Here’s a clean, step-by-step guide to install the latest OWASP ZAP on any OS, plus quick checks and headless/CI tips.
Latest version right now: ZAP 2.16.1 (stable). (ZAP)
1) Pick your install method (per OS)
Windows
Easiest (Winget)
winget install --id=ZAP.ZAP -e
To update later:
winget upgrade ZAP.ZAP
(ZAP)
Alternative (Scoop)
scoop install zaproxy
(ZAP)
Traditional installer
- Download the Windows Installer for 2.16.1.
- Double-click, accept license, finish.
(Windows builds require Java 17+; see step 2.) (ZAP)
macOS
Homebrew (recommended)
brew install --cask zap
(2.16.1 as of today.) (Homebrew Formulae)
Direct installer
- Download the macOS (Intel/Apple Silicon) installer and run it.
(Mac installers include Java 17.) (ZAP)
Linux (Ubuntu/Debian/Fedora/…)
Snap (simple & maintained by ZAP team)
sudo snap install zaproxy --classic
# later:
sudo snap refresh zaproxy
Then run:
zaproxy
(ZAP)
Flatpak
flatpak install flathub org.zaproxy.ZAP
flatpak run org.zaproxy.ZAP
(ZAP)
Official Linux repos (RPM/DEB via openSUSE Build Service)
- Follow the repo instructions for your distro on the “Linux Repos” link, then install the zap/zaproxy package. (ZAP)
Docker (great for CI/CD or zero-Java setup)
Pull a prebuilt image:
docker pull ghcr.io/zaproxy/zaproxy:stable
# or docker pull zaproxy/zap-stable
(ZAP)
2) Pre-req: Java (when needed)
- Required for Windows/Linux installers and cross-platform zip: Java 17+.
- Not needed for Docker; bundled on macOS installer.
Get Java 17 (Temurin) if you don’t have it. (ZAP)
3) Verify the install & version
Desktop / CLI
- Start ZAP from Start Menu (Win), Applications (macOS), or zaproxy (Linux).
- Or print version via script:
# macOS
/Applications/ZAP.app/Contents/Java/zap.sh -version
# Linux
zap.sh -version
# Windows
"C:\Program Files\ZAP\Zed Attack Proxy\zap.bat" -version
(ZAP)
(Optional) Verify checksums
Checksums are listed on the 2.16.1 release—compare after download. (ZAP)
4) First run tips (TLS & Add-ons)
- If you’ll proxy HTTPS traffic through ZAP, install the ZAP Root CA in your browser (Options → Network → Server Certificates; generate/save, then import to your browser’s trusted roots). (ZAP)
- Extend ZAP via Marketplace (Manage Add-ons). (ZAP)
5) Headless / automation (CI quick wins)
Start ZAP headlessly with API key
zap.sh -daemon -host 127.0.0.1 -port 8090 -config api.key=YOUR_SECRET_KEY
(Use zap.bat on Windows.) An API key is required by default for security. (ZAP)
Packaged Docker scans
- Baseline (passive, prod-safe)
docker run -t ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://example.com -r report.html
(Mount -v $(pwd):/zap/wrk to save reports.) (ZAP)
- Full scan (includes active attacks)
docker run -t ghcr.io/zaproxy/zaproxy:stable \
  zap-full-scan.py -t https://example.com -r full.html
(ZAP)
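An added example (not from the original post or the ZAP project): a small CI wrapper that runs the baseline command above with the report mount and turns the exit status of zap-baseline.py into a pipeline verdict, failing closed when the scan itself errors. The function names zap_gate and run_baseline and the fail-on-warn argument are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: CI gate around the packaged baseline scan.
# zap-baseline.py exit codes:
#   0 = success, 1 = at least one FAIL,
#   2 = at least one WARN and no FAILs, 3 = any other failure.

# zap_gate EXIT_CODE [FAIL_ON_WARN]   (hypothetical helper)
# Prints a verdict; returns 0 if the pipeline may continue, 1 otherwise.
zap_gate() {
  local code="$1"
  local fail_on_warn="${2:-false}"
  case "$code" in
    0) echo "pass: no FAIL or WARN alerts"; return 0 ;;
    1) echo "block: at least one FAIL alert"; return 1 ;;
    2) if [ "$fail_on_warn" = "true" ]; then
         echo "block: WARN alerts and fail-on-warn is set"; return 1
       fi
       echo "pass-with-warnings: review report"; return 0 ;;
    # 3, or anything else (docker missing, image pull failed, timeout):
    # the scan did not complete, so there is no result to trust.
    *) echo "block: scan error (exit $code), no trustworthy result"; return 1 ;;
  esac
}

# run_baseline TARGET_URL [FAIL_ON_WARN]   (hypothetical helper)
# Runs the passive baseline scan; report.html lands in the current
# directory through the /zap/wrk mount.
run_baseline() {
  local target="$1"
  local rc=0
  docker run --rm -t -v "$(pwd):/zap/wrk" ghcr.io/zaproxy/zaproxy:stable \
    zap-baseline.py -t "$target" -r report.html || rc=$?
  zap_gate "$rc" "${2:-false}"
}

# Only scan when a target is given, e.g.: ./zap-gate.sh https://example.com true
if [ "$#" -gt 0 ]; then
  run_baseline "$@"
fi
```

Treating every unknown exit status as a block keeps a broken or skipped scan from being recorded as a clean one.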
Automation Framework (YAML plans)
zap.sh -cmd -autogenmin zap-plan.yaml
zap.sh -cmd -autorun zap-plan.yaml
(ZAP)
Quick “happy path” per OS (copy/paste)
- Windows (winget)
winget install --id=ZAP.ZAP -e
Launch “ZAP” from Start Menu. (ZAP)
- macOS (brew)
brew install --cask zap
open -a ZAP
(Homebrew Formulae)
- Linux (snap)
sudo snap install zaproxy --classic
zaproxy
(Snapcraft)
- Docker (baseline scan)
docker run -t ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://example.com -r report.html
(ZAP)