Issue with ZAP Scan Ignoring Filter File for ID 40009


Manmath Kulkarni

Jun 10, 2026, 7:34:27 AM
to ZAP User Group

Hi,

We are using ZAP within our Azure DevOps release pipelines. To handle false positives, we have added the relevant entries to the filter file.

```yaml
- type: alertFilter
  parameters:
    deleteGlobalAlerts: true # This grants permission to filter the -1 instance ID
  alertFilters:
    - ruleId: 40009 # Ensure no quotes
      newRisk: "False Positive"
```

However, these configurations are not being honored by the ZAP scan, and we still see issue ID 40009 appearing in the scan results.

```
2026-06-04T08:53:59.5654439Z ##[group]Server Side Include | High (Medium) | [1]
2026-06-04T08:53:59.8223114Z
2026-06-04T08:53:59.8227368Z pluginid : 40009
2026-06-04T08:53:59.8227661Z alertRef : 40009
2026-06-04T08:53:59.8228203Z alert : Server Side Include
2026-06-04T08:53:59.8228499Z name : Server Side Include
2026-06-04T08:53:59.8228792Z riskcode : 3
2026-06-04T08:53:59.8229061Z confidence : 2
2026-06-04T08:53:59.8229347Z riskdesc : High (Medium)
```

This issue needs to be addressed, as it is impacting the accuracy of our scans by allowing false positives to persist.
Please let me know if any additional information is required.

  1. Add Zap scan task in the pipeline
  2. Run Zap scan
  3. Check the results

The expected behavior is that issue ID 40009 should not appear in the ZAP scan results, as it has already been excluded via the filter file.

Docker version: Docker 29.2.1
Zap version: zaproxy/zap-stable:latest

Simon Bennetts

Jun 10, 2026, 7:40:45 AM
to ZAP User Group
Hiya,

Please include the configuration you are using in a properly formatted way. That is important.
Also, as it looks like you are using the automation framework, where are you defining this job, in relation to the other jobs?

Cheers,

Simon

Manmath Kulkarni

Jun 11, 2026, 7:00:47 AM
to ZAP User Group
Hi Simon, 

I am not sure if the following is in a properly formatted way, but I have tried to add as much info as I can.

Following are the instructions we are using to filter ZAP findings on release pipeline. 

Including a filter YAML in a release

A filter file will need to be added to your code repository and added as an artifact. Once this is done, it can be used in a release.

You will need the following information:

  • Build Alias
    This can be obtained by clicking on the artifact on the left of the pipeline view.
  • Name of the artifact in the build that contains the ZAP filter YAML
  • The filter filename

This information will be used to fill in the ZAP task group's CustomFilterPath field. See the example below for a more detailed explanation.

This field should be filled in with the complete download path of your filter file. This will usually be
$(system.artifactsDirectory)/<buildAlias>/<artifact name>/<YAML file name>. We recommend using a pipeline variable for this to aid in maintainability.

For example, this is the path for the sample pipeline below: "$(System.ArtifactsDirectory)/xyz.ZAP.Filter-Demo/zap-filter/filter-example.yaml"


This is the filter YAML file (filter-example.yaml) we are using, and the contents are as follows.

```yaml
- type: alertFilter
  parameters:
    deleteGlobalAlerts: true      # This grants permission to filter the -1 instance ID
  alertFilters:
    - ruleId: 40009               # Ensure no quotes
      newRisk: "False Positive"
```

Simon Bennetts

Jun 12, 2026, 4:17:46 AM
to ZAP User Group
Can you answer my other question: Also, as it looks like you are using the automation framework, where are you defining this job, in relation to the other jobs?
It's a key question :)

Cheers,

Simon

Manmath Kulkarni

Jun 15, 2026, 8:21:40 AM
to ZAP User Group
Hi Simon, 


We are defining the job in following way.

```yaml
env:
  contexts:
    - name: "staticapp"
      urls:
        - "https://our.site.net/"
jobs:
  - type: alertFilter
    parameters:
      deleteGlobalAlerts: false
    alertFilters:
      - ruleId: 40009
        newRisk: "False Positive"
        methods: [GET]
  # Discover URLs
  - type: spider
    parameters:
      context: "staticapp"
      maxDuration: 20
  # Wait for passive scan to finish
  - type: passiveScan-wait
    parameters:
      maxDuration: 20
  - type: spiderAjax
    parameters:
      context: "staticapp"
      maxDuration: 20
      runOnlyIfModern: true
  # Wait for passive scan to finish
  - type: passiveScan-wait
    parameters:
      maxDuration: 20
  - type: activeScan # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      maxScanDurationInMins: 30
  # Reports
  - type: report
    parameters:
      template: "traditional-json"
      reportDir: "/zap/wrk"
      reportFile: "zap-scan-report.json"
      reportTitle: "ZAP Automation Report"
    risks:
      - high
      - medium
      - low
      - info
    confidences:
      - high
      - medium
      - low
  - type: report
    parameters:
      template: "traditional-xml"
      reportDir: "/zap/wrk"
      reportFile: "zap-scan-report.xml"
      reportTitle: "ZAP Automation Report"
    risks:
      - high
      - medium
      - low
      - info
    confidences:
      - high
      - medium
      - low
  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-scan-report.html"
      reportTitle: "ZAP Automation Report"
    risks:
      - high
      - medium
      - low
      - info
    confidences:
      - high
      - medium
      - low
      - falsepositive
```
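An added example, not from this thread or from ZAP's own code: a small check a pipeline can run over the `traditional-json` report written by the report job above, to tell whether the alert filter for rule 40009 actually took effect. It relies on the fact that a filter with `newRisk: "False Positive"` marks matching alerts with the False Positive confidence level (serialized as `"0"` in ZAP's traditional reports, alongside `1` Low, `2` Medium, `3` High, `4` User Confirmed), so any alert for that rule still carrying another confidence was not matched by the filter (for example because of its method or URL constraints, or because the job ran after the scans). The alert field names (`pluginid`, `riskcode`, `confidence`, `riskdesc`) are the ones in the pipeline log quoted earlier; the `site` / `alerts` / `instances` nesting and the sample report itself are constructed for this example.

```python
import json
from typing import Dict, List

# Confidence codes as ZAP serializes them in its traditional reports:
# 0 = False Positive, 1 = Low, 2 = Medium, 3 = High, 4 = User Confirmed.
CONFIDENCE_FALSE_POSITIVE = "0"

# Constructed sample in the shape of a ZAP traditional-json report. The
# "site"/"alerts"/"instances" nesting is an assumption for this example; the
# per-alert field names match the pipeline log quoted in the thread.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "https://our.site.net",
        "alerts": [
            # Still reported at Medium confidence: the filter did not match this one.
            {"pluginid": "40009", "alertRef": "40009", "alert": "Server Side Include",
             "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
             "instances": [{"uri": "https://our.site.net/page?q=1", "method": "GET"}]},
            # Marked False Positive by the alert filter.
            {"pluginid": "40009", "alertRef": "40009", "alert": "Server Side Include",
             "riskcode": "3", "confidence": "0", "riskdesc": "High (False Positive)",
             "instances": [{"uri": "https://our.site.net/other", "method": "POST"}]},
            # An unrelated rule, left untouched by the filter.
            {"pluginid": "10038", "alertRef": "10038",
             "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
             "instances": [{"uri": "https://our.site.net/", "method": "GET"}]},
        ],
    }],
})


def unfiltered_alerts(report_json: str, rule_id: str) -> List[Dict]:
    """Return the alerts for rule_id whose confidence is not False Positive.

    Each entry records the site, the risk/confidence text and the
    (method, uri) pairs of its instances, which is what you need to see
    why a filter with url/method constraints did not match.
    """
    report = json.loads(report_json)
    remaining = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if alert.get("pluginid") != rule_id:
                continue
            if alert.get("confidence") == CONFIDENCE_FALSE_POSITIVE:
                continue  # the alert filter handled this one
            remaining.append({
                "site": site.get("@name"),
                "riskdesc": alert.get("riskdesc"),
                "instances": [(inst.get("method"), inst.get("uri"))
                              for inst in alert.get("instances", [])],
            })
    return remaining


def filter_applied(report_json: str, rule_id: str) -> bool:
    """Pipeline gate: True when no alert for rule_id survives with a real confidence."""
    return not unfiltered_alerts(report_json, rule_id)


if __name__ == "__main__":
    for hit in unfiltered_alerts(SAMPLE_REPORT, "40009"):
        print(f"rule 40009 still reported on {hit['site']} as {hit['riskdesc']}: "
              f"{hit['instances']}")
    print("filter applied for 40009:", filter_applied(SAMPLE_REPORT, "40009"))
```

Run it against the real `/zap/wrk/zap-scan-report.json` by replacing `SAMPLE_REPORT` with the file contents; a non-empty result from `unfiltered_alerts` lists the exact method and URL of each instance the filter missed, which is usually enough to see whether the `methods`, `url` or job-ordering settings of the `alertFilter` job need adjusting. Note that the JSON and XML report jobs above do not list `falsepositive` under `confidences`, so filtered alerts will simply be absent from those reports rather than appear with confidence `0`; the check still works, since only unfiltered alerts are counted.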
