AZ-400 · Question #526
Hotspot Question You have a GitHub repository named Repo1 and an app named App1. Repo1 stores the source code for App1. You need to perform the following tests: Which GitHub action should you use for
The correct answer is Test1:: ZAP Baseline Scan; Test2:: ZAP Full Scan. This question tests knowledge of OWASP ZAP (Zed Attack Proxy) GitHub Actions and their specific use cases for different types of security scanning in a CI/CD pipeline.
Question
Exhibit
Answer Area
- Test1:ZAP Baseline ScanZAP API ScanZAP Baseline ScanZAP Full Scan
- Test2:ZAP Full ScanZAP API ScanZAP Baseline ScanZAP Full Scan
Explanation
This question tests knowledge of OWASP ZAP (Zed Attack Proxy) GitHub Actions and their specific use cases for different types of security scanning in a CI/CD pipeline.
Approach. Test1 requires a passive security scan, which maps to the ZAP Baseline Scan GitHub Action - it crawls the web application passively without attacking it, making it safe for production-like environments and quick CI checks. Test2 requires a more thorough scan that includes AJAX spidering (for JavaScript-heavy single-page applications), which maps to the ZAP Full Scan GitHub Action - it performs active scanning and can be configured to include the AJAX spider to discover content rendered dynamically by JavaScript frameworks. The ZAP Baseline Scan is read-only and non-intrusive, while the ZAP Full Scan actively probes for vulnerabilities and handles modern web app architectures through AJAX spidering.
Concept tested. Understanding of OWASP ZAP GitHub Actions - specifically the distinction between ZAP Baseline Scan (passive, non-intrusive, quick) and ZAP Full Scan (active, comprehensive, supports AJAX spidering for dynamic web applications) - and how to apply them appropriately in a DevSecOps pipeline.
Reference. https://github.com/marketplace/actions/owasp-zap-baseline-scan and https://github.com/marketplace/actions/owasp-zap-full-scan
Topics
Community Discussion
No community discussion yet for this question.
