This job runs the active scanner. This actively attacks your applications and should therefore only be used against applications that you have permission to test.
By default this job will actively scan the first context defined in the environment and so none of the parameters are mandatory.
```yaml
  - type: activeScan                 # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      context:                       # String: Name of the context to attack, default: first context
      user:                          # String: An optional user to use for authentication, must be defined in the env
      policy:                        # String: Name of the scan policy to be used, default: Default Policy
      maxRuleDurationInMins:         # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins:         # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
      addQueryParam:                 # Bool: If set will add an extra query parameter to requests that do not have one, default: false
      defaultPolicy:                 # String: The name of the default scan policy to use, default: Default Policy
      delayInMs:                     # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
      handleAntiCSRFTokens:          # Bool: If set then automatically handle anti CSRF tokens, default: false
      injectPluginIdInHeader:        # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
      scanHeadersAllRequests:        # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
      threadPerHost:                 # Int: The max number of threads per host, default: 2
    policyDefinition:                # The policy definition - only used if the 'policy' is not set
      defaultStrength:               # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
      defaultThreshold:              # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
      rules:                         # A list of one or more active scan rules and associated settings which override the defaults
      - id:                          # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
        name:                        # String: The name of the rule for documentation purposes - this is not required or actually used
        strength:                    # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
        threshold:                   # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium
```
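As an added example (not part of ZAP or the Automation Framework), the following linter checks an `activeScan` job against the rules stated in the template above: valid Attack Strength and Alert Threshold values, a `policyDefinition` that is silently ignored when `policy` is set, and the `0` defaults that mean unlimited duration and no delay. It assumes the plan has already been parsed into Python structures (for example with PyYAML); the sample job and the rule id `99999` are constructed placeholders.

```python
# Lint the activeScan job of a ZAP Automation Framework plan that has already been
# loaded into Python structures (e.g. with PyYAML). Added example, not ZAP's own code.
STRENGTHS = {"Low", "Medium", "High", "Insane"}
THRESHOLDS = {"Off", "Low", "Medium", "High"}


def lint_active_scan(job: dict) -> list[str]:
    """Return findings for one job dict; an empty list means no issues found."""
    if job.get("type") != "activeScan":
        return ["job is not an activeScan job"]
    findings = []
    params = job.get("parameters") or {}
    policy_def = job.get("policyDefinition")
    # policyDefinition is only used when 'policy' is not set (see the template above)
    if params.get("policy") and policy_def:
        findings.append("policyDefinition is ignored because 'policy' is set")
    # Default 0 means unlimited / no delay; flag both so the operator sets them deliberately
    if params.get("maxScanDurationInMins", 0) == 0:
        findings.append("maxScanDurationInMins is 0 (unlimited); consider a cap")
    if params.get("delayInMs", 0) == 0:
        findings.append("delayInMs is 0; a delay reduces strain on the target")
    if policy_def:
        ds = policy_def.get("defaultStrength", "Medium")
        if ds not in STRENGTHS:
            findings.append(f"defaultStrength {ds!r} not in {sorted(STRENGTHS)}")
        elif ds == "Insane":
            findings.append("defaultStrength Insane is not recommended")
        dt = policy_def.get("defaultThreshold", "Medium")
        if dt not in THRESHOLDS:
            findings.append(f"defaultThreshold {dt!r} not in {sorted(THRESHOLDS)}")
        for rule in policy_def.get("rules") or []:
            rid = rule.get("id")
            if not isinstance(rid, int):
                findings.append(f"rule id {rid!r} must be an Int")
            if rule.get("strength", "Medium") not in STRENGTHS:
                findings.append(f"rule {rid}: invalid strength {rule['strength']!r}")
            if rule.get("threshold", "Medium") not in THRESHOLDS:
                findings.append(f"rule {rid}: invalid threshold {rule['threshold']!r}")
    return findings


# Constructed sample: names a policy AND gives a policyDefinition, and mistypes a threshold.
# The rule id 99999 is a placeholder, not a real ZAP rule id.
SAMPLE_JOB = {
    "type": "activeScan",
    "parameters": {"context": "myapp", "policy": "Default Policy",
                   "maxScanDurationInMins": 60, "delayInMs": 50},
    "policyDefinition": {"defaultStrength": "Medium", "defaultThreshold": "medium",
                         "rules": [{"id": 99999, "threshold": "Off"}]},
}
```

Running `lint_active_scan(SAMPLE_JOB)` reports the ignored `policyDefinition` and the lowercase `medium` threshold; a job with only `parameters` set and non-zero duration and delay passes cleanly.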
The following class will be made available to add-ons that provide access to the Job Data such as the Reporting add-on. Note that in this case the data is from the last Active Scan, regardless of whether it was started by the Automation Framework, the UI, or the API.