DAST Scanning

Excluding URLs From Being Scanned

1min

In some situations specific URLs need to be excluded from DAST scans. This can include areas of the application which are out of scope, such as documentation endpoints, or in larger applications this may be necessary because the DAST scans need to be segmented by specific application areas. For example testing the main site vs an admin sub-section of the site.

The --excludeUrlsFile parameter can be used to point to a text file containing a single URL per line to exclude. The URLs may be exact matches, simple wildcard matches, or basic Regex.

Example file:

https://my-site.com/blog* https://my-site.com/about/ ^https://my-site.com/wp-content/.+$

Pass the --excludeUrlsFile=<exclude_urls_file>.txt parameter and ensure that the file exists in the mapped local directory (c:\local-path in this case).

docker run -v c:\local-path:/zap/wrk/:rw -it --rm soosio/dast --clientId=<soos_client_id> --apiKey="<soos_apikey>" --projectName="<project_name>" --excludeUrlsFile=exclude_urls.txt --scanMode=baseline https://url-to-test



Updated 09 Apr 2025
Doc contributor
Did this page help you?
PREVIOUS
Running Authenticated DAST Scans
NEXT
Adjusting Scan Times
Docs powered by Archbee