OWASP ZAP instructions appear to be wrong

[psiinon]

The instructions for using ZAP on https://appdefensealliance.dev/casa/tier-2/ast-guide/dynamic-scan appear to be wrong.
This may well be the wrong place to report this, but I've not been able to find any other alternatives 😉
The problem is the example at the end:

  docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw 
  -t owasp/zap2docker-stable zap-full-scan.py 
  -t https://example.com -P 8080 
  -c zap-casa-config.conf -x results-full.xml 
  -n /Users/DemoUser/Documents/Context.context -U test@example.com

The context file /Users/DemoUser/Documents/Context.context will not be accessible as that folder has not been mounted.
It should be something like /zap/wrk/Context.context, assuming that the user has put that context file in their CWD.

[stevebauman]

For a beginner to ZAP trying to get an application certified for Google OAuth certification, this process has been a nightmare to say the least. Been trying to get this running on my MacBook Pro M2, and haven't managed to get it running without errors.

These commands shown in the docs also cannot be simply pasted in the terminal to be executed, as the arguments are broken up with newlines (\n).

[stevebauman]

For anyone else looking at this issue experiencing problems, I had to edit the context file output by the ZAP UI and add in a <incregexes> element with my test URL:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <context>
        <name>https://example.com</name>
        <desc/>
        <inscope>true</inscope>
+	<incregexes>https://example.com*</incregexes>
        <tech>
        ...

Then, place both the zap-casa-config.conf and context.context into the same folder, cd into that folder in the terminal, and run the below command:

docker run -p 8080:8080 -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t https://example.com -P 8080 -c zap-casa-config.conf -r results-full.html -n /zap/wrk/context.context -U username

[felipecao]

I can confirm this process is a nightmare. I've been trying to make this thing work for the last 4h and i'm still hitting my head against the wall. Why not simply providing a script that allows us to download ZAP, add some config files to it and take it from there?!