The .zap directory contains the security rules and configurations used by the Dynamic Application Security Testing (DAST) workflows, specifically tailored for the ZAP (Zed Attack Proxy) scanner.

Purpose

It holds custom rule overrides to ignore certain alerts or findings that are either false positives or accepted risks for the project.
This helps reduce noise in security reports and focus attention on relevant vulnerabilities.
Ensures that automated DAST scans produce actionable and meaningful results without excessive false alarms

`rules.tsv` File

The rules.tsv file is a tab-separated values file defining which security alerts should be ignored by the ZAP scanner during DAST analysis.

Format

ID	Action	Reason
10020	IGNORE	Content Security Policy (CSP) Header Not Set

ID: Numeric identifier of the ZAP alert.
Action: The action to take on the alert (e.g., IGNORE).
Reason: Explanation or justification for ignoring the alert.

Sample Entries

ID	Action	Reason
10020	IGNORE	Content Security Policy (CSP) Header Not Set
10021	IGNORE	X-Content-Type-Options Header Missing
90033	IGNORE	Web Browser XSS Protection Not Enabled
10036	IGNORE	Server Leaks Version Information via Header

These rules explicitly ignore common or expected warnings such as missing security headers or informational disclosures that have been reviewed and accepted.

Usage

The .zap/rules.tsv file is referenced by the DAST workflows during automated scans.

Purpose

rules.tsv File

Format

Sample Entries

Usage

`rules.tsv` File