Issue with ZAP Scan Ignoring Filter File for ID 40009

109 views
Skip to first unread message

Manmath Kulkarni

unread,
Jun 10, 2026, 7:34:27 AMJun 10
to ZAP User Group

Hi,

We are using ZAP within our Azure DevOps release pipelines. To handle false positives, we have added the relevant entries to the filter file.

`- type: alertFilter

parameters:
deleteGlobalAlerts: true # This grants permission to filter the -1 instance ID
alertFilters:
- ruleId: 40009 # Ensure no quotes
newRisk: "False Positive"`

However, these configurations are not being honored by the ZAP scan, and we still see issue ID 40009 appearing in the scan results.

2026-06-04T08:53:59.5654439Z ##[group]Server Side Include | High (Medium) | [1] 2026-06-04T08:53:59.8223114Z 2026-06-04T08:53:59.8227368Z pluginid : 40009 2026-06-04T08:53:59.8227661Z alertRef : 40009 2026-06-04T08:53:59.8228203Z alert : Server Side Include 2026-06-04T08:53:59.8228499Z name : Server Side Include 2026-06-04T08:53:59.8228792Z riskcode : 3 2026-06-04T08:53:59.8229061Z confidence : 2 2026-06-04T08:53:59.8229347Z riskdesc : High (Medium)

This issue needs to be addressed, as it is impacting the accuracy of our scans by allowing false positives to persist.
Please let me know if any additional information is required.

  1. Add Zap scan task in the pipeline
  2. Ru Zap scan
  3. Check the results

The expected behavior is that issue ID 40009 should not appear in the ZAP scan results, as it has already been excluded via the filter file.

Docker version: Docker 29.2.1
Zap version: zaproxy/zap-stable:latest

Simon Bennetts

unread,
Jun 10, 2026, 7:40:45 AMJun 10
to ZAP User Group
Hiya,

Please include the configuration you are using in a properly formatted way. That is important.
Also, as it looks like you are using the automation framework, where are you defining this job, in relation to the other jobs?

Cheers,

Simon

Manmath Kulkarni

unread,
Jun 11, 2026, 7:00:47 AMJun 11
to ZAP User Group
Hi Simon, 

I am not sure if following is in properly formatted way but I have tried to add as much as info I can.

Following are the instructions we are using to filter ZAP findings on release pipeline. 

Including a filter YAML in a release

A filter file will need to be added to your code repository and added as an artifact. Once this is done, it can be used in a release.

You will need the following information:

  • Build Alias
    This can be obtained by clicking on the artifact on the left of the pipeline view.
  • Name of the artifact in the build that contains the ZAP filter YAML
  • The filter filename

This information will be used to fill in the ZAP task group's CustomFilterPath field. See the example below for a more detailed explanation.

This field should be filled in with the complete download path of your filter file. This will usually be
$(system.artifactsDirectory)/<buildAlias>/<artifact name>/<YAML file name>. We recommend using a pipeline variable for this to aid in maintainability.

For example, this is the path for the sample pipeline below: "$(System.ArtifactsDirectory)/xyz.ZAP.Filter-Demo/zap-filter/filter-example.yaml"


This is the filter yaml file ( filter-example.yaml  ) we are using and the contents are as follows.

typealertFilter
  parameters:
    deleteGlobalAlertstrue      # This grants permission to filter the -1 instance ID
  alertFilters:
    - ruleId40009               # Ensure no quotes
      newRisk"False Positive"

 

Simon Bennetts

unread,
Jun 12, 2026, 4:17:46 AMJun 12
to ZAP User Group
Can you answer my other question: Also, as it looks like you are using the automation framework, where are you defining this job, in relation to the other jobs?
Its a key question :)

Cheers,

Simon

Manmath Kulkarni

unread,
Jun 15, 2026, 8:21:40 AMJun 15
to ZAP User Group
Hi Simon, 


We are defining the job in following way.

```env:
  contexts:
    - name: "staticapp"
      urls:
        - "https://our.site.net/"
jobs:
  - type: alertFilter
    parameters:
      deleteGlobalAlerts: false
    alertFilters:
      - ruleId: 40009
        newRisk: "False Positive"
        methods: [GET]
  # Discover URLs
  - type: spider
    parameters:
      context: "staticapp"
      maxDuration: 20
  # Wait for passive scan to finish
  - type: passiveScan-wait
    parameters:
      maxDuration: 20
  - type: spiderAjax
    parameters:
      context: "staticapp"
      maxDuration: 20
      runOnlyIfModern: true
  # Wait for passive scan to finish
  - type: passiveScan-wait
    parameters:
      maxDuration: 20
  - type: activeScan # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      maxScanDurationInMins: 30
  # Reports
  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "/zap/wrk"
      reportFile: "zap-scan-report.json"
      reportTitle: "ZAP Automation Report"
    risks:
      - high
      - medium
      - low
      - info
    confidences:
      - high
      - medium
      - low
  - type: report
    parameters:
      template: "traditional-xml"
      reportDir: "/zap/wrk"
      reportFile: "zap-scan-report.xml"
      reportTitle: "ZAP Automation Report"
    risks:
      - high
      - medium
      - low
      - info
    confidences:
      - high
      - medium
      - low
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-scan-report.html"
      reportTitle: "ZAP Automation Report"
    risks:
      - high
      - medium
      - low
      - info
    confidences:
      - high
      - medium
      - low
      - falsepositive
```

Simon Bennetts

unread,
Jun 22, 2026, 7:13:00 AMJun 22
to ZAP User Group
OK, I would expect that to work :/
Can you try setting the context for the alert filter?
Not setting it should still work, but there could be a bug there.

You should also try removing the "methods" in case ZAP is reporting the issue on a POST, or anything other than a GET.

Cheers,

Simon

Manmath Kulkarni

unread,
Jun 25, 2026, 10:34:10 AMJun 25
to ZAP User Group
Hi Simon, 

I added following to the filter file.

  deleteGlobalAlerts: false
  alertFilters:
    - ruleId: 40009
      context: "staticapp"
      newRisk: "False Positive"
      methods: [POST]

But this does not exclude the rule 40009 from ZAP scanning.  

026-06-22T18:24:02.4278605Z ‌Name                                                  ‌       Risk Description‌ C‌
2026-06-22T18:24:02.4284580Z ‌                                                      ‌                       ‌ o‌
2026-06-22T18:24:02.4286881Z ‌                                                      ‌                       ‌ u‌
2026-06-22T18:24:02.4287890Z ‌                                                      ‌                       ‌ n‌
2026-06-22T18:24:02.4289109Z ‌                                                      ‌                       ‌ t‌
2026-06-22T18:24:02.4292045Z ‌----                                                  ‌ ‌      ----------------‌ ‌-‌
2026-06-22T18:24:02.4310510Z Server Side Include                                             High (Medium) 1
2026-06-22T18:24:02.4331097Z CSP: script-src unsafe-eval                                     Medium (High) 5
2026-06-22T18:24:02.4354915Z CSP: style-src unsafe-inline                                    Medium (High) 5
2026-06-22T18:24:02.4355253Z CSP: Notices                                                       Low (High) 5
2026-06-22T18:24:02.4355841Z Cookie with SameSite Attribute None                              Low (Medium) 2
2026-06-22T18:24:02.4356170Z Cookie without SameSite Attribute                                Low (Medium) 2
2026-06-22T18:24:02.4356523Z Cross-Origin-Embedder-Policy Header Missing or Invalid           Low (Medium) 5
2026-06-22T18:24:02.4356904Z Permissions Policy Header Not Set                                Low (Medium) 5
2026-06-22T18:24:02.4357252Z Information Disclosure - Suspicious Comments           Informational (Medium) 3
2026-06-22T18:24:02.4357586Z Modern Web Application                                 Informational (Medium) 5
2026-06-22T18:24:02.4357919Z Re-examine Cache-control Directives                       Informational (Low) 5
2026-06-22T18:24:02.4358362Z Session Management Response Identified                 Informational (Medium) 1
2026-06-22T18:24:02.4358698Z Storable and Cacheable Content                         Informational (Medium) 5
2026-06-22T18:24:02.4359038Z Storable but Non-Cacheable Content                     Informational (Medium) 5
2026-06-22T18:24:02.4359348Z User Agent Fuzzer                                      Informational (Medium) 3
2026-06-22T18:24:02.4359466Z 
2026-06-22T18:24:02.4359732Z ##[section]Alert Details By Site (Click to expand)
2026-06-22T18:24:02.4360356Z ===========================================================================
2026-06-22T18:24:02.4360712Z ##[command]AlertDetails for https://msc-web-ngpp-acc.azurewebsites.net
2026-06-22T18:24:02.4361073Z ===========================================================================
2026-06-22T18:24:02.4361588Z ##[group]Server Side Include | High (Medium) | [1]
2026-06-22T18:24:02.6958186Z 
2026-06-22T18:24:02.6958936Z pluginid   : 40009
2026-06-22T18:24:02.6961054Z alertRef   : 40009
2026-06-22T18:24:02.6972924Z alert      : Server Side Include
2026-06-22T18:24:02.7141050Z name       : Server Side Include
2026-06-22T18:24:02.7141701Z riskcode   : 3
2026-06-22T18:24:02.7277265Z confidence : 2
2026-06-22T18:24:02.7277852Z riskdesc   : High (Medium)

Simon Bennetts

unread,
Jun 26, 2026, 7:28:04 AMJun 26
to ZAP User Group
Completely remove the methods parameter.
Previously it only applied to GET. You just changed it to only apply to POST.
If you were getting that alert on both a GET and a POST then you would still get at least one alert in both case.

kingthorin+zap

unread,
Jun 27, 2026, 8:29:18 PMJun 27
to ZAP User Group
Alert filters aren’t meant to prevent rule execution

Manmath Kulkarni

unread,
Jul 1, 2026, 9:31:50 AM (11 days ago) Jul 1
to ZAP User Group

Hi Simon,

we have tried this, with GET, POST, and not also not setting it. Its still not working>

@kingthorin+zap

If Alert filters are not meant to rule execution, then what would be alternative. 

Reply all
Reply to author
Forward
0 new messages