Users who want to filter the rules run during DAST scans can use the --disableRules parameter to pass a comma-separated list of rule IDs to omit. The parameter applies to both fullscan and baseline scan modes.

The full list of rules included in DAST scans, with their corresponding IDs, can be seen here on the ZAP site. Rules listed as 'active' run during fullscan scanMode; those listed as 'passive' run during baseline scanMode. Because of this split, adding an active rule's ID to --disableRules has no effect on a baseline scan.

Example:

--scanMode="fullscan" --disableRules="10021, 10096, 40025"


The timeout limit for SOOS DAST scans is 3 hours. Any scan that does not complete within that time returns an 'incomplete' status. Fullscan mode may exceed this limit because active scanning does far more work against the target than a baseline scan. It is recommended to use the --disableRules parameter to omit rules that are not necessary, for example rules that target technologies the application does not use.

Note: If a vulnerability found during an unfiltered scan is associated with a rule that a subsequent scan omits via --disableRules, that vulnerability is moved to the 'Resolved' issues list. The scan has not confirmed that the finding was fixed, so review the disable list against previous findings before narrowing it.
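As an added example (not SOOS or ZAP code), the following Python helper builds the --disableRules value and runs the checks a practitioner would want before narrowing a scan: that every ID is a plain integer and exists in the rule catalog, that the disabled rules would actually run in the chosen scanMode (an active rule disabled in a baseline scan changes nothing), and which rules with findings in an earlier unfiltered scan will have those findings moved to 'Resolved' by the new list, as the note above describes. The catalog and the previous-findings data are constructed from the three IDs in the page's example; rule names and the active/passive classification must be verified against the ZAP rule list, and the SOOS CLI invocation itself is not shown because the page does not give it.

```python
"""Compose and sanity-check a SOOS DAST --disableRules value.

Added example; not SOOS or ZAP code. SAMPLE_CATALOG and PREVIOUS_FINDINGS are
constructed sample data built from the three rule IDs on the page. Rule names
and active/passive classification must be verified against the ZAP rule list.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample catalog: rule ID -> (rule type, rule name).
# Only the three IDs from the page's example are included.
SAMPLE_CATALOG: Dict[int, Tuple[str, str]] = {
    10021: ("passive", "X-Content-Type-Options Header Missing"),
    10096: ("passive", "Timestamp Disclosure"),
    40025: ("active", "Proxy Disclosure"),
}

# Constructed sample of an earlier unfiltered scan: rule ID -> finding count.
PREVIOUS_FINDINGS: Dict[int, int] = {10096: 4, 40025: 1}

_RULE_ID = re.compile(r"^[0-9]+$")


def parse_rule_ids(value: str) -> List[int]:
    """Parse a --disableRules string such as "10021, 10096, 40025".

    Tolerates whitespace around IDs, drops duplicates (keeping first-seen
    order) and rejects anything that is not a plain integer, so a typo such
    as "10021;40025" fails loudly instead of silently disabling nothing.
    """
    ids: List[int] = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if not _RULE_ID.match(token):
            raise ValueError(f"rule ID {token!r} is not a plain integer")
        rule_id = int(token)
        if rule_id not in ids:
            ids.append(rule_id)
    return ids


def build_disable_rules_arg(ids: Iterable[int]) -> str:
    """Render rule IDs as a --disableRules=... argument with no stray spaces."""
    unique = sorted({int(i) for i in ids})
    return "--disableRules=" + ",".join(str(i) for i in unique)


def unknown_rules(ids: Iterable[int], catalog: Dict[int, Tuple[str, str]]) -> List[int]:
    """IDs that are not in the catalog: probably typos, and they disable nothing."""
    return [i for i in ids if i not in catalog]


def ineffective_in_mode(ids: Iterable[int], catalog: Dict[int, Tuple[str, str]],
                        scan_mode: str) -> List[int]:
    """IDs whose rule would not run in this scanMode anyway.

    Per the page, active rules run in fullscan and passive rules in baseline,
    so disabling an active rule in a baseline scan changes nothing. Nothing is
    flagged for fullscan.
    """
    if scan_mode == "baseline":
        return [i for i in ids if i in catalog and catalog[i][0] == "active"]
    return []


def silently_resolved(ids: Iterable[int], previous_findings: Dict[int, int]) -> List[int]:
    """Rules with findings in an earlier scan that the new disable list hides.

    Those findings move to 'Resolved' although nothing was retested.
    """
    return [i for i in ids if previous_findings.get(i, 0) > 0]


def plan_disable_rules(value: str, scan_mode: str,
                       catalog: Dict[int, Tuple[str, str]] = SAMPLE_CATALOG,
                       previous_findings: Dict[int, int] = PREVIOUS_FINDINGS) -> dict:
    """Run every check and return the rendered argument plus warnings."""
    ids = parse_rule_ids(value)
    return {
        "arg": build_disable_rules_arg(ids),
        "unknown": unknown_rules(ids, catalog),
        "ineffective": ineffective_in_mode(ids, catalog, scan_mode),
        "silently_resolved": silently_resolved(ids, previous_findings),
    }


if __name__ == "__main__":
    report = plan_disable_rules("10021, 10096, 40025", "baseline")
    print(report["arg"])
    for key in ("unknown", "ineffective", "silently_resolved"):
        if report[key]:
            print(f"warning: {key}: {report[key]}")
```

Run with the page's own example and scanMode="baseline" and the helper prints the normalised argument, warns that 40025 is an active rule that a baseline scan would not run anyway, and warns that 10096 and 40025 had findings in the earlier sample scan and will be moved to 'Resolved' without being retested.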