Demo DAST Ignore Rules

1. Identify the Unexpected-Content-Type Warning
2. Generate and Customize the ZAP Rule Configuration
3. Update Your Jenkins Pipeline
4. (Optional) Front-End Cosmetic Change for Demo
5. Commit, Merge, and Sync with Argo CD
6. Troubleshoot Token-Parsing Errors
7. Verify Final DAST Results
Summary & Next Steps
Links and References

In this walkthrough, we’ll adapt our Dynamic Application Security Testing (DAST) with OWASP ZAP to ignore a specific warning—“Unexpected Content-Type”—so that the Jenkins build can proceed uninterrupted.

1. Identify the Unexpected-Content-Type Warning

Run the standard ZAP API scan:

chmod 777 "$(pwd)"
docker run -v "$(pwd)":/zap/wrk/:rw ghcr.io/zaproxy/zap-api-scan.py \
  -t http://134.209.155.222:30000/api-docs/ \
  -f openapi \
  -r zap_report.html \
  -w zap_report.md \
  -J zap_json_report.json \
  -x zap_xml_report.xml

You’ll see:

WARN: NEW: Unexpected Content-Type was returned [100001]

Normally this requires a code fix, but for demo purposes we’ll instruct ZAP to ignore this rule.

2. Generate and Customize the ZAP Rule Configuration

ZAP supports three levels for each rule:

Level	Behavior
FAIL	Treat as error and exit non-zero
WARN	Report warning but continue (default)
IGNORE	Skip reporting the rule entirely

Generate the default config:

docker run --rm ghcr.io/zaproxy/zap-api-scan.py -g zap_default.conf

Open zap_default.conf—you’ll see lines like:

0       WARN (Directory Browsing - Active/release)
10019   WARN (Content-Type Header Missing - Passive/release)
...

Modify or add the entry for rule 100001 with single tabs:

100001<TAB>IGNORE<TAB>http://134.209.155.222:30000/api-docs/

Save this as zap_ignore_rules.

Be sure to use single tab separators. Mixing spaces or multiple tabs will cause parsing errors.

3. Update Your Jenkins Pipeline

In your Jenkinsfile, add the -c zap_ignore_rules flag to the DAST stage:

stage('DAST - OWASP ZAP') {
    when { branch 'PR*' }
    steps {
        sh '''
        chmod 777 "$(pwd)"
        docker run -v "$(pwd)":/zap/wrk/:rw ghcr.io/zaproxy/zap-api-scan.py \
          -t http://134.209.155.222:30000/api-docs/ \
          -f openapi \
          -r zap_report.html \
          -w zap_report.md \
          -J zap_json_report.json \
          -x zap_xml_report.xml \
          -c zap_ignore_rules
        '''
    }
    post {
        always {
            publishHTML(
                allowMissing: true,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: './',
                reportFiles: 'zap_report.html',
                reportName: 'DAST - OWASP ZAP Report'
            )
        }
    }
}

4. (Optional) Front-End Cosmetic Change for Demo

Add extra rockets in index.html to visualize a change in your application:

<body>
  <div>
    <a href="index.html">
      <button style="font-size:40px;">
        <i class="fa fa-rocket"></i> SOLAR <i class="fa fa-rocket"></i> SYSTEM
      </button>
    </a>
  </div>
</body>

5. Commit, Merge, and Sync with Argo CD

Commit your changes and open a Pull Request.
After merge, confirm in Jenkins:

The image shows a Jenkins pipeline interface for a project named "solar-system" under "Gitea-Organization," displaying various stages of a CI/CD process, including unit testing, code coverage, and deployment steps. It also includes a prompt asking if the pull request is merged and ArgoCD is synced, with options to confirm or abort.

In Argo CD, sync the solar-system application:

The image shows the Argo CD dashboard displaying two applications: "bitnami-sealed-secrets" and "solar-system-argo-app," with their respective statuses and details. The interface includes options to sync, refresh, or delete the applications.

Once synced, inspect the updated replica set and pods:

The image shows an Argo CD application dashboard with a visual representation of a deployment pipeline, indicating the sync status and health of various components in a Kubernetes environment.

6. Troubleshoot Token-Parsing Errors

If you see:

Failed to load config file zap_ignore_rules: Unexpected number of tokens on line - there should be at least 3, tab separated: 100001 IGNORE

Then your zap_ignore_rules likely has spaces instead of tabs.

Open the file in an editor and ensure exactly one <TAB> between each field:

vi zap_ignore_rules
# Should read:
100001<TAB>IGNORE<TAB>http://134.209.155.222:30000/api-docs/

Recommit and rerun the pipeline.

7. Verify Final DAST Results

A successful DAST stage shows:

PASS: ...
IGNORE-NEW: Unexpected Content-Type was returned [100001] x 83
FAIL-NEW: 0 WARN: 0 INFO: 0 IGNORE: 1 PASS: 112

Open the HTML report to confirm the ignored rule no longer blocks your build:

The image shows a ZAP Scanning Report detailing security alerts for various websites, with a summary indicating low and informational risk levels.

Summary & Next Steps

In this lesson, we:

Ran OWASP ZAP DAST against our API
Generated and customized an ignore-rules file
Updated our Jenkins pipeline to use -c zap_ignore_rules
Published the HTML report in Jenkins
Synced changes via Argo CD
Troubleshot tab-delimited config errors

Next, we’ll explore integrating serverless deployments with AWS Lambda.

Links and References

Watch Video

Practice Lab

Demo DAST and Manual Input

Demo Publish Reports to AWS S3

Introduction and Basics

Jenkins Setup and Interface

Extending Jenkins and Administration

Jenkins Pipelines

Automation and Security

Setting up CI Pipeline

Code Quality and Testing

Containerization and Deployment

Kubernetes and GitOps

AWS Lambda and Advanced Deployment Techniques

Jenkins Administration and Monitoring - Part 1

Shared Libraries in Jenkins

Agents and Nodes in Jenkins

Pipeline Enhancement and Caching

Pipeline Structure and Scripted vs Declarative

Jenkins Administration and Monitoring - Part 2

Backup and Configuration Management

Demo DAST Ignore Rules

1. Identify the Unexpected-Content-Type Warning

2. Generate and Customize the ZAP Rule Configuration

3. Update Your Jenkins Pipeline

4. (Optional) Front-End Cosmetic Change for Demo

5. Commit, Merge, and Sync with Argo CD

6. Troubleshoot Token-Parsing Errors

7. Verify Final DAST Results

Summary & Next Steps

Links and References

Watch Video

Practice Lab

Introduction and Basics

Jenkins Setup and Interface

Extending Jenkins and Administration

Jenkins Pipelines

Automation and Security

Setting up CI Pipeline

Code Quality and Testing

Containerization and Deployment

Kubernetes and GitOps

AWS Lambda and Advanced Deployment Techniques

Jenkins Administration and Monitoring - Part 1

Shared Libraries in Jenkins

Agents and Nodes in Jenkins

Pipeline Enhancement and Caching

Pipeline Structure and Scripted vs Declarative

Jenkins Administration and Monitoring - Part 2

Backup and Configuration Management

Documentation Index

​1. Identify the Unexpected-Content-Type Warning

​2. Generate and Customize the ZAP Rule Configuration

​3. Update Your Jenkins Pipeline

​4. (Optional) Front-End Cosmetic Change for Demo

​5. Commit, Merge, and Sync with Argo CD

​6. Troubleshoot Token-Parsing Errors

​7. Verify Final DAST Results

​Summary & Next Steps

​Links and References

Watch Video

Practice Lab

1. Identify the Unexpected-Content-Type Warning

2. Generate and Customize the ZAP Rule Configuration

3. Update Your Jenkins Pipeline

4. (Optional) Front-End Cosmetic Change for Demo

5. Commit, Merge, and Sync with Argo CD

6. Troubleshoot Token-Parsing Errors

7. Verify Final DAST Results

Summary & Next Steps

Links and References