Anyone have experience using the ZAP docker images to scan sites? I have a context file I’m feeding the full scan image but it appears to only scan the top level and not recurse. I can see it authenticating and running the checks, but it finds only 12 URLs whereas other scanners find 212. #dast #zaproxy
@willasaywhat yes, but we use our own orchestration, and don’t use the context thingy at all.
@Apiary How does that work? I’m just trying to give it authentication params via context so it can do an authenticated scan.
@willasaywhat we use bearer tokens, so we just grab those and then set them in the replacer.
I have other sites that I’ve set up with more complex scripting for login, but I’ve never managed to use ZAP’s built-in authentication mechanisms, because they haven’t worked for anything we have (although maybe they do now). In all cases I set the authenticated token either with the replacer or the HTTP session value.
@Apiary Ah okay. That honestly would probably be way easier. I just have to sort out why the crawler isn’t working right.
@willasaywhat so we use the HTTP API and just tell it to run each step. I don’t know if that makes a difference. The other thing is sometimes you have to use the AJAX spider, and I think it might not work out of the box on the provided image.