Excluding URLs From Being Scanned

in some situations specific urls need to be excluded from dast scans this can include areas of the application which are out of scope, such as documentation endpoints, or in larger applications this may be necessary because the dast scans need to be segmented by specific application areas for example testing the main site vs an admin sub section of the site the excludeurlsfile parameter can be used to point to a text file containing a single url per line to exclude the urls may be exact matches , simple wildcard matches , or basic regex example file https //my site com/blog https //my site com/about/ ^https //my site com/wp content/ +$ pass the excludeurlsfile=\<exclude urls file> txt parameter and ensure that the file exists in the mapped local directory ( c \local path in this case) soos recommends running as the zap user (1000 1000) but this user will need rwx access to the mount in the example below if you can't do that, you may run without the u parameter and have the container run as root but this is not recommended unless absolutely necessary chmod r 777 /tmp/rules docker run u zap v /tmp/rules\ /zap/wrk/\ rw it rm soosio/dast clientid=\<soos client id> apikey="\<soos apikey>" projectname="\<project name>" excludeurlsfile=exclude urls txt scanmode=baseline https //url to test