Filtering DAST Scan Rules
Specific DAST rules can be excluded by using the --disableRules parameter to specify the rule IDs to omit.
The full list of rules included in DAST scans, with their corresponding IDs, can be found on the ZAP site. Rules listed as 'active' are run for Full and API scans; those listed as 'passive' are run for Baseline scans.
Example:
The maximum timeout for SOOS DAST scans is 3 hours. Any scan that does not complete within that time will return an 'incomplete' status. Depending on the size of the site being scanned, full scans may exceed this time limit due to the complexity of the rules being run. It is recommended to use the --disableRules parameter to omit any rules that are not necessary, for example rules that do not match the technology in use.
Vulnerabilities identified during unfiltered scans will be moved to the 'Resolved' issues list if subsequent scans use --disableRules to omit the rule associated with any previously discovered vulnerability.
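As an added example (not from the SOOS documentation), the shell snippet below builds a clean --disableRules value from a list of ZAP rule IDs and, before a filtered rerun, shows which findings from the previous unfiltered scan will be moved to 'Resolved' because their rule is now disabled. The prior findings are constructed sample data, and the docker image name and the other command-line parameters in `scan_command` are assumptions about the SOOS DAST invocation, not taken from this page.

```shell
#!/bin/sh
# Added example; not SOOS's own tooling.

# Normalise a list of ZAP rule IDs (space- or comma-separated, possibly
# repeated) into the comma-separated form used for --disableRules:
# numeric IDs only, duplicates removed, original order kept.
build_disable_rules() {
  printf '%s\n' "$@" | tr ', ' '\n\n' | grep -E '^[0-9]+$' \
    | awk '!seen[$0]++' | paste -sd, -
}

# Constructed sample of findings from an earlier, unfiltered scan:
# one "ruleId|alert name" line per alert.
PRIOR_FINDINGS='10096|Timestamp Disclosure - Unix
10021|X-Content-Type-Options Header Missing
40012|Cross Site Scripting (Reflected)'

# Print the prior findings whose rule ID is in the disabled set. These are
# the findings the filtered rerun will move to the 'Resolved' list, so they
# should be reviewed before the rule is switched off rather than after.
will_be_resolved() {
  printf '%s\n' "$PRIOR_FINDINGS" | awk -F'|' -v d="$1" '
    BEGIN { n = split(d, ids, ","); for (i = 1; i <= n; i++) off[ids[i]] = 1 }
    ($1 in off) { print $1 "|" $2 }'
}

# Assemble the scan command as a string without running it. Image name,
# parameter names and the target URL are assumptions for illustration.
scan_command() {
  rules="$(build_disable_rules "$@")"
  printf 'docker run -it --rm soosio/dast --clientId=$SOOS_CLIENT_ID --apiKey=$SOOS_API_KEY --projectName=demo --scanMode=fullscan --disableRules=%s https://app.example.test\n' "$rules"
}

# Usage: disable two informational passive rules, then see what that resolves.
DISABLED="$(build_disable_rules 10096,10021 10096)"
printf 'disableRules value: %s\n' "$DISABLED"
printf 'findings that will move to Resolved:\n'
will_be_resolved "$DISABLED"
scan_command "$DISABLED"
```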