Halo CLI with OWASP ZAP
Run your OWASP ZAP scans and generate the results XML file
- Run a scan in the ZAP desktop app
- Go to Report → Generate Report
- Select XML as the format
- Save the file
The built-in reports are copied into the 'reports' directory underneath the ZAP default directory. Each report is in its own subdirectory. ZAP will generate one XML file for a full scan. This XML file can be uploaded to Halo.
Uploading your ZAP scan results to Halo
To upload the XML results file to Halo, install the Halo CLI.
Generate an API key in Halo from the project 'Settings' page. API keys are project specific and will dictate the project to which data is sent.
Because ZAP scan data is sensitive, the XML report is encrypted at upload with a passphrase that you will need to supply. When anyone clicks on a ZAP run card to expose the underlying data, they will be prompted to enter the passphrase to decrypt the content for full display.
You can also include metadata in your Halo reporting using the '--metadata' flag. Any environment variables with the HALO_ prefix will be uploaded as metadata.
For security reasons, HALO_TOKEN will not be stored or displayed.
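A pre-upload check for the metadata behaviour described above, as an added example (not part of the Halo CLI or its documentation): it lists the HALO_-prefixed variables in the current environment and stops when a name suggests a credential, for example a passphrase kept in HALO_PASSPHRASE. The function names, the name pattern and ZAP_PASSPHRASE are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; function names and the secret-name pattern are assumptions.

# Names of exported HALO_* variables, excluding HALO_TOKEN (which the page
# says is never stored or displayed). awk reads ENVIRON, so multi-line values
# cannot produce false matches.
halo_metadata_names() {
  awk 'BEGIN { for (k in ENVIRON) if (k ~ /^HALO_/ && k != "HALO_TOKEN") print k }' | sort
}

# Subset of those names that look like credentials (heuristic).
halo_metadata_suspects() {
  halo_metadata_names | grep -Ei 'PASS|SECRET|TOKEN|KEY|CRED' || true
}

# Returns 0 when nothing suspicious would be sent, 1 otherwise.
halo_metadata_check() {
  suspects=$(halo_metadata_suspects)
  if [ -n "$suspects" ]; then
    printf 'Not uploading; these variables would be sent as metadata:\n%s\n' "$suspects" >&2
    return 1
  fi
  return 0
}

# Constructed demo in a subshell so the sample variables do not leak out.
(
  export HALO_BUILD_ID=1234 HALO_PASSPHRASE=constructed-value
  halo_metadata_check || echo "upload blocked"
)
# Typical use (ZAP_PASSPHRASE is a hypothetical name outside the HALO_ prefix):
#   halo_metadata_check && halo zap ... --passphrase "$ZAP_PASSPHRASE"
```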
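- Example (Bash)

```bash
# API key generated on the project's 'Settings' page
export HALO_TOKEN=<apiKey>
halo zap \
  --file results/zapTest1.xml \
  --instance https://<orgId>.testevolve.io \
  --label zap-run-test \
  --metadata KEY=VALUE --metadata KEY=VALUE \
  --passphrase 'thisissecure'
```

- Windows (PowerShell)

```powershell
# API key generated on the project's 'Settings' page
$env:HALO_TOKEN = "<apiKey>"
halo zap `
  --files results/zapTest1.xml `
  --instance https://<orgId>.testevolve.io `
  --label zap-run-test `
  --passphrase 'thisissecure' `
  --metadata KEY=VALUE --metadata KEY=VALUE
```

- Windows (Command Prompt)

```bat
rem API key generated on the project's 'Settings' page
set HALO_TOKEN=<apiKey>
rem Command Prompt treats single quotes literally, so use double quotes
halo zap ^
  --files results/zapTest1.xml ^
  --instance https://<orgId>.testevolve.io ^
  --label zap-run-test ^
  --passphrase "thisissecure" ^
  --metadata KEY=VALUE --metadata KEY=VALUE
```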
You should now see your labelled OWASP ZAP test results in Halo. If you used a new label or a label that is not currently assigned to a Halo hierarchy node, you'll find the results on the 'Unassigned Labels' page as well as the 'Home' page.
If you used a label that is assigned to a Halo hierarchy node, you'll find the results on the targeted node as well as the 'Home' page.