security-zap-scan

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Chinese

Run a ZAP baseline security scan against the local application.

针对本地应用运行ZAP基线安全扫描。

Check prerequisites:
- Verify Docker is installed and running:
```
docker info
```
- Check if
```
scripts/zap-baseline.sh
```
  exists in the project
Execute scan:
- If the script exists, run:
```
bash scripts/zap-baseline.sh
```
- If the script does not exist, inform the user that this project does not have a ZAP baseline scan configured
Analyze results:
- After the scan completes, read
```
zap-report.html
```
  (or
```
zap-report.md
```
  for text)
- Summarize findings:
  - Total number of alerts by risk level (High, Medium, Low, Informational)
  - List each Medium+ finding with its rule ID, name, and recommended fix
  - Categorize findings as "infrastructure-level" (fix at CDN/proxy) vs "application-level" (fix in code)
Handle failures:
- If the scan failed, explain what failed and suggest concrete remediation steps

检查前置条件:
- 验证Docker已安装并运行:
```
docker info
```
- 检查项目中是否存在
```
scripts/zap-baseline.sh
```
  脚本
执行扫描:
- 如果脚本存在，运行:
```
bash scripts/zap-baseline.sh
```
- 如果脚本不存在，告知用户该项目未配置ZAP基线安全扫描
分析结果:
- 扫描完成后，读取
```
zap-report.html
```
  （或文本格式的
```
zap-report.md
```
  ）
- 总结发现的问题:
  - 按风险级别（高、中、低、信息性）统计警报总数
  - 列出所有中高风险的问题，包含其规则ID、名称及推荐修复方案
  - 将问题分为“基础设施级”（在CDN/代理层修复）与“应用程序级”（在代码中修复）两类
处理失败情况:
- 如果扫描失败，说明失败原因并给出具体的修复步骤

Run the scan now.

立即运行扫描。