How to ignore scan rules in ZAP when running in headless mode?


Dhivya Aiyamperumal

Oct 7, 2021, 3:38:23 AM
to OWASP ZAP User Group
Hi,

I had been running ZAP in headless mode using
 
"zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config connection.timeoutInSecs=180 -config globalexcludeurl.url_list.url.regex='^((https:\/\/.example\.com\/).*)$' -g ./gen.conf "

The URLs are excluded in the final scan report after using globalexcludeurl.
Now I need to remove a scan rule.
I created a gen.conf with contents "<rule id> IGNORE" and passed it using -g.
But it didn't work. Is this the way or am I missing something?

Regards,
Dhivya

Simon Bennetts

Oct 7, 2021, 4:12:36 AM
to OWASP ZAP User Group
Hi Dhivya,

That sort of config file only works with the packaged scans, e.g. https://www.zaproxy.org/docs/docker/baseline-scan/
You either need to use one of the packaged scans, the Automation Framework, or control ZAP via the API.

Cheers,

Simon

Dhivya Aiyamperumal

Oct 7, 2021, 7:51:19 AM
to OWASP ZAP User Group
Thanks Simon for your reply. Could you please point out the exact API that would be helpful from https://www.zaproxy.org/docs/api/

Dhivya Aiyamperumal

Oct 12, 2021, 2:16:01 AM
to OWASP ZAP User Group
Hi Simon, could you please explain how to exclude a scan rule with the API?

kingthorin+owaspzap

Oct 12, 2021, 8:40:35 AM
to OWASP ZAP User Group
You can just hit up the docs pages: https://www.zaproxy.org/docs/api/ search "policy" in the left nav.

For passive scan rules you can refer to my answer here: https://stackoverflow.com/a/51288461/7718222

Dhivya Aiyamperumal

Oct 14, 2021, 3:16:36 AM
to zaprox...@googlegroups.com
Thanks. It works now.

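An added example, not code from the thread participants or the ZAP project: one way to turn "<rule id> IGNORE" lines into API calls against a daemon started as in the first post. It assumes the API is reachable at localhost:8090 with the API key disabled and that active rules are disabled in the default scan policy; the function names and the sample rule file are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

ZAP = "http://localhost:8090"  # assumption: daemon from the thread, api.disablekey=true

# Constructed sample in the "<rule id> IGNORE" style described in the thread.
SAMPLE_CONF = "# constructed sample\n10010\tIGNORE\t(example passive rule)\n40012 IGNORE\n10020 WARN\n"

def parse_ignored(conf_text):
    """Return the rule ids marked IGNORE, skipping comments and other actions."""
    ids = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].isdigit() and fields[1].upper() == "IGNORE":
            ids.append(fields[0])
    return ids

def http_get(url):
    """Call the ZAP JSON API and decode the response."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def api_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/pscan/action/disableScanners/."""
    query = urllib.parse.urlencode(params, safe=",")
    return f"{ZAP}/JSON/{component}/{kind}/{name}/" + (f"?{query}" if query else "")

def disable_rules(ignored, get=http_get):
    """Disable each id in whichever rule set (passive or active) contains it.

    Returns (disabled ids per component, ids that matched no installed rule).
    """
    disabled, remaining = {}, set(ignored)
    for component in ("pscan", "ascan"):
        listing = get(api_url(component, "view", "scanners"))
        known = {rule["id"] for rule in listing["scanners"]}
        hits = sorted(remaining & known, key=int)
        if hits:
            get(api_url(component, "action", "disableScanners", ids=",".join(hits)))
            disabled[component] = hits
        remaining -= known
    return disabled, sorted(remaining, key=int)

if __name__ == "__main__":
    done, unknown = disable_rules(parse_ignored(SAMPLE_CONF))
    print("disabled:", done, "not found:", unknown)
```

Run it after the daemon is up and before starting the scan. Ids reported as not found usually mean the rule's add-on is not installed, so nothing was suppressed for them.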