OWASP Zed Attack Proxy

The OWASP ZAP is a tool that can perform an automated penetration test of an application. This tool can run in two modes:

  • A baseline scan: The baseline scan takes only a few minutes, and it is optimized to cover as many security risks as possible within that time. This makes the baseline scan quick enough to be run early in the deployment pipeline. It is even possible to run the security scan after every deployment to the first test environment, giving developers fast feedback.
  • A full active scan: The full active scan takes more time. In this type of scan, the proxy examines every response from the application to identify other URLs that are part of the application and scans them as well. In this way, the full application is discovered on the fly, using a spidering approach. This type of scan is more complete, but it also takes more time, so full scans are often run at intervals, for example, every night.

The OWASP ZAP proxy tries to identify any possible security risk. Some of the most notable risks are SQL injection, JavaScript reflection (reflected cross-site scripting), and path traversal.

The OWASP ZAP is an application that can be installed on any virtual machine. The disadvantage of this is that the virtual machine keeps running even when no scan is in progress. This is more costly, and, of course, the virtual machine itself needs to be patched and secured too. More recently, a containerized version of the proxy was also made available. This container can be run in Azure Container Instances, spinning up the proxy only when needed and tearing it down right after the scan completes.
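The two scan modes and the containerized proxy described above are typically driven from a pipeline step that starts the scan script, reads its summary, and fails the stage when the scan reports findings. The following Python wrapper is an added example, not code from this book or from the ZAP project. It assumes the ZAP project's Docker image and its packaged `zap-baseline.py` and `zap-full-scan.py` scripts, whose image tag and options are version-dependent (check the ZAP documentation for the release you use); the scan output it parses is a constructed sample in the format the scripts print, and the summary-parsing and gating logic is this example's own.

```python
"""Pipeline gate around an OWASP ZAP baseline or full scan run from the ZAP Docker image.

Added example (not the book's or the ZAP project's code). It assumes the image name and
scan scripts below; they are version-dependent, so verify them against the ZAP docs.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Assumption: the ZAP project's published image and packaged scan scripts.
ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"
SCAN_SCRIPTS = {"baseline": "zap-baseline.py", "full": "zap-full-scan.py"}

# One line per alert, e.g. "WARN-NEW: X-Frame-Options Header Not Set [10020] x 4"
ALERT_RE = re.compile(r"^(FAIL-NEW|FAIL-INPROG|WARN-NEW|WARN-INPROG|INFO): (.+?) \[(\d+)\] x (\d+)")
# Final summary line, e.g. "FAIL-NEW: 0  FAIL-INPROG: 0  WARN-NEW: 3 ... PASS: 51"
SUMMARY_RE = re.compile(r"(FAIL-NEW|FAIL-INPROG|WARN-NEW|WARN-INPROG|INFO|IGNORE|PASS): (\d+)")


def build_scan_command(mode, target, host_dir, report="zap-report.html", max_minutes=None):
    """Build the docker command for a baseline or full scan against `target`.

    The host directory is mounted at /zap/wrk so the report written with -r is kept
    after the container is torn down.
    """
    if mode not in SCAN_SCRIPTS:
        raise ValueError(f"unknown scan mode {mode!r}; expected one of {sorted(SCAN_SCRIPTS)}")
    cmd = ["docker", "run", "--rm", "-v", f"{host_dir}:/zap/wrk:rw", "-t", ZAP_IMAGE,
           SCAN_SCRIPTS[mode], "-t", target, "-r", report]
    if mode == "baseline" and max_minutes is not None:
        cmd += ["-m", str(max_minutes)]  # -m: minutes to spider; keeps the baseline scan short
    return cmd


@dataclass
class ScanResult:
    counts: dict = field(default_factory=dict)   # summary counters by level
    alerts: list = field(default_factory=list)   # (level, rule name, rule id, instances)


def parse_scan_output(output):
    """Extract the per-rule alerts and the summary counters from the scan script's output."""
    result = ScanResult()
    for raw in output.splitlines():
        line = raw.strip()
        m = ALERT_RE.match(line)
        if m:
            result.alerts.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
            continue
        if line.startswith("FAIL-NEW:") and "PASS:" in line:
            result.counts = {level: int(n) for level, n in SUMMARY_RE.findall(line)}
    return result


def gate(result, fail_on_warn=False):
    """Return True when the pipeline stage may continue.

    A missing summary means the scan did not complete, which is treated as a failure
    rather than a pass. Any FAIL blocks; WARN blocks only when fail_on_warn is set
    (a common setting for the nightly full scan, while the baseline scan only warns).
    """
    c = result.counts
    if not c:
        return False
    if c.get("FAIL-NEW", 0) or c.get("FAIL-INPROG", 0):
        return False
    if fail_on_warn and (c.get("WARN-NEW", 0) or c.get("WARN-INPROG", 0)):
        return False
    return True


def run_scan(mode, target, host_dir, **kwargs):
    """Run the scan for real and return (exit code, parsed result). Not used by the sample."""
    proc = subprocess.run(build_scan_command(mode, target, host_dir, **kwargs),
                          capture_output=True, text=True)
    return proc.returncode, parse_scan_output(proc.stdout)


# Constructed sample output (not a real scan) in the format the baseline script prints.
SAMPLE_OUTPUT = (
    "Total of 12 URLs\n"
    "PASS: Vulnerable JS Library [10003]\n"
    "PASS: Cookie No HttpOnly Flag [10010]\n"
    "WARN-NEW: X-Content-Type-Options Header Missing [10021] x 3\n"
    "WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 5\n"
    "FAIL-NEW: 0\tFAIL-INPROG: 0\tWARN-NEW: 2\tWARN-INPROG: 0\tINFO: 0\tIGNORE: 0\tPASS: 50\n"
)

if __name__ == "__main__":
    print(" ".join(build_scan_command("baseline", "https://app.example.test", "/tmp/zap", max_minutes=2)))
    res = parse_scan_output(SAMPLE_OUTPUT)
    for level, name, rule_id, n in res.alerts:
        print(f"{level:10} {name} (rule {rule_id}, {n} instances)")
    print("baseline gate (warnings allowed):", gate(res))
    print("full-scan gate (warnings block):", gate(res, fail_on_warn=True))
```

In a pipeline, the baseline wrapper would run after each deployment to the first test environment with `fail_on_warn=False`, so developers see new warnings without blocking every build, while the nightly full scan is gated with `fail_on_warn=True`. Treating a missing summary as a failure matters: a scan that crashes or times out must not silently pass the stage.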

This completes our introduction to code scanning tools and their implementation. With the help of these tools, you can detect vulnerabilities in your application and prevent security issues. The next section will examine how you can scan application dependencies.
