podman zap

Using Zed Attack Proxy on Windows with Podman running on WSL to output a report as JSON gives "ZAP failed to access: http://localhost:3000"


I am trying to scan a website with Zed Attack Proxy on my Windows 11 computer.

What I have done to set up ZAProxy:

  1. Download Windows Subsystem for Linux (WSL): wsl.exe --install
  2. Download podman-installer-windows-amd64.msi from https://github.com/containers/podman/releases
  3. Start Podman: podman machine init and podman machine start
  4. Pull ZAP Docker images: podman pull ghcr.io/zaproxy/zaproxy:stable and podman pull zaproxy/zap-stable

Set up the test site to scan:

  1. Download NodeJS
  2. Clone https://github.com/juice-shop/juice-shop
  3. Run npm install and npm start
  4. Juice shop now runs on http://localhost:3000

Scan:

podman run --rm --network=host -v ${PWD}\zap-reports:/zap/wrk:Z ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t http://localhost:3000 -J /zap/wrk/zap_report.json

But this does not give me a JSON report.

It gives the error: 2025-12-23 10:30:33,118 I/O error: [Errno 5] ZAP failed to access: http://localhost:3000

Full error:

2025-12-23 10:30:33,118 I/O error: [Errno 5] ZAP failed to access: http://localhost:3000
Traceback (most recent call last):
  File "/zap/zap-full-scan.py", line 348, in main
    zap_access_target(zap, target)
  File "/zap/zap_common.py", line 108, in _wrap
    return_data = func(*args_list, **kwargs)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/zap/zap_common.py", line 404, in zap_access_target
    raise IOError(errno.EIO, 'ZAP failed to access: {0}'.format(target))
OSError: [Errno 5] ZAP failed to access: http://localhost:3000
Found Java version 17.0.17
Available memory: 5787 MB
Using JVM args: -Xmx1446m
502 [main] INFO  org.parosproxy.paros.Constant - Copying default configuration to /home/zap/.ZAP/config.xml
641 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/zap/.ZAP/session
642 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/zap/.ZAP/dirbuster
642 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/zap/.ZAP/fuzzers
643 [main] INFO  org.parosproxy.paros.Constant - Creating directory /home/zap/.ZAP/plugin
731 [main] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP 2.17.0 started 23/12/2025, 10:30:23 with home: /home/zap/.ZAP/ cores: 12 maxMemory: 1 GB
788 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config database.recoverylog = false was null
789 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was null
790 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was null
790 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was null
790 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 0 was null
790 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config stats.pkg.fullscan-api = 1 was null
PS C:\Users\admin>

Solution

  • You are running ZAP in Docker. 127.0.0.1 is local to that Docker image; it will not give you access to Juice Shop running in the host OS. You can check that using another tool like curl: curl http://127.0.0.1:3000 will also fail.

    You need to give ZAP an address that works.
    See https://www.zaproxy.org/docs/docker/about/#scanning-an-app-running-on-the-host-os
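
A preflight check for the point made in the answer, as an added example that is not part of the original post or the ZAP project's code: it probes from inside the container which address reaches the app on the Windows host, then runs the scan against that address. Assumptions: the image provides python3, Podman may define the aliases host.containers.internal and host.docker.internal, and --network=host is dropped so the probe and the scan both use the default container network.

```powershell
# Added example. Assumptions (not confirmed by the page): the ZAP image ships
# python3, and Podman may provide the two host aliases listed below.
$Image = 'ghcr.io/zaproxy/zaproxy:stable'
$Port  = 3000

# Candidate names/addresses for the Windows host as seen from inside the container:
# the aliases first, then every non-loopback, non-APIPA IPv4 address of this machine.
$candidates = @('host.containers.internal', 'host.docker.internal')
$candidates += Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -ExpandProperty IPAddress

# TCP connect probe executed inside the container. It contains no quote
# characters, so it survives PowerShell's native-argument passing unchanged.
$probe = 'import sys,socket; socket.create_connection((sys.argv[1],int(sys.argv[2])),5).close()'

$reachable = $null
foreach ($h in $candidates) {
    podman run --rm $Image python3 -c $probe $h $Port 2>$null
    if ($LASTEXITCODE -eq 0) { $reachable = $h; break }
    Write-Host "not reachable from container: ${h}:$Port"
}

if (-not $reachable) {
    # Nothing answered: the app is probably bound to loopback only, or the
    # Windows firewall blocks inbound connections from the WSL/Podman network.
    throw "No candidate reached port $Port from inside the container."
}

# Run the scan from the question against the address that actually answered.
Write-Host "scanning http://${reachable}:$Port"
New-Item -ItemType Directory -Force -Path "$PWD\zap-reports" | Out-Null
podman run --rm -v "${PWD}\zap-reports:/zap/wrk:Z" $Image `
    zap-full-scan.py -t "http://${reachable}:$Port" -J /zap/wrk/zap_report.json
```

If every candidate fails, the scan would fail the same way as in the question, so fix reachability first (bind address of the app, firewall rule) before rerunning ZAP.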