diff --git a/scripts/zap-baseline.sh b/scripts/zap-baseline.sh
index e9391c9..9efcdc8 100755
--- a/scripts/zap-baseline.sh
+++ b/scripts/zap-baseline.sh
@@ -5,7 +5,8 @@ set -euo pipefail
 # Usage: TARGET=https://test.lomavuokraus.fi ./scripts/zap-baseline.sh
 
 TARGET="${TARGET:-https://test.lomavuokraus.fi}"
-ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"
+# Defaults to GHCR image; override with ZAP_IMAGE if needed (e.g. zaproxy/zap-stable)
+ZAP_IMAGE="${ZAP_IMAGE:-ghcr.io/zaproxy/zaproxy:stable}"
 REPORT_DIR="${REPORT_DIR:-reports/security}"
 TIMEOUT_MINUTES="${TIMEOUT_MINUTES:-5}"