Active scan vs active scan policy

[Joan]

Hi,

In the ZAP Automation Framework, I see that both the activeScan and activeScan-policy jobs allow setting scan policy options like defaults  rules, thresholds, and  strength .

Can you explain the actual difference between these two job types? when to use each job

Thanks in advance!

[Simon Bennetts]

Hi Joan,

Good question :)

The activeScan-policy job allows you to configure an active scan policy. It does not actually do any scanning.

The activeScan job performs the active scan. It allows you to either use a build in policy, a policy thats been created by the activeScan-policy job, or one thats specified "inline".

We also have a sequence-activeScan job which allows you to active scan sequences.

If you want to perform any active scanning then you have to use either the activeScan job or the sequence-activeScan job.

You do not need to use the activeScan-policy job, but you may find it useful, especially if you want to use the same policy for both jobs.

Does that make sense?

Cheers,

Simon