Baseline scan

• Script: scripts/zap-baseline.sh
• Default target: https://test.lomavuokraus.fi (override with TARGET).
• Reports: reports/security/zap-report.html (also JSON/XML).
• Example: TARGET=https://staging.lomavuokraus.fi ./scripts/zap-baseline.sh
• Duration: ~5 minutes by default (TIMEOUT_MINUTES env).
• Docker image: owasp/zap2docker-stable (override with ZAP_IMAGE).

Auth considerations

• The baseline scan is unauthenticated; it covers public pages and APIs.
• For authenticated testing, generate a session cookie manually and pass via -z extras in the script or run an active scan with a ZAP context file.
• Keep admin creds out of the script; prefer test accounts and the testing environment.

Next steps

• Add ZAP active scans with context + logged-in session for deeper coverage.
• Consider scheduling scans against test env before releases.
• Track findings in issues; rerun after auth/role changes.