full scan

Skip to first unread message

Ahmed Aissa

Jan 22, 2023, 4:37:07 PM1/22/23
to OWASP ZAP Developer Group
hi all , is there any difference between using " zap.sh -cmd -autorun config.yaml " to run full scan with AF and  " zap-full-scan.py -t  target  -r testreport.html -z " -autorun -c config.yaml " , which  performs better  for full scans in ci cd pipelines ? 
Thanks in advance 


Jan 23, 2023, 4:33:10 AM1/23/23
to OWASP ZAP Developer Group
It all depends on what is in config.yaml :)
Its like asking - "What happens if I run foo.sh?" without telling us whats in foo.sh

The zap-full-scan scipt is one of the packaged ones - it runs the ZAP spiders and sctive scanner.
The AF can also run the spiders and active scanner, but can do much more so its much more flexible than the packaged scripts.
We are in the process of migrating the packaged scripts to use the AF under the covers.

If your config.yaml file also runs the spiders and active scanner then what you are doing doesnt really make any sence, you are just doing the same things too many times.
It will take twice as long with no benefit.
But if your config.yaml file does something else then it will all depend on what it does.

I would not recommend using the AF together with the packaged scans - the AF is a super set of the packaged scans, combining them is just asking for trouble.
If you want to do something that is more cpomplex than the things supported by the packages scans then use the AF.


Reply all
Reply to author
0 new messages