Automation Framework - activeScan Job

This job runs the active scanner. This actively attacks your applications and should therefore only be used against applications that you have permission to test.

It is covered in the video: ZAP Chat 12 Automation Framework Part 6 - Delays and Active Scan.

By default this job will actively scan the first context defined in the environment and so none of the parameters are mandatory.

This job supports monitor tests.

YAML

  - type: activeScan                   # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      context:                         # String: Name of the context to attack, default: first context
      user:                            # String: An optional user to use for authentication, must be defined in the env
      policy:                          # String: Name of the scan policy to be used, default: Default Policy
      maxRuleDurationInMins:           # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins:           # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
      addQueryParam:                   # Bool: If set will add an extra query parameter to requests that do not have one, default: false
      defaultPolicy:                   # String: The name of the default scan policy to use, default: Default Policy
      delayInMs:                       # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
      handleAntiCSRFTokens:            # Bool: If set then automatically handle anti CSRF tokens, default: false
      injectPluginIdInHeader:          # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
      scanHeadersAllRequests:          # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
      threadPerHost:                   # Int: The max number of threads per host, default: 2
      maxAlertsPerRule:                # Int: Maximum number of alerts to raise per rule, default: 0 unlimited
    policyDefinition:                  # The policy definition - only used if the 'policy' is not set
      defaultStrength:                 # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
      defaultThreshold:                # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
      rules:                           # A list of one or more active scan rules and associated settings which override the defaults
      - id:                            # Int: The rule id as per https://www.zaproxy.org/docs/alerts/
        name:                          # String: The name of the rule for documentation purposes - this is not required or actually used
        strength:                      # String: The Attack Strength for this rule, one of Low, Medium, High, Insane, default: Medium
        threshold:                     # String: The Alert Threshold for this rule, one of Off, Low, Medium, High, default: Medium

Job Data

The following class will be made available to add-ons that provide access to the Job Data such as the Reporting add-on. Note that in this case the data is from the last Active Scan, regardless of whether it was started by the Automation Framework, the UI, or the API.