
zap-api-scan.py: How to limit the time / recursion / depth?

Tags:

owasp

zap

I have a command for zap-api-scan.py, but unlike zap-full-scan.py, there seems to be no way to limit these.

via OWASP's official docker image:

docker run -v $(pwd):/zap/wrk/:rw \
    -t owasp/zap2docker-stable zap-api-scan.py \
    -t http://my-tld/api/graphql \
    -f graphql --schema schema.graphql

via ICTU's docker image:

docker run --rm -v $(pwd):/zap/wrk/:rw \
-t ictu/zap2docker-weekly zap-api-scan.py \
-t https://myapp.tld.com/api/graphql -f graphql \
-r testreport.html --hook=/zap/auth_hook.py --schema schema.graphql \
-z "auth.bearer_token=myapikey" \
-d -I

Do I have any options, whether it be through owasp/zap2docker-stable or ictu/zap2docker-weekly or through

Are there any config variables I can pass to zap-api-scan.py to limit the depth or run duration?

Note: This is for the zap-api-scan.py CLI script only.

Tony N asked Sep 19 '25 11:09


2 Answers

In case you are talking about the recursion depth of the GraphQL query generation process, you can make use of ZAP config options, like:

-z "-config graphql.maxQueryDepth=2 -config graphql.maxArgsDepth=2"

The default depth is 5 for both these options, so any value less than that should speed up the scan (at the cost of fewer queries generated and sent).

For more information about the flags, see https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/ .

ricekot answered Sep 23 '25 10:09


-T max time in minutes to wait for ZAP to start and the passive scan to run

Per:

  • https://www.zaproxy.org/docs/docker/api-scan/
  • https://www.zaproxy.org/docs/docker/full-scan/
  • Or using the -h switch to print the CLI help.

kingthorin answered Sep 23 '25 12:09
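Putting ricekot's depth caps (-z "-config graphql.maxQueryDepth=... -config graphql.maxArgsDepth=...") and kingthorin's -T time limit together in one wrapper, as an added example that is not from the question or either answer; the target URL, schema file name and the ZAP_IMAGE variable are placeholders and the helper function names are my own.

```shell
#!/bin/sh
# Added helper: builds and runs a zap-api-scan.py invocation that applies both
# limits from the answers above. Target URL, schema file and ZAP_IMAGE are
# placeholders (assumptions), not values from the page.

# Print the zap-api-scan.py arguments, one per line, for a GraphQL target.
#   depth   -> graphql.maxQueryDepth and graphql.maxArgsDepth (ZAP default 5;
#              anything lower reduces the generated queries and the run time)
#   minutes -> -T, max minutes to wait for ZAP to start and the passive scan to run
zap_api_scan_args() {
    target="$1" schema="$2" depth="${3:-2}" minutes="${4:-10}"
    for n in "$depth" "$minutes"; do
        # Reject empty, non-numeric, zero or leading-zero values before ZAP sees them.
        case "$n" in ''|*[!0-9]*|0*) echo "depth and minutes must be positive integers" >&2; return 1;; esac
    done
    printf '%s\n' \
        -t "$target" \
        -f graphql \
        --schema "$schema" \
        -T "$minutes" \
        -z "-config graphql.maxQueryDepth=$depth -config graphql.maxArgsDepth=$depth"
}

# Run the scan with the current directory mounted as /zap/wrk, as in the question.
# The builder output is split on newlines only, so the quoted -z value stays one argument.
zap_api_scan() {
    args=$(zap_api_scan_args "$@") || return 1
    old_ifs=$IFS; IFS='
'; set -f; set -- $args; IFS=$old_ifs; set +f
    docker run --rm -v "$(pwd):/zap/wrk/:rw" \
        -t "${ZAP_IMAGE:-owasp/zap2docker-stable}" zap-api-scan.py "$@"
}
```

Usage: `zap_api_scan https://myapp.tld.com/api/graphql schema.graphql 2 15` caps both GraphQL depths at 2 and gives ZAP 15 minutes; set ZAP_IMAGE=ictu/zap2docker-weekly to use the ICTU image instead.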