Spider + Active Scan

Starts a spider (AJAX optional), followed by an active scan that uses the context and user identity.

zap-tool scan --target <URL> --contextName <CTX> --apiKey <KEY> [options]

Available Flags

| Flag | Type | Required | Description |
|------|------|----------|-------------|
| --target | string | ✅ | Target URL to scan |
| --contextName | string | ✅ | ZAP context name |
| --apiKey | string | ✅ | ZAP API key |
| --zapHost | string | ❌ | Host of ZAP proxy (default: localhost) |
| --zapPort | number | ❌ | Port of ZAP proxy (default: 8080) |
| --userName | string | ❌ | ZAP internal user name to scan as |
| --useUser | boolean | ❌ | Whether to scan as a specific user (default: false) |
| --ajax | boolean | ❌ | Use AJAX spider (default: false) |
| --minRisk | string | ❌ | Minimum risk to include in alerts: Low, Medium, High, Informational |
| --confidence | string | ❌ | Minimum confidence level: Low, Medium, High, Confirmed |
| --outputJson | string | ❌ | Save scan results to file as JSON |
| --verbose | boolean | ❌ | Print verbose scan details |


📄 report — Generate Vulnerability Report

Generates a report in the specified format using the ZAP context.

zap-tool report --contextName <CTX> --output ./report.html --apiKey <KEY> [options]

Available Flags

| Flag | Type | Required | Description |
|------|------|----------|-------------|
| --contextName | string | ✅ | Name of ZAP context to report on |
| --output | string | ✅ | Path to save output report |
| --apiKey | string | ✅ | ZAP API key |
| --zapHost | string | ❌ | Host of ZAP proxy (default: localhost) |
| --zapPort | number | ❌ | Port of ZAP proxy (default: 8080) |
| --format | string | ❌ | Report format. Options: html, pdf, jest, markdown, composite_json |
| --threshold | string | ❌ | Filter alerts below this risk: Low, Medium, High |
| --open | boolean | ❌ | Auto-open generated report in system viewer (HTML or PDF only) |


🧠 Notes

  • All commands require --apiKey to communicate with the ZAP proxy
  • Contexts must be defined in ZAP before scanning or reporting
  • You can pass --zapHost and --zapPort to target remote ZAP instances
  • Verbose logging helps when debugging integration into CI/CD pipelines
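
The three commands above chained for a CI job, as an added example that is not part of the package: the API key and password are read from environment variables, and each command line is logged with secret values masked. The names ZAP_TOOL, ZAP_API_KEY, ZAP_PASSWORD, DRY_RUN and the helper functions are assumptions; the flags are the ones listed in the tables above.

```shell
#!/bin/sh
# Added example, not part of the package. Assumed names: ZAP_TOOL, ZAP_API_KEY,
# ZAP_PASSWORD, DRY_RUN, redact, run, zap_pipeline.
ZAP_TOOL="${ZAP_TOOL:-zap-tool}"   # command name used in the README usage lines

# Echo a command line with the value after each secret-bearing flag masked.
redact() (
  out="" mask=0
  for arg in "$@"; do
    if [ "$mask" -eq 1 ]; then arg="***"; mask=0; fi
    case "$arg" in
      --apiKey|--password|--jwt|--headerValue|--certPassword) mask=1 ;;
    esac
    out="$out${out:+ }$arg"
  done
  printf '%s\n' "$out"
)

# Log the redacted command line, then execute it unless DRY_RUN=1.
run() {
  redact "$@"
  [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

# auth -> scan -> report against one context; secrets come from the environment.
zap_pipeline() {
  target="$1" ctx="$2" user="$3" report="${4:-./report.html}"
  if [ -z "${ZAP_API_KEY:-}" ] || [ -z "${ZAP_PASSWORD:-}" ]; then
    echo "ZAP_API_KEY and ZAP_PASSWORD must be set in the environment" >&2
    return 1
  fi
  # Note the flag names: auth takes --context, scan and report take --contextName.
  run "$ZAP_TOOL" auth --mode basic --target "$target" --context "$ctx" \
    --apiKey "$ZAP_API_KEY" --username "$user" --password "$ZAP_PASSWORD" &&
  run "$ZAP_TOOL" scan --target "$target" --contextName "$ctx" \
    --apiKey "$ZAP_API_KEY" --minRisk Medium --outputJson ./scan.json &&
  run "$ZAP_TOOL" report --contextName "$ctx" --output "$report" \
    --apiKey "$ZAP_API_KEY" --format html --threshold Medium
}

# Run only when called with arguments: <target> <context> <username> [report path]
if [ "$#" -ge 3 ]; then zap_pipeline "$@"; fi
```

The secrets are still passed to the tool as flags, since every command requires --apiKey, so they remain visible in the process list while a command runs; the masking covers only this wrapper's own log lines.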