Hi,
I am running a scan with zap-api-scan.py through docker.
The problem is that it also scans the SPA routes, so I end up with alerts in my API report that I do not want. (A separate baseline scan is running against the SPA).
I am able to provide a context file to the scan, in order to try and include/exclude certain URLs so that I do not get the SPA alerts. The context file is picked up correctly: I can set "incregexes" to "https://my-site.example.*" and the scan runs fine. If I then set "incregexes" to "https://my-site.example/api.*" I get an error of "URL_NOT_IN_CONTEXT". Setting "excregexes" to "^((?!api).)*$", i.e. exclude URLs that do not contain "api", gives the same error.
So I assume when I use the incregexes and excregexes, the scan is always trying to start at the root URL, hence throws the error that the URL is not in the context?
Hoping you can provide some other ideas on how I can filter these alerts out please?
Is there a way to get incregexes and excregexes to work how I am trying? Can I create an alert filter that applies to all alerts and exclude the URL there? Is there an alternative?
IMO the best solution is to not even scan other URLs and only hit the ones in the OpenAPI spec, but if that can't be done then I will just have to take a more verbose approach to filtering out the alerts from non-API routes.
Many thanks,
Jack
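A small check of the three regex configurations described in the post, added here as an illustration and not ZAP's own code. It assumes a simplified model of a ZAP context check (a URL is in context when it fully matches at least one include regex and none of the exclude regexes), assumes the broad include regex stays in place when only "excregexes" is set, and uses a constructed hostname and constructed sample URLs.

```python
import re

# Constructed sample URLs standing in for the scan's root target, the API
# routes and the SPA routes (hypothetical hostname, not a real site).
ROOT_URL = "https://my-site.example/"
SAMPLE_URLS = [
    ROOT_URL,                                 # URL the scan starts from
    "https://my-site.example/api/users",      # API route
    "https://my-site.example/api/orders/42",  # API route
    "https://my-site.example/dashboard",      # SPA route
    "https://my-site.example/login",          # SPA route
]

# The three configurations from the post. Assumption: when only
# "excregexes" is set, the broad include regex from the working run stays.
CONFIGS = {
    "include everything": (["https://my-site.example.*"], []),
    "include only /api": (["https://my-site.example/api.*"], []),
    "exclude non-api (negative lookahead)": (
        ["https://my-site.example.*"], [r"^((?!api).)*$"]),
}


def in_context(url, incregexes, excregexes):
    """Simplified model of a context check (assumption, not ZAP's code):
    the URL must fully match at least one include regex and must not
    fully match any exclude regex. fullmatch mirrors Java's matches()."""
    if not any(re.fullmatch(rx, url) for rx in incregexes):
        return False
    return not any(re.fullmatch(rx, url) for rx in excregexes)


def classify(incregexes, excregexes, urls=SAMPLE_URLS):
    """Map each sample URL to whether it is in context under this config."""
    return {url: in_context(url, incregexes, excregexes) for url in urls}


def root_in_context(config_name):
    """True if the scan's starting URL survives the named configuration."""
    incregexes, excregexes = CONFIGS[config_name]
    return in_context(ROOT_URL, incregexes, excregexes)


def main():
    for name, (inc, exc) in CONFIGS.items():
        print(f"== {name} ==")
        for url, ok in classify(inc, exc).items():
            print(f"  {'in ' if ok else 'OUT'}  {url}")
        print(f"  root URL in context: {root_in_context(name)}\n")


if __name__ == "__main__":
    main()
```

Under this model the root URL drops out of context in both failing configurations, which is consistent with the URL_NOT_IN_CONTEXT error being about the starting URL rather than the API paths: the "/api.*" include never matches the root, and the negative-lookahead exclude matches every URL without "api" in it, the root included. The same run also shows that the lookahead exclude does keep the API routes and drop the SPA routes, so the filtering idea itself is sound as long as the URL the scan starts from remains in context.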