Hereโs a clean, step-by-step guide to install the latest OWASP ZAP on any OS, plus quick checks and headless/CI tips.
Latest version right now: ZAP 2.16.1 (stable). (ZAP)
1) Pick your install method (per OS)
Windows
Easiest (Winget)
winget install --id=ZAP.ZAP -e
To update later:
winget upgrade ZAP.ZAP
Code language: CSS (css)(ZAP)
Alternative (Scoop)
scoop install zaproxy
(ZAP)
Traditional installer
- Download the Windows Installer for 2.16.1.
- Double-click, accept license, finish.
(Windows builds require Java 17+; see step 2.) (ZAP)
macOS
Homebrew (recommended)
brew install --cask zap
(2.16.1 as of today.) (Homebrew Formulae)
Direct installer
- Download the macOS (Intel/Apple Silicon) installer and run it.
(Mac installers include Java 17.) (ZAP)
Linux (Ubuntu/Debian/Fedora/โฆ)
Snap (simple & maintained by ZAP team)
sudo snap install zaproxy --classic
# later:
sudo snap refresh zaproxy
Code language: PHP (php)Then run:
zaproxy
(ZAP)
Flatpak
flatpak install flathub org.zaproxy.ZAP
flatpak run org.zaproxy.ZAP
Code language: CSS (css)(ZAP)
Official Linux repos (RPM/DEB via openSUSE Build Service)
- Follow the repo instructions for your distro on the โLinux Reposโ link, then install the
zap/zaproxypackage. (ZAP)
Docker (great for CI/CD or zero-Java setup)
Pull a prebuilt image:
docker pull ghcr.io/zaproxy/zaproxy:stable
# or docker pull zaproxy/zap-stable
Code language: PHP (php)(ZAP)
2) Pre-req: Java (when needed)
- Required for Windows/Linux installers and cross-platform zip: Java 17+.
- Not needed for Docker; bundled on macOS installer.
Get Java 17 (Temurin) if you donโt have it. (ZAP)
3) Verify the install & version
Desktop / CLI
- Start ZAP from Start Menu (Win), Applications (macOS), or
zaproxy(Linux). - Or print version via script:
# macOS /Applications/ZAP.app/Contents/Java/zap.sh -version # Linux zap.sh -version # Windows "C:\Program Files\ZAP\Zed Attack Proxy\zap.bat" -version(ZAP)
(Optional) Verify checksums
Checksums are listed on the 2.16.1 releaseโcompare after download. (ZAP)
4) First run tips (TLS & Add-ons)
- If youโll proxy HTTPS traffic through ZAP, install the ZAP Root CA in your browser (Options โ Network โ Server Certificates; generate/save, then import to your browserโs trusted roots). (ZAP)
- Extend ZAP via Marketplace (Manage Add-ons). (ZAP)
5) Headless / automation (CI quick wins)
Start ZAP headlessly with API key
zap.sh -daemon -host 127.0.0.1 -port 8090 -config api.key=YOUR_SECRET_KEY
(Use zap.bat on Windows.) API key is required by default for security. (ZAP)
Packaged Docker scans
- Baseline (passive, prod-safe)
docker run -t ghcr.io/zaproxy/zaproxy:stable \ zap-baseline.py -t https://example.com -r report.html(Mount-v $(pwd):/zap/wrkto save reports.) (ZAP) - Full scan (includes active attacks)
docker run -t ghcr.io/zaproxy/zaproxy:stable \ zap-full-scan.py -t https://example.com -r full.html(ZAP)
Automation Framework (YAML plans)
zap.sh -cmd -autogenmin zap-plan.yaml
zap.sh -cmd -autorun zap-plan.yaml
Code language: CSS (css)(ZAP)
Quick โhappy pathโ per OS (copy/paste)
- Windows (winget)
winget install --id=ZAP.ZAP -eLaunch โZAPโ from Start Menu. (ZAP) - macOS (brew)
brew install --cask zap open -a ZAP(Homebrew Formulae) - Linux (snap)
sudo snap install zaproxy --classic zaproxy(Snapcraft) - Docker (baseline scan)
docker run -t ghcr.io/zaproxy/zaproxy:stable \ zap-baseline.py -t https://example.com -r report.html(ZAP)
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals
This blog is a very practical and up-to-date guide for anyone who wants to install OWASP ZAP correctly without wasting time on outdated steps. I really like how it covers all major platformsโWindows, macOS, Linux, and Dockerโwith clear commands for winget, Homebrew, Snap, and containers, plus reminders about Java 17 requirements. The sections on verifying the installation, handling HTTPS with root certificates, and using ZAP in headless/CI modes are especially useful for security engineers and DevSecOps teams who want to integrate ZAP into automated pipelines. Overall, itโs a clean, beginner-friendly yet professional walkthrough that helps readers move from download to real-world security scanning very quickly.