DAST Scanning
DAST Scan Modes
DAST supports different scan modes to scan different types of web applications with different intentions:

Baseline (passive scan): Runs the ZAP (https://www.zaproxy.org/docs/docker/about/) spider against the specified target for a short period of time. The CLI doesn't perform any actual 'attacks' and will run for a relatively short period of time (a few minutes at most). This mode is intended to be ideal to run in a CI/CD environment, even against production sites.

Full scan (active scan): Runs the ZAP (https://www.zaproxy.org/docs/docker/about/) spider against the specified target (by default with no time limit), followed by an optional AJAX spider scan and then a full active scan before reporting the results. This means that the script does perform actual 'attacks' and can potentially run for a long period of time. You should not use it on web applications that you do not own.

API scan (active scan): Tuned for performing scans against APIs defined by OpenAPI, SOAP, or GraphQL via either a local file or a URL.
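The three modes correspond to the packaged scan scripts in the ZAP Docker image linked above. The following is an added example, not this product's own CLI or code: it prints the ZAP command for a mode and refuses the two active modes unless the target host is on an ownership allowlist. The names build_scan_cmd, url_host, is_allowed and ALLOWED_HOSTS, and all hosts, are constructed for illustration, and only URL targets are handled (not local API definition files).

```sh
#!/bin/sh
# Added example: maps the three scan modes to ZAP's packaged Docker scripts.
# Function names, ALLOWED_HOSTS and all hosts below are constructed samples.
ZAP_IMAGE="ghcr.io/zaproxy/zaproxy:stable"
ALLOWED_HOSTS="staging.example.test api.example.test"   # hosts you own

# Reduce a URL to its lowercase host: strip scheme, path, userinfo, then port.
url_host() {
    h=${1#*://}; h=${h%%[/?#]*}
    h=${h##*@}; h=${h%%:*}
    printf '%s' "$h" | tr 'A-Z' 'a-z'
}

is_allowed() {
    for a in $ALLOWED_HOSTS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Print (not run) the scan command; active modes require an allowlisted host.
build_scan_cmd() {
    mode=$1 target=$2 api_format=${3:-openapi}
    case $target in
        http://*|https://*) ;;
        *) echo "target must be an http(s) URL" >&2; return 2 ;;
    esac
    case $mode in
        baseline) script="zap-baseline.py -t $target" ;;   # passive, spider only
        full|api)
            if ! is_allowed "$(url_host "$target")"; then
                echo "refusing active scan: host is not in ALLOWED_HOSTS" >&2
                return 2
            fi
            if [ "$mode" = full ]; then
                script="zap-full-scan.py -t $target"
            else
                case $api_format in
                    openapi|soap|graphql) ;;
                    *) echo "unknown API format: $api_format" >&2; return 2 ;;
                esac
                script="zap-api-scan.py -t $target -f $api_format"
            fi ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    echo "docker run --rm -t $ZAP_IMAGE $script"
}

build_scan_cmd baseline https://www.example.org
```

The path is stripped before the userinfo, so a URL such as https://staging.example.test@other.example.org/ is checked against other.example.org rather than the allowlisted name.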

