How to import OpenApi/Swagger API Specification into ZAP

In this blog post, we will show you how to import an OpenAPI (Swagger) specification into ZAP, using the Swagger Petstore as the target API.

Prerequisites:

Petstore Setup

For this example, we will be using the Swagger Petstore.

Before we import the OpenAPI/Swagger specification, we need to start up the Petstore. Instructions are in the README of the GitHub repository (https://github.com/swagger-api/swagger-petstore) listed under the prerequisites. We will not use the Docker build but start the Petstore from the command line instead. We are using Windows as the OS, but the steps are the same in other environments. At the command prompt, change into the directory where the Petstore source code was downloaded (the base of the project directory) and run the command mvn package jetty:run

If you encounter dependency errors, you may want to replace the dependency versions in the pom.xml file with the properties snippet below. These versions worked at the time of writing this blog post.

    <properties>
        <maven-plugin-version>1.0.0</maven-plugin-version>
        <swagger-parser-version>2.0.19</swagger-parser-version>
        <swagger-core-version>2.1.2</swagger-core-version>
        <jackson-version>2.10.3</jackson-version>
        <swagger-inflector-version>2.0.5</swagger-inflector-version>
        <jetty-version>9.4.9.v20180320</jetty-version>
        <logback-version>1.0.1</logback-version>
        <junit-version>4.8.2</junit-version>
        <slf4j-version>1.6.3</slf4j-version>
    </properties>

Once you have gotten the petstore to run, check that you can access http://localhost:8080/api/v3/openapi.json in the browser.

Importing the OpenAPI Definition

Once that is done, launch ZAP and import the openapi.json link using the OpenAPI import option in ZAP's Import menu (the OpenAPI add-on has to be installed for it to appear).

When the dialog box opens, put the URL of the OpenAPI definition (the link from https://github.com/swagger-api/swagger-petstore, or the http://localhost:8080/api/v3/openapi.json URL you verified above) into the URL Pointing to OpenAPI definition field. Also put http://localhost:8080 into the Target URL field. This tells ZAP the base URL of the API: during the import ZAP sends a request to every operation in the definition, so without the target it would send that traffic to whatever server the definition names. Click the "Import" button to import the API specification.

Alternatively, you can download the YAML file containing the API specification from https://github.com/swagger-api/swagger-petstore and choose the option to import the OpenAPI definition from the local filesystem. The Target URL value is the same in both cases.
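Because the import itself sends a request to every operation in the definition, it is worth checking beforehand which host those requests will go to, with and without the Target URL. The script below is an added example, not code from this post or from the ZAP project: it reads an OpenAPI 3 document (a constructed stand-in for the Petstore definition when run without arguments, or a live one such as http://localhost:8080/api/v3/openapi.json when given a URL), lists one request per operation, and reports the hosts it would contact. The rule it uses for the Target URL override (target scheme and host replace the server's, the server's path prefix is kept) is an assumption about how ZAP applies that field, stated in the code so it can be compared against what ZAP actually requests.

```python
"""Preview what a ZAP OpenAPI import will do with a definition and a Target URL.

Added example, not code from the blog post or from ZAP: it reads an OpenAPI 3
document, lists one (METHOD, URL) pair per operation, and shows which host
those requests go to with and without a Target URL override.
"""
import json
import sys
from urllib.parse import urljoin, urlparse
from urllib.request import urlopen

# Constructed stand-in for the Petstore definition (not the real spec): a
# hypothetical production host in `servers` plus a few operations.
SAMPLE_DEFINITION = {
    "openapi": "3.0.2",
    "servers": [{"url": "https://petstore.example/api/v3"}],
    "paths": {
        "/pet": {"put": {"summary": "Update a pet"}, "post": {"summary": "Add a pet"}},
        "/pet/{petId}": {"get": {"summary": "Find pet"}, "delete": {"summary": "Delete pet"}},
        "/store/inventory": {"get": {"summary": "Inventory"}},
    },
}

# Operation keys allowed in an OpenAPI path item; anything else ("parameters",
# "summary", ...) is not a request and is skipped.
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def base_url(definition, target_url=None, definition_url=None):
    """Base URL that gets prefixed to every path.

    Without a Target URL the first `servers` entry is used; a relative entry
    (e.g. "/api/v3") is resolved against the definition's own URL, as the
    OpenAPI specification requires.  With a Target URL the target's scheme and
    host replace the server's, and the server's path prefix is kept.  That
    override rule is an assumption about how ZAP applies its Target URL field.
    """
    servers = definition.get("servers") or [{"url": "/"}]
    server = servers[0]["url"]
    if target_url:
        return target_url.rstrip("/") + urlparse(server).path.rstrip("/")
    if definition_url and not urlparse(server).netloc:
        return urljoin(definition_url, server)
    return server


def enumerate_requests(definition, target_url=None, definition_url=None):
    """One (METHOD, full URL) pair per operation, in definition order."""
    base = base_url(definition, target_url, definition_url)
    found = []
    for path, item in definition.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                found.append((method.upper(), base + path))
    return found


def hosts_touched(requests):
    """Distinct scheme://host pairs the import will send traffic to."""
    origins = set()
    for _method, url in requests:
        parts = urlparse(url)
        if parts.netloc:
            origins.add(f"{parts.scheme}://{parts.netloc}")
        else:
            origins.add("(no host: relative server URL, not resolved)")
    return sorted(origins)


def load_definition(url):
    """Fetch a JSON definition, e.g. http://localhost:8080/api/v3/openapi.json."""
    with urlopen(url) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: python preview_import.py [definition_url] [target_url]
    definition_url = sys.argv[1] if len(sys.argv) > 1 else None
    target = sys.argv[2] if len(sys.argv) > 2 else None
    definition = load_definition(definition_url) if definition_url else SAMPLE_DEFINITION
    requests = enumerate_requests(definition, target, definition_url)
    for method, url in requests:
        print(f"{method:7} {url}")
    print("hosts the import will contact:", ", ".join(hosts_touched(requests)))
```

Run it with no arguments to see the constructed definition resolved against its own `servers` entry, then with `http://localhost:8080/api/v3/openapi.json http://localhost:8080` to see the same enumeration against the running Petstore. If the host list shows anything other than the Petstore you started, fix the Target URL before clicking Import rather than after the History tab has filled up.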

Once the import is successful, ZAP reports that the definition was parsed successfully, and new entries appear in the History tab: one request per operation in the definition, sent to the Target URL during the import.

Alerts are also generated in the Alerts tab, since the passive scan rules run over the responses to those requests.

Your Sites tree should also have been populated with the API's endpoints, ready for spidering or active scanning.
