zap proxy scanner and excregexes options not being set via -config flag?


I'm trying to set configs when I start zap.sh as described here.

docker run -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.key=0123456789 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config scanner.strength=INSANE -config scanner.threshold=HIGH -config context.excregexes='^(?:(?!https?:\/\/example\.com).*).$'

But when I start a scan pointed at, say, google.com, it shows this in the logs:

16818 [Thread-10] INFO org.parosproxy.paros.core.scanner.HostProcess  - start host https://google.com | TestPathTraversal strength MEDIUM threshold MEDIUM

which suggests that the scanner strength and threshold changes are being ignored, along with my exclude regex for anything not on example.com. What am I doing wrong?

Note: Using owasp/zap2docker-stable, trying to run with a slightly modified version of this.

kingthorin

First, you seem to have tried to set Strength twice. Also, setting the default would only matter if the scanners were set to use the default.

Second, you should try setting/perfecting the regexes via the GUI until you're sure they are correct.
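One way to check the exclusion regex before putting it in the daemon command line, as an added example that is not part of the question or the answer: ZAP is a Java application and its context exclude regexes are Java patterns, but for a negative lookahead like this one Python's `re` module behaves the same, so the pattern can be checked offline against a handful of URLs. The URLs below are constructed, and `TIGHTER_EXCLUDE` is my own suggested variant, not something from the page; it exists to show a caveat of the original pattern, which keeps any host that merely starts with `example.com` (such as `example.com.evil.net`) in scope.

```python
import re

# Exclusion regex exactly as given in the question (ZAP's context.excregexes).
# A URL that MATCHES an exclude regex is taken out of the context, and therefore
# out of the scan. The `\/` escapes are harmless in both Java and Python regexes.
ORIGINAL_EXCLUDE = r'^(?:(?!https?:\/\/example\.com).*).$'

# Tighter variant (my own suggestion, not from the page): require the host to be
# followed by a port, a path, or end of string, so that a host that only starts
# with "example.com" (e.g. example.com.evil.net) is excluded as well.
TIGHTER_EXCLUDE = r'^(?!https?://example\.com(?:[:/]|$)).*$'


def is_excluded(url: str, pattern: str = ORIGINAL_EXCLUDE) -> bool:
    """Return True if ZAP would drop `url` from scope under this exclude regex."""
    return re.search(pattern, url) is not None


def in_scope_report(urls, pattern: str = ORIGINAL_EXCLUDE) -> dict:
    """Map each URL to 'in scope' or 'excluded' for the given pattern."""
    return {u: ("excluded" if is_excluded(u, pattern) else "in scope") for u in urls}


# Constructed sample URLs for the check (not real scan targets).
SAMPLE_URLS = [
    "https://example.com/login",
    "http://example.com",
    "https://google.com/search?q=zap",
    "https://example.co/",
    "https://example.com.evil.net/",
]

if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_EXCLUDE), ("tighter", TIGHTER_EXCLUDE)):
        print(f"--- {name}: {pattern}")
        for url, verdict in in_scope_report(SAMPLE_URLS, pattern).items():
            print(f"{verdict:9} {url}")
```

Running the script shows that with the original pattern `https://example.com.evil.net/` is reported as in scope, because the lookahead only checks that the URL does not begin with `https://example.com` and nothing requires a `/`, `:` or end of string after the host. Whichever pattern you settle on, confirm it in the GUI context settings as the answer suggests, since that is the same matcher the daemon will use.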