0
votes

When starting a scan with docker run -t owasp/zap2docker-stable zap-baseline.py -t https://10.1.2.3/zapwave the spider will follow back to the root URL https://10.1.2.3 and continue to scan out-of-scope items, e.g. /ghost, /mono, /webgoat

Is it possible to limit the scan scope to just the specified directory or below? The web application in this example is OWASP DVWA.


1 Answer

2
votes

You haven't passed it a context file from which it would constrain the scope.

The baseline scan documentation is here: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan

In particular, you probably care about: -n context_file (context file which will be loaded prior to spidering the target)

You should probably also have a look at: https://blog.mozilla.org/security/2017/01/25/setting-a-baseline-for-web-security-controls/

Also, it's probably easiest to configure, test, and export the context from the GUI before trying to use it with automation.
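As an added example, not taken from the question or the answer: a script that writes a minimal ZAP context confining the scan to https://10.1.2.3/zapwave and below, checks sample URLs against the same include/exclude regexes, and shows the docker invocation with the context passed via -n. It assumes that ZAP accepts a context file carrying only name/inscope/incregexes/excregexes (a GUI export contains more elements), that the working directory is mounted as /zap/wrk so the file is found by bare name, and the logout exclusion is a constructed example.

```shell
#!/bin/sh
# Added example, not the asker's or answerer's code. Assumption: ZAP imports a
# context with only name/inscope/incregexes/excregexes; a GUI export has more.
TARGET='https://10.1.2.3/zapwave'
# (/.*)? keeps /zapwave2 out of scope, which a bare .* would let in.
INCLUDE_RE='https://10\.1\.2\.3/zapwave(/.*)?'
# Constructed exclusion so the spider does not kill its own session.
EXCLUDE_RE='https://10\.1\.2\.3/zapwave/logout\.php.*'

# Write the context file into the current directory; that directory is mounted
# into the container as /zap/wrk (assumption: zap-baseline.py resolves -n there).
write_context() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
  <context>
    <name>zapwave</name>
    <inscope>true</inscope>
    <incregexes>${INCLUDE_RE}</incregexes>
    <excregexes>${EXCLUDE_RE}</excregexes>
  </context>
</configuration>
EOF
}

# Mirror ZAP's scope rule: a URL is in scope when it matches an include regex
# and no exclude regex. Returns 0 (in scope) or 1 (out of scope).
in_scope() {
  printf '%s\n' "$1" | grep -Eq "^${INCLUDE_RE}\$" || return 1
  printf '%s\n' "$1" | grep -Eq "^${EXCLUDE_RE}\$" && return 1
  return 0
}

# Generate the context and run the baseline scan against it.
# Usage: run_scan   (requires Docker; not invoked automatically here)
run_scan() {
  write_context zapwave.context
  docker run -t -v "$(pwd):/zap/wrk/:rw" owasp/zap2docker-stable \
    zap-baseline.py -t "$TARGET" -n zapwave.context
}

# Quick self-check of the scope rule before spending a scan on it.
for u in "$TARGET/vulnerabilities/sqli/" "https://10.1.2.3/ghost" "https://10.1.2.3/zapwave/logout.php"; do
  if in_scope "$u"; then echo "in scope:  $u"; else echo "out of scope: $u"; fi
done
```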