ZAP is a community project, and we are always delighted to welcome new contributors!
There are lots of ways you can contribute:
If you have a question or problem relating to using ZAP then the first thing to do is to check the Frequently Asked Questions.
We also include a comprehensive User Guide with ZAP, which is also available online: https://github.com/zaproxy/zap-core-help/wiki
If they don't help, then please ask on the User Group.
If you have found a bug then raise an issue on the zaproxy repo: https://github.com/zaproxy/zaproxy/issues
It's worth checking to see if it's already been reported, and including as much information as you can to help us diagnose your problem.
This FAQ explains some useful steps you can follow: https://github.com/zaproxy/zaproxy/wiki/FAQhelp
If you think you have found a vulnerability in ZAP then please report it via our bug bounty program.
We are always very grateful to researchers who report vulnerabilities responsibly and will be very happy to give credit for the valuable assistance they provide.
If you have a suggestion for new functionality then you can raise an issue on the zaproxy repo: https://github.com/zaproxy/zaproxy/issues
It's worth checking to see if it's already been requested, and including as much information as you can so that we can fully understand your requirements.
You can help translate the ZAP UI via the Crowdin owasp-zap project.
You can help translate the ZAP User Guide via the Crowdin owasp-zap-help project.
For information about the ZAP Evangelists and how to join up, see the ZAP Evangelists wiki page.
The source for the ZAP User Guide is underneath the zap-core-tree repo src/help/zaphelp/contents directory.
The Java Help included with ZAP and the online version are both generated from these HTML pages. Send Pull Requests to help us improve it.
If you have a GitHub account you can contribute to the ZAP wikis. The following resources may assist you to that end:
There's always lots of coding to be done! So much so that we've split it into different categories.
All code should follow the Development Rules and Guidelines.
Other resources for ZAP Developers include:
- The Hacking ZAP blog posts
- The Contributing Changes wiki page
- The Internal Details wiki pages
If you are interested in working on any of the code then the Developer Group is the best place to ask questions.
The scan rules define how ZAP can automatically detect vulnerabilities.
We are always looking to improve existing ones and add new ones, so this is a great place to start helping with the ZAP code base.
Much of the ZAP functionality is implemented as add-ons, even features that are included 'as standard' in ZAP releases.
Add-ons are a great way to extend ZAP and can be ideal for student projects - many of the existing add-ons have been implemented by students, either through programs like Google Summer of Code and the Mozilla Winter of Security or directly as part of course work.
The ZAP 'core' underpins all of the other ZAP features, and so ensuring it is as robust as possible is very important.
Fixing issues is very valuable (ones flagged as IdealFirstBug are good ones to start on) and there are always many core improvements we want to make.