@oscarduignan
Created August 9, 2024 10:08
proof of concept build a java assembly (fat jar) that contains a release of zap and can run it with the config we want
GetZap.scala
//> using dep com.lihaoyi::requests:0.9.0
//> using toolkit 0.5.0
//> using file RunZap.scala
//> using mainClass getZap

// Download the ZAP core release archive into ./resources so that the assembly
// built from RunZap.scala can bundle it as a classpath resource. The version
// comes from zapVersion in RunZap.scala. Nothing here verifies the download;
// compare the archive against the hash published with the ZAP release before
// building an assembly you intend to ship.
@main def getZap =
  os.write.over(
    os.pwd / "resources" / s"ZAP_${zapVersion}_Core.zip",
    requests.get.stream(s"https://github.com/zaproxy/zaproxy/releases/download/v$zapVersion/ZAP_${zapVersion}_Core.zip"),
    createFolders = true
  )
RunZap.scala
//> using resourceDir ./resources
//> using dep "com.github.pathikrit::better-files:3.9.2"
import better.files.*
import java.nio.file.attribute.PosixFilePermission.*
import scala.util.Using
import scala.sys.process.*

val zapVersion = "2.15.0"

@main def runZap =
  // Unpack the bundled release into a fresh temp dir that is removed when the JVM exits.
  val zapDir = File.newTemporaryDirectory("zap").deleteOnExit()
  // Using.resource (rather than Using) rethrows I/O failures instead of swallowing them in a Try.
  Using.resource(Resource.getAsStream(s"ZAP_${zapVersion}_Core.zip").asZipInputStream): zis =>
    LazyList
      .continually(zis.getNextEntry)
      .takeWhile(_ != null)
      .foreach: zipEntry =>
        // Entry names are trusted because the archive is bundled into the assembly at build time.
        val outFile = zapDir / zipEntry.getName
        if zipEntry.isDirectory then
          outFile.createDirectories()
        else
          outFile.parent.createDirectories()
          Using.resource(outFile.newOutputStream)(zis.transferTo)
  val zapScript = zapDir / s"ZAP_$zapVersion" / "zap.sh"
  zapScript.addPermission(OWNER_EXECUTE)
  // Headless daemon on port 11000. api.disablekey=true turns off the API-key check on the
  // ZAP API; ZAP listens on localhost by default, so only local processes can reach it.
  Process(Seq(zapScript.path.toAbsolutePath.toString, "-daemon", "-config", "api.disablekey=true", "-silent", "-port", "11000")).run()

// download zap release
// $ scala-cli GetZap.scala
// build into an assembly (fat jar)
// $ scala-cli --power package -o RunZap --assembly RunZap.scala --force
// start zap
// $ ./RunZap
// assembly created is about 100mb - most of that is the zap zip
// wait for it to startup
// make some requests through the proxy
// $ curl --proxy http://localhost:11000 --insecure https://www.tax.service.gov.uk/contact/report-technical-problem/
// while it's still running, check out the report in your browser
// $ open "http://localhost:11000/OTHER/core/other/htmlreport/"
// if you want to keep the report, then save it from your browser
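The steps above leave two things manual: waiting until the daemon is up, and saving the report from the browser. The following scala-cli script is an added example, not part of the gist, that does both against the daemon RunZap starts. It polls the ZAP API's version view (`/JSON/core/view/version/`) until it answers, then downloads the HTML report from the same `/OTHER/core/other/htmlreport/` endpoint used above. The file name `ZapReport.scala`, the `waitForZap`/`saveReport` names and the timeouts are my choices; the API endpoints are ZAP's. Because RunZap starts ZAP with `api.disablekey=true`, no key is sent by default; if you keep the key check on, pass it via the `X-ZAP-API-Key` header as shown.

```scala
// ZapReport.scala (added example; file name and function names are assumptions)
//> using scala 3
//> using dep com.lihaoyi::requests:0.9.0
//> using toolkit 0.5.0

import scala.util.Try

val zapBase = "http://localhost:11000" // where RunZap starts the daemon

/** Poll ZAP's version view until it answers or the deadline passes; returns the version on success. */
def waitForZap(baseUrl: String, timeoutMillis: Long = 120000L, pollMillis: Long = 1000L): Option[String] =
  val deadline = System.currentTimeMillis() + timeoutMillis
  var version: Option[String] = None
  while version.isEmpty && System.currentTimeMillis() < deadline do
    // A connection refused or a non-2xx status just means "not ready yet".
    version = Try(requests.get(s"$baseUrl/JSON/core/view/version/", readTimeout = 2000, connectTimeout = 2000))
      .toOption
      .filter(_.statusCode == 200)
      .flatMap(r => Try(ujson.read(r.text())("version").str).toOption)
    if version.isEmpty then Thread.sleep(pollMillis)
  version

/** Fetch the HTML report and write it to dest. With api.disablekey=true no key is needed. */
def saveReport(baseUrl: String, dest: os.Path, apiKey: Option[String] = None): os.Path =
  // Sending the key in a header keeps it out of URLs, proxy logs and shell history.
  val headers = apiKey.map(k => Map("X-ZAP-API-Key" -> k)).getOrElse(Map.empty[String, String])
  val r = requests.get(s"$baseUrl/OTHER/core/other/htmlreport/", headers = headers, readTimeout = 60000)
  os.write.over(dest, r.bytes, createFolders = true)
  dest

@main def zapReport(outPath: String): Unit =
  waitForZap(zapBase) match
    case None =>
      System.err.println(s"ZAP at $zapBase did not become ready in time")
      sys.exit(1)
    case Some(v) =>
      println(s"ZAP $v is up; saving report")
      val saved = saveReport(zapBase, os.Path(outPath, os.pwd))
      println(s"report written to $saved")
```

Run it after `./RunZap` with `scala-cli ZapReport.scala -- zap-report.html`; it exits non-zero if the daemon never answers, which is what you want from a CI step rather than a silent empty report.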
oscarduignan commented Aug 9, 2024

download this gist as a zip, unpack it to a folder, and then follow the steps at the bottom of RunZap.scala to create an assembly with a specific version of zap in it that, when you run it, will unpack zap to a temporary dir and run it using the config we want

it's not enabling / disabling anything in particular

I'm not sure if it's actually tidying up the temporary zap files it extracts in all scenarios

I'm not sure if interrupting the script will be properly interrupting the zap subprocess and not leaking any resources

it's not outputting any helpful information at the moment when you run it to say what to do

the reason why I've done this proof of concept is that currently we have a complicated python-based config manager for zap that uses docker, which is problematic for us because it means we have to do port forwarding with rinetd and other things that are fiddly and brittle

we also think that zap is supposed to be more of an interactive thing, that you need someone to be able to play around with a little bit - for example with this setup, you could have the RunZap scala script be a cli that takes some arguments so that for example it enables the user interface
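One way the "cli that takes some arguments" idea could look, as an added example that is not part of the gist: the parser below turns `--ui`, `--port` and `--api-key` into the `zap.sh` argument vector that RunZap currently hard-codes. Without `--ui` it keeps the headless `-daemon -silent` mode; with `--api-key` it sets ZAP's `api.key` instead of disabling the key check. The file name `RunZapCli.scala`, the option names and the `ZapOptions`/`parseArgs`/`zapArgs` names are assumptions; unpacking the bundled release is left to RunZap and not repeated here.

```scala
// RunZapCli.scala (added example; option names and function names are assumptions)
//> using scala 3

final case class ZapOptions(ui: Boolean = false, port: Int = 11000, apiKey: Option[String] = None)

/** Parse the command line; unknown flags and bad ports are rejected rather than ignored. */
def parseArgs(args: Seq[String]): Either[String, ZapOptions] =
  @annotation.tailrec
  def loop(rest: List[String], acc: ZapOptions): Either[String, ZapOptions] = rest match
    case Nil => Right(acc)
    case "--ui" :: tail => loop(tail, acc.copy(ui = true))
    case "--port" :: p :: tail =>
      // Unprivileged ports only; a typo here should fail fast, not start ZAP somewhere unexpected.
      p.toIntOption.filter(n => n >= 1024 && n <= 65535) match
        case Some(n) => loop(tail, acc.copy(port = n))
        case None    => Left(s"--port needs a number between 1024 and 65535, got '$p'")
    case "--api-key" :: k :: tail if k.nonEmpty => loop(tail, acc.copy(apiKey = Some(k)))
    case other :: _ => Left(s"unknown or incomplete option: $other")
  loop(args.toList, ZapOptions())

/** Build the zap.sh command line that RunZap hands to Process. */
def zapArgs(zapScript: String, opts: ZapOptions): Seq[String] =
  // No -daemon means ZAP opens its desktop UI, which is the interactive use the comment describes.
  val mode = if opts.ui then Seq.empty[String] else Seq("-daemon", "-silent")
  // With a key supplied the API stays protected; otherwise fall back to RunZap's api.disablekey=true.
  val key = opts.apiKey match
    case Some(k) => Seq("-config", s"api.key=$k")
    case None    => Seq("-config", "api.disablekey=true")
  Seq(zapScript) ++ mode ++ Seq("-port", opts.port.toString) ++ key

@main def runZapCli(args: String*): Unit =
  parseArgs(args) match
    case Left(err) =>
      System.err.println(s"$err\nusage: RunZapCli [--ui] [--port N] [--api-key KEY]")
      sys.exit(2)
    case Right(opts) =>
      // In the real assembly this would be the unpacked zap.sh path; shown here as a placeholder.
      println(zapArgs("<path-to-unpacked>/zap.sh", opts).mkString(" "))
```

Wiring this into RunZap would mean replacing the hard-coded `Seq(...)` passed to `Process` with `zapArgs(zapScript.path.toAbsolutePath.toString, opts)`, so the daemon/UI choice and the key handling live in one place.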

oscarduignan commented Aug 9, 2024

this would be the kind of thing that you could also probably have in an sbt plugin so that services could just do something like

sbt startZap
sbt test
sbt openZapReport
