Quickstart with OWASP ZAP

The Levo.ai add-on for ZAP builds OpenAPI specs from traffic sent through or proxied by ZAP.

This guide assumes that you have signed up for a Levo account and have installed a recent version of ZAP (2.12.0 or later).

Setup steps

1. Install and configure the Satellite

The OpenAPI spec is built by sending anonymized API traces to Levo. You can run the Satellite (a set of services that receives and processes traces) locally using Docker or Minikube, or on AWS with a Levo-provided AMI.

Click here for instructions on installing the Satellite.

Make sure ZAP can reach the Satellite at the configured listening port (default: 9999).

2. Install the Levo.ai add-on

Launch ZAP and install the Levo.ai add-on from the ZAP Marketplace. You may need to restart ZAP after the add-on is installed.

3. Verify installation

If the add-on is successfully installed, you should see a new button in the main toolbar.

Clicking it toggles sending traffic to the Levo Satellite.

4. Configure the Satellite URL

Navigate to Tools → Options → Levo.ai in ZAP and enter the URL for the Satellite (for example, http://localhost:9999).

Screenshot of the Levo.ai Options Panel in ZAP

5. Start capturing traffic

Ensure the Levo button is enabled in the toolbar. Start browsing your website using ZAP; you should see auto-discovered applications in your Levo dashboard within a few minutes.

Setup steps​

1. Install and configure the Satellite​

2. Install the Levo.ai add-on​

3. Verify installation​

4. Configure the Satellite URL​

5. Start capturing traffic​