Zap Docker Policy


Eric

Dec 14, 2021, 7:56:04 PM
to OWASP ZAP User Group
So correct me if this is the wrong way of going about this, but I've been trying to use a custom scan policy in order to reduce the scan time of zap2docker full scans by stripping away rules I don't need, such as External Redirect.

First I'm putting my policy into the container like so:
docker create --name owasp -t owasp/zap2docker-live
docker start owasp
docker cp 'policy/ScanPolicy.policy' owasp:/home/zap/.ZAP_D/policies/

Then I'm running the container with this:
docker exec owasp zap-full-scan.py -I -t [target] -d -r zap_report.html -z "-config scanner.defaultPolicy=ScanPolicy.policy"

As you can see, I'm explicitly telling zap to use my custom policy, but when it comes time to scan I'm getting: 
Active Scan [target] with policy Default Policy

What am I misunderstanding here?
Thanks!

thc...@gmail.com

Dec 15, 2021, 3:56:05 AM
to zaprox...@googlegroups.com
Hi.

The packaged scans use their own policy based on the provided configuration:
https://www.zaproxy.org/docs/docker/baseline-scan/#configuration-file

Best regards.

On 15/12/2021 00:56, Eric wrote:
> So correct me if this is the wrong way of going about this, but I've been
> trying to use a custom scan policy in order to reduce the scan time of
> zap2docker full scans by stripping away rules I don't need, such as
> External Redirect.
>
> First I'm putting my policy into the container like so:
> docker create --name owasp -t owasp/zap2docker-live
> docker start owasp
> docker cp 'policy/ScanPolicy.policy' owasp:/home/zap/.ZAP_D/policies/
>
> Then I'm running the container with this:
> docker exec owasp zap-full-scan.py -I -t [target] -d -r zap_report.html -z "-config scanner.defaultPolicy=ScanPolicy.policy"
>
> As you can see, I'm explicitly telling zap to use my custom policy, but
> when it comes time to scan I'm getting:
> Active Scan [target] with policy Default Policy
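
Added example (not from either poster or the ZAP project): since the packaged scan scripts build their own policy from the `-c` configuration file linked above, the rule selection goes into that file rather than into a `.policy` file or a `-z "-config scanner.defaultPolicy=..."` override. The script below writes such a file, with each listed rule set to IGNORE, and runs `zap-full-scan.py` against a directory mounted as `/zap/wrk`, where the packaged scripts look for the config and write the report. Assumptions: 20019 is, as I recall, the plugin ID of the External Redirect active scan rule (confirm it against the template that `zap-full-scan.py -g <file>` generates, which lists every rule ID); the image tag, target and working directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the ZAP project.
# The packaged scripts (zap-full-scan.py etc.) build their own scan policy
# from the -c config file, so rule selection goes there rather than into a
# .policy file or -z "-config scanner.defaultPolicy=...".
#
# Config file format (per the baseline-scan docs): one rule per line,
#   <plugin id> TAB <IGNORE|WARN|FAIL> TAB (<comment>)
# Lines starting with '#' are comments. Run the script with -g <file> to
# generate a template listing every rule ID.
#
# Assumptions: 20019 is, as I recall, the External Redirect rule ID (verify
# against the -g output); image tag, target and work dir are placeholders.

# write_rule_config <dir> <name> <id>...: write a config that IGNOREs each id.
write_rule_config() {
    dir="$1"; name="$2"; shift 2
    out="$dir/$name"
    printf '# zap-full-scan rule configuration (generated)\n' > "$out"
    for id in "$@"; do
        printf '%s\tIGNORE\t(disabled to shorten the scan)\n' "$id" >> "$out"
    done
    printf '%s\n' "$out"
}

# count_ignored <file>: number of IGNORE entries (sanity check before a scan).
count_ignored() {
    awk -F'\t' '$2 == "IGNORE" { n++ } END { print n + 0 }' "$1"
}

# run_full_scan <target> <dir> <name>: mount <dir> as /zap/wrk so the script
# finds <name> via -c (the packaged scripts read the config from /zap/wrk)
# and writes the report there. With DRY_RUN=1 the command is printed
# instead of executed, so this can be exercised without Docker.
run_full_scan() {
    target="$1"; dir="$2"; name="$3"
    set -- docker run --rm -v "$dir:/zap/wrk/:rw" -t owasp/zap2docker-stable \
        zap-full-scan.py -t "$target" -c "$name" -I -r zap_report.html
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Example use (target and rule list are placeholders):
#   write_rule_config "$PWD" rules.conf 20019
#   DRY_RUN=1 run_full_scan http://target.example "$PWD" rules.conf
```

The `-c`, `-g`, `-I`, `-r` and `-t` options are the ones documented for the packaged scans; IGNORE entries are how the config tells the script which rules to leave out, and the generated template from `-g` is the safest starting point because it carries the current rule IDs rather than remembered ones.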

Eric

Dec 15, 2021, 10:36:47 AM
to OWASP ZAP User Group
Ahh of course. Thanks so much!