ZAP DAST Pipeline Integration FAQs

Question 1

How do I handle false positives in the pipeline?

Accepted Answer

You can use a rules configuration file (rules.tsv) to IGNORE specific rule IDs or set them to WARN, preventing known non-issues from failing your CI/CD pipeline.

Question 2

What is the difference between ZAP Baseline and Full scans?

Accepted Answer

A Baseline scan is a quick, passive crawl that identifies security headers and configurations without sending attack payloads, while a Full scan performs active attacks to find exploitable vulnerabilities like SQLi.

Question 3

Does DAST replace SAST tools?

Accepted Answer

No, DAST tests the running application (black-box) to find runtime issues, while SAST analyzes source code (white-box). They are complementary and both are essential for a secure SDLC.

Question 4

Can I use this for API security testing?

Accepted Answer

Yes, this skill includes specific workflows for API scanning using OpenAPI (Swagger) specifications to systematically test endpoints for injection and authorization flaws.

Question 5

Can I run these scans locally before pushing code?

Accepted Answer

Yes, the skill provides Docker Compose configurations to run OWASP ZAP scans against your local containerized application, allowing you to catch issues before they reach the repository.

ZAP DAST Pipeline Integration

주요 기능

사용 사례

ZAP DAST Pipeline Integration

주요 기능

사용 사례