what rules exactly do openapi scanning use?

Brian Ma

Mar 2, 2021, 3:01:37 PM
to OWASP ZAP User Group
Hi! I am running ZAP scans on my API for basic security testing. My question specifically is about the OpenAPI Support add-on, which I've been using. What rules/cases are run against imported OpenAPI definitions?

I know that the passive rules are used at least (https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/), but am not sure if the active rules are used (https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/) and was hoping to get an answer to that. Basically: does the OpenAPI add-on use active or any other rules besides passive against imported definitions?

Thanks in advance!

Simon Bennetts

Mar 3, 2021, 4:19:20 AM
to OWASP ZAP User Group
The OpenAPI add-on does not run any scan rules; that's not its purpose.
Its purpose is to read an OpenAPI definition and to add that to the Sites Tree, which is ZAP's internal map of an application.
ZAP will run any passive scan rules you have installed and enabled against it as it is imported.
ZAP will run active scan rules against it only if and when you run the active scanner.
We deliberately split exploring an app from attacking it to give you more control and flexibility.

Cheers,

Simon
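The sequence Simon describes, driven through ZAP's JSON API, as an added example that is not part of this thread or of the add-on itself: import the definition (passive rules fire on import), wait for the passive queue to drain, then explicitly start the active scanner. It assumes ZAP is listening on localhost:8080 with its API key in the ZAP_API_KEY environment variable; the spec and target URLs at the bottom are placeholders.

```python
"""Import an OpenAPI definition into ZAP, then explicitly run the active scanner.

Assumptions (not from the thread): ZAP at http://localhost:8080 (override with
ZAP_ADDR) and the API key in ZAP_API_KEY. Only the standard library is used.
"""
import json
import os
import time
import urllib.parse
import urllib.request

ZAP = os.environ.get("ZAP_ADDR", "http://localhost:8080")
API_KEY = os.environ.get("ZAP_API_KEY", "")


def build_url(component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/openapi/action/importUrl/?url=..."""
    params["apikey"] = API_KEY
    return f"{ZAP}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def zap(component, kind, name, **params):
    """Call one ZAP API endpoint and return its decoded JSON body."""
    with urllib.request.urlopen(build_url(component, kind, name, **params), timeout=30) as r:
        return json.load(r)


def summarise_alerts(alerts):
    """Count alerts per risk level (ZAP reports 'High', 'Medium', 'Low', 'Informational')."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def import_and_scan(spec_url, target):
    # 1. Import: endpoints land in the Sites Tree and passive rules run as they arrive.
    zap("openapi", "action", "importUrl", url=spec_url, hostOverride=target)
    # 2. Wait until the passive scanner has no queued records left.
    while int(zap("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(1)
    passive = summarise_alerts(zap("core", "view", "alerts", baseurl=target)["alerts"])
    # 3. Active rules run only now, because we explicitly start the active scanner.
    scan_id = zap("ascan", "action", "scan", url=target, recurse="true")["scan"]
    while int(zap("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)
    total = summarise_alerts(zap("core", "view", "alerts", baseurl=target)["alerts"])
    return passive, total  # alerts after import only, then after the active scan


if __name__ == "__main__":
    # Placeholder URLs: point these at your own spec and API host.
    print(import_and_scan("http://localhost:8000/openapi.json", "http://localhost:8000"))
```

Comparing the two summaries shows which findings came from passive rules at import time and which only appeared once the active scanner was run.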