nerdexam
Microsoft

AZ-400 · Question #526

Hotspot Question You have a GitHub repository named Repo1 and an app named App1. Repo1 stores the source code for App1. You need to perform the following tests: Which GitHub action should you use for

The correct answer is Test1:: ZAP Baseline Scan; Test2:: ZAP Full Scan. This question tests knowledge of OWASP ZAP (Zed Attack Proxy) GitHub Actions and their specific use cases for different types of security scanning in a CI/CD pipeline.

Submitted by jordan8· Mar 6, 2026Design and implement build and release pipelines

Question

Hotspot Question You have a GitHub repository named Repo1 and an app named App1. Repo1 stores the source code for App1. You need to perform the following tests: Which GitHub action should you use for each test? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer: Expplanation: Test1: Use the ZAP Baseline Scan for passive scanning. Test2: Use the ZAP Full Scan, which will inherently include the ability to perform AJAX spidering if configured correctly.

Exhibit

AZ-400 question #526 exhibit

Answer Area

  • Test1:ZAP Baseline Scan
    ZAP API ScanZAP Baseline ScanZAP Full Scan
  • Test2:ZAP Full Scan
    ZAP API ScanZAP Baseline ScanZAP Full Scan

Explanation

This question tests knowledge of OWASP ZAP (Zed Attack Proxy) GitHub Actions and their specific use cases for different types of security scanning in a CI/CD pipeline.

Approach. Test1 requires a passive security scan, which maps to the ZAP Baseline Scan GitHub Action - it crawls the web application passively without attacking it, making it safe for production-like environments and quick CI checks. Test2 requires a more thorough scan that includes AJAX spidering (for JavaScript-heavy single-page applications), which maps to the ZAP Full Scan GitHub Action - it performs active scanning and can be configured to include the AJAX spider to discover content rendered dynamically by JavaScript frameworks. The ZAP Baseline Scan is read-only and non-intrusive, while the ZAP Full Scan actively probes for vulnerabilities and handles modern web app architectures through AJAX spidering.

Concept tested. Understanding of OWASP ZAP GitHub Actions - specifically the distinction between ZAP Baseline Scan (passive, non-intrusive, quick) and ZAP Full Scan (active, comprehensive, supports AJAX spidering for dynamic web applications) - and how to apply them appropriately in a DevSecOps pipeline.

Reference. https://github.com/marketplace/actions/owasp-zap-baseline-scan and https://github.com/marketplace/actions/owasp-zap-full-scan

Topics

#GitHub Actions#security testing#OWASP ZAP#DAST#SAST

Community Discussion

No community discussion yet for this question.

Full AZ-400 Practice