Disable BETA rules for OWASP ZAP scan

Elv drb

Aug 25, 2022, 5:19:11 AM
to OWASP ZAP User Group
Hello,

I want to deactivate the BETA rules of my OWASP ZAP scan.
Indeed they pollute the final result.
I can't find a parameter as it exists for Alpha rules.

Do you have any idea how to proceed?

Sincerely

Simon Bennetts

Aug 25, 2022, 5:23:54 AM
to OWASP ZAP User Group
Hiya,

How are you running ZAP?
Using the desktop, the packaged scans, the Automation Framework or the daemon + API? :)
And are you referring to the active rules, the passive ones or both?

Cheers,

Simon

Elv drb

Aug 25, 2022, 5:36:19 AM
to OWASP ZAP User Group
We launch ZAP via a CI/CD schedule.
See the command below:

- zap-full-scan.py -t https://examplexxx.com -d -r xxx.html -I -z "-config connection.proxyChain.enabled=true -config connection.proxyChain.hostName=xxx -config connection.proxyChain.port=xxx -config connection.defaultUserAgent=xxx"

I refer to all BETA rules, active and passive.
I want to use only released rules.

Regards,
Elv

Simon Bennetts

Aug 25, 2022, 5:43:57 AM
to OWASP ZAP User Group
Hi Elv,

That option is not "officially" supported for the packaged scans :)
You could try uninstalling them via the ZAP "-addonuninstall" commandline option: https://www.zaproxy.org/docs/desktop/cmdline/
For a cleaner solution, and one that will be more flexible going forwards, you can use the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/

Cheers,

Simon