What I'm doing is:
Starting ZAP to listen on some port
zap.bat -daemon -host localhost -port 2355 -config api.disablekey=true
Starting a new session
curl -X GET "http://localhost:2355/JSON/core/action/newSession/?zapapiformat=JSON&formMethod=GET&name=&overwrite=" -H "cache-control: no-cache"
Through the REST service, giving it a context that includes only one URL pattern
curl -X GET "http://localhost:2355/JSON/context/action/importContext/?zapapiformat=JSON&formMethod=GET&contextFile=some-test-context.context" -H "cache-control: no-cache"
Here I launch a Selenium test with the browser bound to the proxy on port 2355
Starting the spider
curl -X GET "http://localhost:2355/JSON/spider/action/scan/?zapapiformat=JSON&apikey=&formMethod=GET&url=&maxChildren=&recurse=&contextName=some-test-context&subtreeOnly=" -H "cache-control: no-cache"
Starting the active scan
curl -X GET "http://localhost:2355/JSON/ascan/action/scan/?zapapiformat=JSON&apikey=&formMethod=GET&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2" -H "cache-control: no-cache"
(2, because there is always the id#1 context, the Default one)
And in the end I'm getting the report
curl -X GET "http://localhost:2355/OTHER/core/other/htmlreport/?formMethod=GET" -H "cache-control: no-cache" -H "content: application/json"
I'm pretty sure the context path is correct and exists (no read error). I'm pretty sure I specified the correct name of the context and the id.
Anyway, when I get the report, there are scan results NOT only on the URL from the context, but also on production links, 3rd party sites, etc.
Am I expecting something wrong or forgetting something?
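
Added example (not part of the original post): one way to check which alerts fall outside the context is to partition them by the context's include patterns and count the out-of-context ones per host. The pattern, hosts and alerts below are constructed, the function names are hypothetical, and the code assumes a pattern must match the whole URL; it uses Python's `re`, whose dialect can differ from the Java regexes ZAP stores.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed include pattern, standing in for the single URL pattern in the context.
INCLUDE_REGEXES = [r"https://test\.example\.com/app.*"]

# Constructed alerts; only the "url", "alert" and "risk" fields are used.
SAMPLE_ALERTS = [
    {"url": "https://test.example.com/app/login", "alert": "X-Frame-Options Header Not Set", "risk": "Medium"},
    {"url": "https://test.example.com/app/search?q=1", "alert": "Cross Site Scripting (Reflected)", "risk": "High"},
    {"url": "https://www.example.com/", "alert": "Cookie No HttpOnly Flag", "risk": "Low"},
    {"url": "https://cdn.thirdparty.example/lib.js", "alert": "Cross-Domain JavaScript Source File Inclusion", "risk": "Low"},
    {"url": "https://www.example.com/about", "alert": "X-Content-Type-Options Header Missing", "risk": "Low"},
]

def in_context(url, include, exclude=()):
    """True if url matches an include pattern and no exclude pattern.

    Assumption: a pattern must match the whole URL, hence fullmatch().
    """
    if any(re.fullmatch(p, url) for p in exclude):
        return False
    return any(re.fullmatch(p, url) for p in include)

def split_alerts(alerts, include, exclude=()):
    """Partition alerts into (inside_context, outside_context)."""
    inside, outside = [], []
    for alert in alerts:
        bucket = inside if in_context(alert["url"], include, exclude) else outside
        bucket.append(alert)
    return inside, outside

def outside_hosts(alerts, include, exclude=()):
    """Count out-of-context alerts per host, showing where the extra findings come from."""
    _, outside = split_alerts(alerts, include, exclude)
    return Counter(urlsplit(a["url"]).netloc for a in outside)

if __name__ == "__main__":
    inside, outside = split_alerts(SAMPLE_ALERTS, INCLUDE_REGEXES)
    print(f"{len(inside)} alerts inside the context, {len(outside)} outside")
    for host, n in outside_hosts(SAMPLE_ALERTS, INCLUDE_REGEXES).most_common():
        print(f"  {n:3d}  {host}")
```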