Difference between API and API-Minimal scan policy for Docker Scans

Nitish Patel

Apr 27, 2026, 3:01:17 AM (10 days ago) Apr 27
to ZAP User Group
Hi ZAP Team,
Thank you for making this great product, which is also open source. You are doing this world a favour.

I have been using ZAP scans to secure some APIs and had a question while I was digging a bit into the Docker scans and ZAP Desktop. On ZAP Desktop, there is a policy called API, and during a Docker scan, the policy it uses by default is called API-Minimal.

Now by instinct, API seems more broad than API-Minimal, but I didn't find that to be true. Here are the differences between them.

Enabled in BOTH (20):
p0 Directory Browsing
p7 Remote File Inclusion
p20019 External Redirect
p30001 Buffer Overflow
p30002 Format String Error
p40003 CRLF Injection
p40008 Parameter Tampering
p40009 Server Side Include
p40018 SQL Injection
p40042 Spring Actuator Information Leak
p90017 XSLT Injection
p90019 Server Side Code Injection
p90020 Remote OS Command Injection
p90021 XPath Injection
p90023 XML External Entity Attack
p90026 SOAP Action Spoofing
p90029 SOAP XML Injection
p90034 Cloud Metadata Potentially Exposed
p90035 Server Side Template Injection
p90036 Server Side Template Injection (Blind)

Enabled ONLY in API-Minimal (3):
p30003 Integer Overflow Error
p40044 Exponential Entity Expansion (Billion Laughs Attack)
p90025 Expression Language Injection

Enabled ONLY in API (2):
p50000 Script Active Scan Rules
p90037 Remote OS Command Injection (Time Based)

Differences (minimal | full):
p6      -   | off  Path Traversal
p10045  -   | off  Source Code Disclosure - /WEB-INF Folder
p10058  -   | off  GET for POST
p10104  -   | off  User Agent Fuzzer
p20015  -   | off  Heartbleed OpenSSL Vulnerability
p20017  -   | off  Source Code Disclosure - CVE-2012-1823
p20018  -   | off  Remote Code Execution - CVE-2012-1823
p30003  on  | -    Integer Overflow Error
p40012  -   | off  Cross Site Scripting (Reflected)
p40014  -   | off  Cross Site Scripting (Persistent)
p40016  -   | off  Cross Site Scripting (Persistent) - Prime
p40017  -   | off  Cross Site Scripting (Persistent) - Spider
p40019  -   | off  SQL Injection - MySQL (Time Based)
p40020  -   | off  SQL Injection - Hypersonic SQL (Time Based)
p40021  -   | off  SQL Injection - Oracle (Time Based)
p40022  -   | off  SQL Injection - PostgreSQL (Time Based)
p40024  -   | off  SQL Injection - SQLite (Time Based)
p40026  -   | off  Cross Site Scripting (DOM Based)
p40027  -   | off  SQL Injection - MsSQL (Time Based)
p40028  -   | off  ELMAH Information Leak
p40029  -   | off  Trace.axd Information Leak
p40032  -   | off  .htaccess Information Leak
p40034  -   | off  .env Information Leak
p40035  -   | off  Hidden File Found
p40043  -   | off  Log4Shell
p40044  on  | -    Exponential Entity Expansion (Billion Laughs Attack)
p40045  -   | off  Spring4Shell
p50000  -   | on   Script Active Scan Rules
p90024  -   | off  Generic Padding Oracle
p90025  on  | -    Expression Language Injection
p90037  -   | on   Remote OS Command Injection (Time Based)

Now, to be more thorough and accurate, I am planning to make a superset of these two, so it would become:

64 plugins enabled (vs. 23 in API-Minimal, 22 in API)

But this means I am more prone to detecting false positives too. I would love to get feedback on whether I should do this or not.

Thank you for your time; I really appreciate the effort everyone puts into this community.

Nitish Patel
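An added example (mine, not ZAP's or the poster's code) of how the comparison above and the proposed superset can be produced mechanically from two exported scan policies. It assumes the `.policy` XML layout ZAP Desktop exports: a `<plugins>` element holding one `<pNNNN>` child per rule, each with an `<enabled>` flag plus `<level>`/`<strength>`. The two embedded policies are constructed, cut-down stand-ins built from plugin ids quoted in the post, not the real API and API-Minimal files shipped with ZAP; run the script against the real exports to reproduce the full lists.

```python
"""Diff two ZAP scan policies and build a superset policy (added example, not ZAP code).

Assumed .policy layout (what ZAP Desktop exports):
  <configuration><policy>NAME</policy><scanner>..</scanner>
  <plugins><pNNNN><enabled>true|false</enabled><level/><strength/></pNNNN>..</plugins>
  </configuration>
A rule absent from <plugins> is reported as "-", present-but-disabled as "off",
enabled as "on", matching the post's "minimal | full" column.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed-down policies using ids quoted in the post; NOT the real files.
API_MINIMAL = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
  <policy>API-Minimal</policy>
  <scanner><level>MEDIUM</level><strength>MEDIUM</strength></scanner>
  <plugins>
    <p40018><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p40018>
    <p30003><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p30003>
    <p90025><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p90025>
  </plugins>
</configuration>
"""

API = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
  <policy>API</policy>
  <scanner><level>MEDIUM</level><strength>MEDIUM</strength></scanner>
  <plugins>
    <p40018><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p40018>
    <p50000><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p50000>
    <p90037><enabled>true</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p90037>
    <p6><enabled>false</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p6>
    <p40012><enabled>false</enabled><level>MEDIUM</level><strength>MEDIUM</strength></p40012>
  </plugins>
</configuration>
"""


def _plugin_number(tag: str) -> int:
    """Sort key: 'p40018' -> 40018, so ids order numerically rather than as text."""
    return int(tag[1:])


def load_policy(xml_text: str) -> dict[str, bool]:
    """Map each plugin id listed under <plugins> to whether it is enabled."""
    plugins = ET.fromstring(xml_text).find("plugins")
    enabled: dict[str, bool] = {}
    for plugin in ([] if plugins is None else plugins):
        flag = plugin.find("enabled")
        enabled[plugin.tag] = flag is not None and (flag.text or "").strip().lower() == "true"
    return enabled


def _state(policy: dict[str, bool], tag: str) -> str:
    if tag not in policy:
        return "-"  # rule not listed in the file at all
    return "on" if policy[tag] else "off"


def diff_policies(a: dict[str, bool], b: dict[str, bool]) -> dict:
    """Enabled-in-both / only-a / only-b lists plus one row per rule whose state differs."""
    tags = sorted(set(a) | set(b), key=_plugin_number)
    both = [t for t in tags if a.get(t) and b.get(t)]
    only_a = [t for t in tags if a.get(t) and not b.get(t)]
    only_b = [t for t in tags if b.get(t) and not a.get(t)]
    rows = [(t, _state(a, t), _state(b, t)) for t in tags if _state(a, t) != _state(b, t)]
    return {"both": both, "only_a": only_a, "only_b": only_b, "rows": rows}


def merge_policies(name: str, a_xml: str, b_xml: str) -> str:
    """Superset policy: a rule is enabled if either input enables it.

    Plugin elements come from a_xml where present, otherwise are copied from
    b_xml, so per-rule level/strength settings survive the merge.
    """
    a_root, b_root = ET.fromstring(a_xml), ET.fromstring(b_xml)
    a_root.find("policy").text = name
    a_plugins = a_root.find("plugins")
    known = {p.tag: p for p in a_plugins}
    for plugin in b_root.find("plugins"):
        if plugin.tag not in known:
            a_plugins.append(plugin)
            known[plugin.tag] = plugin
    for tag, is_on in load_policy(b_xml).items():
        if is_on:  # force-enable anything b enables; a's own enables are already set
            flag = known[tag].find("enabled")
            if flag is None:
                flag = ET.SubElement(known[tag], "enabled")
            flag.text = "true"
    return '<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n' + ET.tostring(a_root, encoding="unicode")


def enabled_count(policy: dict[str, bool]) -> int:
    return sum(1 for on in policy.values() if on)


if __name__ == "__main__":
    minimal, full = load_policy(API_MINIMAL), load_policy(API)
    d = diff_policies(minimal, full)
    print(f"Enabled in BOTH ({len(d['both'])}):", " ".join(d["both"]))
    print(f"Enabled ONLY in API-Minimal ({len(d['only_a'])}):", " ".join(d["only_a"]))
    print(f"Enabled ONLY in API ({len(d['only_b'])}):", " ".join(d["only_b"]))
    print("Differences (minimal | full):")
    for tag, sa, sb in d["rows"]:
        print(f"  {tag:<7} {sa:>3} | {sb:<3}")
    merged = load_policy(merge_policies("API-Superset", API_MINIMAL, API))
    print(f"superset enables {enabled_count(merged)} rules "
          f"(vs. {enabled_count(minimal)} in API-Minimal, {enabled_count(full)} in API)")
```

Replace the two embedded strings with the contents of the real exported files to get the same three lists and the difference table for the actual policies; the merged document can be imported back into ZAP as a new policy. Note that the superset is a union over `enabled` only, so rules that one file lists as `off` and the other omits stay disabled, which is why "off"/"-" rows do not add to the enabled count.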