| 1 | +--- |
| 2 | +title: "Configuring Scan Policies with Alert Tags" |
| 3 | +summary: "A new feature in ZAP's automation framework allows you to configure scan policies using alert tags, making it easier to target specific types of vulnerabilities without manually managing individual scan rules." |
| 4 | +images: |
| 5 | +- https://www.zaproxy.org/blog/2025-08-15-configuring-scan-policies-with-alert-tags/images/policy-tags.png |
| 6 | +type: post |
| 7 | +tags: |
| 8 | + - blog |
| 9 | + - update |
| 10 | + - automation |
| 11 | + - scanrules |
| 12 | + - policies |
| 13 | +date: "2025-08-15" |
| 14 | +authors: |
| 15 | + - akshath |
| 16 | +--- |
| 17 | + |
| 18 | +ZAP's automation framework is getting a powerful new feature that will make configuring scan policies much more intuitive and maintainable. |
| 19 | +In addition to manually specifying individual scan rule IDs, you can now configure policies using alert tags to target specific categories of vulnerabilities. |
| 20 | + |
| 21 | +## What are Alert Tags? |
| 22 | + |
| 23 | +Alert tags are metadata associated with ZAP's scan rules that categorize them by various characteristics. |
| 24 | +For example, rules might be tagged with `OWASP_2021_A01`, `PCI_DSS`, or `TEST_TIMING`. |
| 25 | + |
| 26 | +A full list of alert tags on the default scan rules is available [here](/alerttags/). |
| 27 | +It's also very easy to add custom alert tags to your own scan rules (e.g. via [scan rule script metadata](/blog/2024-07-17-script-scan-rules/)). |
| 28 | + |
| 29 | +## Scan Policies |
| 30 | + |
| 31 | +The new feature adds an `alertTags` section to policy definitions in both `activeScan` and `activeScan-policy` jobs. This allows you to: |
| 32 | + |
| 33 | +- **Include rules by tags**: Specify patterns to include scan rules that match certain alert tags |
| 34 | +- **Exclude rules by tags**: Exclude specific rules from your included set |
| 35 | +- **Set strength and threshold**: Configure attack strength and alert threshold for the matched rules, overriding the default policy settings |
| 36 | +- **Use regex patterns**: Support for regular expressions in tag matching for flexible rule selection |
| 37 | + |
| 38 | +## Configuration Example |
| 39 | + |
| 40 | +Here's how you can configure a scan policy using alert tags: |
| 41 | + |
| 42 | +```yaml |
| 43 | +jobs: |
| 44 | + - type: activeScan-policy |
| 45 | + parameters: |
| 46 | + name: all non-timing OWASP top 10 rules |
| 47 | + policyDefinition: |
| 48 | + defaultStrength: medium |
| 49 | + defaultThreshold: "off" # Disable all rules by default |
| 50 | + alertTags: |
| 51 | + include: |
| 52 | + - "OWASP_.*" # All OWASP Top 10 Rules |
| 53 | + exclude: |
| 54 | + - "TEST_TIMING" # Exclude timing related rules |
| 55 | + strength: high |
| 56 | + threshold: low |
| 57 | + rules: |
| 58 | + # You can still specify individual rules alongside alert tags, and these take precedence |
| 59 | + - id: 40012 |
| 60 | + name: "Cross Site Scripting (Reflected)" |
| 61 | + strength: medium |
| 62 | + threshold: "off" |
| 63 | +``` |
| 64 | +
|
| 65 | +## How It Works |
| 66 | +
|
| 67 | +When ZAP processes the policy definition: |
| 68 | +
|
| 69 | +1. **Default behavior**: All rules start with the default strength and threshold settings |
| 70 | +2. **Alert tag processing**: Rules matching the `include` patterns are enabled with the specified alert tag strength and threshold |
| 71 | +3. **Exclusion filtering**: Rules matching any `exclude` pattern are removed from the included set |
| 72 | +4. **Individual rule overrides**: Explicitly listed rules under the `rules` section take precedence over alert tag settings |
| 73 | + |
| 74 | +This hierarchy ensures that you have full control while benefiting from the convenience of tag-based selection. |
| 75 | + |
| 76 | +## GUI Support |
| 77 | + |
| 78 | +The feature also includes GUI support with a new "Policy Alert Tags" tab in the Active Scan dialogs. This provides: |
| 79 | + |
| 80 | +- Visual interface for managing included and excluded tag patterns |
| 81 | +- Dropdown lists populated with available alert tags from active scan rules |
| 82 | +- Validation of regular expression patterns |
| 83 | +- Easy addition and removal of tag patterns |
| 84 | + |
| 85 | + |
| 86 | + |
| 87 | +## Availability |
| 88 | + |
| 89 | +This feature is currently available in the development branch and will be included in an upcoming automation add-on release. You can try it out by building from the latest source code or using the weekly development builds. |
| 90 | + |
| 91 | +The feature enhances ZAP's automation capabilities while maintaining backward compatibility with existing policy configurations. Your current `rules` sections will continue to work exactly as before. |
| 92 | + |
| 93 | +If you have any thoughts, comments, or questions about this feature, [get in touch](/community/). |
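Review bot: the "Scan Policies" and "How It Works" sections never say how the `include`/`exclude` patterns are matched against a rule's tags, so a reader cannot tell whether `"OWASP_.*"` and `"TEST_TIMING"` must match the whole tag or just a substring of it; one sentence stating the matching semantics (for example "each pattern is a Java regular expression that must match the complete tag") would make the example reproducible. Step 3 ("Rules matching any `exclude` pattern are removed from the included set") should also state what strength and threshold an excluded rule falls back to; the example only works as described because `defaultThreshold: "off"` is set, and with a different default an excluded rule would still run at the default settings rather than be disabled. Finally, the `strength` and `threshold` keys under `alertTags` are shown but their optionality is not documented; saying whether they are required, and that the policy defaults apply when they are omitted, would round out the reference.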