Scan domains with ZAP

Aikido's surface monitoring is built on top of ZAP and Nuclei. Aikido uses these to monitor your app's public attack surface by probing your domain names for weaknesses.

What is Surface Monitoring Scanning?

Surface monitoring, sometimes better known as Dynamic Application Security Testing (DAST), inspects all the externally facing components of your software, including the application programming interfaces (APIs), web pages, data transfer protocols, and other user-facing features.

Overview of checks performed

To see the checks performed by the Surface Monitoring Scanner, visit our checks overview page. Here, you'll find a detailed list of all the checks performed during the scan. Aikido will only perform safe, non-destructive automated tests (e.g., no automated SQL injection attempts).

Add a domain to be scanned with ZAP

  1. Navigate to the Domains Overview Page or Domains Settings.

  2. Fill out the configuration form with the service URL for the repositories that have public-facing domains. You can specify full paths.

  3. Choose Self-Built (scan via ZAP).

  4. Optional: link your domain to a repository or domain.

  5. Optional: set the sensitivity of the data.

Once you've completed the form, simply start a scan for this domain. The Surface Monitoring Scanner will then get to work, scanning your software surface for any signs of potential threats and reporting the issues in your feed. All issues can also be viewed on the domain detail page.

