DAST Scan Modes

dast supports different scan modes to scan different types of web applications with different intentions baseline (passive scan) run the zap spider against the specified target for a short period of time the cli doesn't perform any actual ‘attacks’ and will run for a relatively short period of time (a few minutes at most) this mode is intended to be ideal to run in a ci/cd environment, even against production sites full scan (active scan) it runs the zap spider against the specified target (by default with no time limit) followed by an optional ajax spider scan and then a full active scan before reporting the results this means that the script does perform actual ‘attacks’ and can potentially run for a long period of time you should not use it on web applications that you do not own api scan (active scan) tuned for performing scans against apis defined by openapi , soap , or graphql via either a local file or a url