How to run OWASP ZAP Docker Image

Installation Instructions
You can install the Docker image with OWASP ZAP pre-installed using the following command. Note that there are 3 versions, called stable, weekly and live. The following will install the stable version.
docker pull owasp/zap2docker-stable
ZAP GUI in Web Browser
Starting from ZAP 2.5.0, you can run the ZAP desktop GUI in a web browser using the following command.
docker run -u zap -p 8080:8080 -p 8090:8090 -i owasp/zap2docker-stable zap-webswing.sh
Then point the browser at http://localhost:8080/?anonym=true&app=ZAP and you can view the usual ZAP desktop GUI in your browser.
Run ZAP in Headless Mode
Use the following command to run ZAP in headless mode.
docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080
Accessing the API from outside of the Docker container:
By running the following commands, the ZAP API becomes accessible at http://0.0.0.0:8090/. However, Docker seems to assign random IP addresses to the container.
First, run the following command to listen on 0.0.0.0:8090.
docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0
Next, run the following command to check the running container ID/name.
docker ps
Then, use the following command to check the IP address of the container.
docker inspect <CONTAINER ID/ NAME> | grep IPAddress
Now you will be able to point the browser at the specified IP address with port 8090 (e.g. http://172.17.0.2:8090/).
[IMPORTANT] Required Configurations to run ZAP Docker Image
API Key
As a new security feature, new ZAP releases (e.g. ZAP 2.6.0) require an API key by default in order to invoke API operations. This is included to prevent malicious sites from invoking the ZAP API.
You can add the API key manually as follows.
-config api.key=change-me-9203935709
However, you can disable the API key. This is not recommended unless you are using ZAP in a completely isolated environment, as it allows malicious sites to access the ZAP API.
-config api.disablekey=true
Allowed IP Addresses
Moreover, ZAP doesn’t allow any IP address other than that of the local machine to connect to the ZAP API. You can allow a specific IP address to connect by using:
-config api.addrs.addr.name=172.143.652.123
However, if you use ZAP in a completely isolated environment, you can allow all IP addresses to connect to the ZAP API.
-config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
As an example, the final command to run ZAP in headless mode might look like this:
docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
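For an environment that is not completely isolated, the following added example (not from the original page or the ZAP project) keeps the API key on instead of using api.disablekey=true: it generates a random key, allows one validated address instead of .*, and publishes the port on 127.0.0.1 only. The helper names, the script name zap-headless.sh and the default ALLOW_ADDR value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): headless ZAP with the API key left on.
IMAGE="owasp/zap2docker-stable"
PORT=8080
# Assumption: address ZAP sees API clients coming from; 172.17.0.1 is a constructed
# default (typical Docker bridge gateway). Override with ALLOW_ADDR=... as needed.
ALLOW_ADDR="${ALLOW_ADDR:-172.17.0.1}"

# 32 hex characters read from the kernel CSPRNG.
gen_api_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only a literal dotted-quad IPv4 address, so a pattern such as ".*"
# or an out-of-range octet is rejected before it reaches ZAP's allow list.
valid_addr() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the docker command line. The port is published on 127.0.0.1 only, so the
# API is not reachable from other hosts even if the allow list is loosened later.
zap_cmd() {
    printf '%s ' docker run -u zap -p "127.0.0.1:${PORT}:${PORT}" -i "$IMAGE" \
        zap.sh -daemon -host 0.0.0.0 -port "$PORT" \
        -config "api.key=$1" \
        -config "api.addrs.addr.name=${ALLOW_ADDR}"
}

# Start the container only when called as: sh zap-headless.sh run
# (zap-headless.sh is a hypothetical file name for this script).
if [ "${1:-}" = "run" ]; then
    valid_addr "$ALLOW_ADDR" || { echo "invalid ALLOW_ADDR: $ALLOW_ADDR" >&2; exit 1; }
    API_KEY=$(gen_api_key)
    echo "ZAP API key: $API_KEY" >&2
    # Unquoted on purpose: every field was generated or validated above.
    exec $(zap_cmd "$API_KEY")
fi
```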