CHAPTER 7: Baseline Scanning (or, Zap Your Apps)

One of the most popular security tools for penetration testing hails from the well-known Open Web Application Security Project (OWASP) foundation (owasp.org) and offers many facets within its toolset. OWASP has been around for many years and supports the security community with documentation and methodologies, including guidance on security posture among other things. One of the many tools in OWASP's arsenal (a full list can be found at owasp.org/www-community/Free_for_Open_Source:Application_Security_Tools) also slots neatly into CI/CD pipelines: ZAP, short for Zed Attack Proxy (www.zaproxy.org). ZAP is suitably battle-hardened, having matured over the years as many developers improved or introduced features and removed bugs along the way. Unlike the broad mix of tools we will look at in subsequent DevSecOps tooling chapters, in this chapter our use case for ZAP is limited to what are known as baseline scans. Although the venerable ZAP comes with an excellent, easy-to-navigate user interface (UI), after a quick look at it we are going to focus on a Cloud Native approach: running ZAP in containers and driving it from the command line. You might think of a baseline scan as a kind of spider, a tool commonly used on the web in a different way to crawl across resources, taking note of them as it goes. In the same way, ZAP will traverse your assets, checking whether they are compliant. ...
