How to set up Scan Policy?
I can see that it uses the minimal policy:
018-02-07 05:17:41,009 Active Scan http://myHosthere:port/ with policy API-Minimal
How to pass a different level, or at least match what the UI is currently doing in Standard Mode, as the UI reported more vulnerabilities than the Docker scan?
At the moment it's not possible to specify a policy file with a command line argument. The scanners can be enabled/disabled with the configuration file though:
https://github.com/zaproxy/zaproxy/wiki/ZAP-API-Scan#configuration
If you also want to control the threshold/strength of the active scanners you need to override the policy instead, for example:
-v /path/to/MyCustomPolicy.policy:/home/zap/.ZAP/policies/API-Minimal.policy
(If using a weekly/live image it should be .ZAP_D instead of .ZAP.)
Thanks for the quick answer @thc202! How could I create this file so that it reflects what the UI is doing by default?
The scan policies can be exported from the Scan Policy Manager dialogue. [1] If you also want to use the same configurations for the passive scanner (in case you changed the alert threshold), you can also use the config.xml file [2] when starting the image:
-v /path/to/MyConfig.xml:/home/zap/.ZAP/config.xml:rw
(Worth using a copy as the container will write to it.)
[1] https://github.com/zaproxy/zap-core-help/wiki/HelpUiDialogsScanpolicymgr
[2] https://github.com/zaproxy/zaproxy/wiki/FAQconfig
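The two mounts from the answer above, as an added example (not code from the thread or from the zaproxy project): a small POSIX shell helper that picks the right ZAP home for the image tag, mounts an exported policy over API-Minimal.policy, and mounts a working copy of config.xml rather than the master file. Assumptions: the image name is owasp/zap2docker-<tag>, tags containing "weekly" or "live" use /home/zap/.ZAP_D and all others /home/zap/.ZAP, and the API definition is OpenAPI; the target URL and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the zaproxy project: assemble the
# docker command that runs zap-api-scan.py with an exported scan policy mounted
# over API-Minimal.policy, plus an optional working copy of config.xml.
# Assumptions: image is owasp/zap2docker-<tag>; tags containing "weekly" or
# "live" use /home/zap/.ZAP_D, all others /home/zap/.ZAP; the API definition
# format is openapi. Target URL and file paths are placeholders.

zap_home_for_tag() {
  # Stable images keep ZAP's home in .ZAP, weekly/live images in .ZAP_D.
  case "$1" in
    *weekly*|*live*) echo "/home/zap/.ZAP_D" ;;
    *)               echo "/home/zap/.ZAP" ;;
  esac
}

prepare_config_copy() {
  # The container writes to config.xml, so mount a copy, never the master file.
  src="$1"; dst="$2"
  [ -f "$src" ] || { echo "config not found: $src" >&2; return 1; }
  cp "$src" "$dst" && echo "$dst"
}

zap_api_scan_cmd() {
  # $1 image tag, $2 exported policy file, $3 API definition URL,
  # $4 optional config.xml working copy. Prints the docker command.
  tag="$1"; policy="$2"; target="$3"; config="${4:-}"
  [ -f "$policy" ] || { echo "policy not found: $policy" >&2; return 1; }
  zhome=$(zap_home_for_tag "$tag")
  # The policy replaces API-Minimal.policy, which is the one the script loads.
  mounts="-v $policy:$zhome/policies/API-Minimal.policy"
  if [ -n "$config" ]; then
    [ -f "$config" ] || { echo "config copy not found: $config" >&2; return 1; }
    mounts="$mounts -v $config:$zhome/config.xml:rw"
  fi
  echo "docker run --rm -t $mounts owasp/zap2docker-$tag zap-api-scan.py -t $target -f openapi"
}

# Usage (not executed when this file is sourced):
#   copy=$(prepare_config_copy /path/to/MyConfig.xml /tmp/zap-config.xml)
#   eval "$(zap_api_scan_cmd weekly /path/to/MyCustomPolicy.policy \
#            http://myHosthere:port/openapi.json "$copy")"
```

Both functions refuse to build a command when the policy or config copy does not exist, because a missing bind-mount source would otherwise silently become an empty directory inside the container and the scan would fall back to the built-in API-Minimal policy.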
Hi @thc202, we have to use the scan policy St-High-Th-High.policy, which I believe would be more effective for API scanning. Please advise. Since for now this cannot be done using the existing options in zap-api-scan.py, we are using a custom Python script with an option to accept the policy name. Can you please suggest whether any new scan rules/policy changes apply to the zap-api-scan.py script whenever updates happen in the ZAP weekly Docker image?
Also, regarding the config file passed to zap-api-scan.py (-c config_file -> config file to use to INFO, IGNORE or FAIL warnings), we have seen that we can customise this config file to use IGNORE or FAIL for rule IDs. But before customising, we would like to know: with the WARN indicator for all rules and using the higher policy St-High-Th-High.policy, will ZAP check all the rules while performing the active scan?
Looping @psiinon also ..
Thanks