full scan

[Ahmed Aissa]

hi all , is there any difference between using " zap.sh -cmd -autorun config.yaml " to run full scan with AF and  " zap-full-scan.py -t  target  -r testreport.html -z " -autorun -c config.yaml " , which  performs better  for full scans in ci cd pipelines ? 
Thanks in advance 

[psiinon]

It all depends on what is in config.yaml :)

Its like asking - "What happens if I run foo.sh?" without telling us whats in foo.sh

The zap-full-scan scipt is one of the packaged ones - it runs the ZAP spiders and sctive scanner.

The AF can also run the spiders and active scanner, but can do much more so its much more flexible than the packaged scripts.

We are in the process of migrating the packaged scripts to use the AF under the covers.

If your config.yaml file also runs the spiders and active scanner then what you are doing doesnt really make any sence, you are just doing the same things too many times.

It will take twice as long with no benefit.

But if your config.yaml file does something else then it will all depend on what it does.

I would not recommend using the AF together with the packaged scans - the AF is a super set of the packaged scans, combining them is just asking for trouble.

If you want to do something that is more cpomplex than the things supported by the packages scans then use the AF.

Cheers,

Simon