For a full list of the HTTP active and passive scan rules see the Alert Details page.
By default ZAP comes with the following (HTTP) ‘release’ quality rules:
But you can also download and install:
- Beta Active Scan Rules
- Beta Passive Scan Rules
- Alpha Active Scan Rules
- Alpha Passive Scan Rules
- Advanced SQLInjection Active Scan Rule
- DOM XSS Active Scan Rule
- Image Location and Privacy Scanner
from the ZAP Marketplace.
And there are also these scripts in the community scripts repo:
The full list of reserved scan ids is maintained in scanners.md