quickstart: Add Scan Policy option to Automated Scan panel (#7300)

Author: Adarshkumar0509

addOns/quickstart/CHANGELOG.md

@@ -4,6 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
+### Added
+- Add Scan Policy option to the Automated Scan panel.
 
 
 ## [55] - 2026-03-09

addOns/quickstart/src/main/java/org/zaproxy/zap/extension/quickstart/AttackPanel.java

@@ -38,6 +38,8 @@
 import org.parosproxy.paros.model.SiteNode;
 import org.parosproxy.paros.view.View;
 import org.zaproxy.zap.extension.alert.ExtensionAlert;
+import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
+import org.zaproxy.zap.extension.ascan.PolicyManager;
 import org.zaproxy.zap.extension.search.SearchPanel;
 import org.zaproxy.zap.utils.DisplayUtils;
 import org.zaproxy.zap.view.LayoutHelper;
@@ -48,10 +50,12 @@ public class AttackPanel extends QuickStartSubPanel {
     private static final long serialVersionUID = 1L;
 
     private static final String DEFAULT_VALUE_URL_FIELD = "http://";
+    private static final String DEFAULT_SCAN_POLICY = "Dev Standard";
 
     private ImageIcon icon;
     private JButton attackButton;
     private JButton stopButton;
+    private JComboBox<String> policyField;
     private JComboBox<String> urlField;
     private DefaultComboBoxModel<String> urlModel;
     private JButton selectButton;
@@ -149,6 +153,11 @@ public JPanel getContentPanel() {
             urlSelectPanel.add(this.getUrlField(), LayoutHelper.getGBC(0, 0, 1, 0.5D));
             urlSelectPanel.add(selectButton, LayoutHelper.getGBC(1, 0, 1, 0.0D));
             contentPanel.add(urlSelectPanel, LayoutHelper.getGBC(2, formPanelY, 3, 0.25D));
+            contentPanel.add(
+                    new JLabel(Constant.messages.getString("quickstart.label.policy")),
+                    LayoutHelper.getGBC(
+                            1, ++formPanelY, 1, 0.0D, DisplayUtils.getScaledInsets(5, 5, 5, 5)));
+            contentPanel.add(getPolicyField(), LayoutHelper.getGBC(2, formPanelY, 1, 0.25D));
 
             traditionalSpiderY = ++formPanelY;
             plugableSpiderY = ++formPanelY;
@@ -173,6 +182,35 @@ public JPanel getContentPanel() {
         return contentPanel;
     }
 
+    private JComboBox<String> getPolicyField() {
+        if (policyField == null) {
+            policyField = new JComboBox<>();
+            ExtensionActiveScan extAscan =
+                    Control.getSingleton()
+                            .getExtensionLoader()
+                            .getExtension(ExtensionActiveScan.class);
+            if (extAscan != null) {
+                extAscan.getPolicyManager().getAllPolicyNames().forEach(policyField::addItem);
+            }
+        }
+        return policyField;
+    }
+
+    private void selectScanPolicy() {
+        String savedPolicy = getExtensionQuickStart().getQuickStartParam().getScanPolicyName();
+        if (!setPolicy(savedPolicy)) {
+            setPolicy(DEFAULT_SCAN_POLICY);
+        }
+    }
+
+    private boolean setPolicy(String policyName) {
+        if (policyName != null && PolicyManager.policyExists(policyName)) {
+            policyField.setSelectedItem(policyName);
+            return true;
+        }
+        return false;
+    }
+
     private JLabel getProgressLabel() {
         if (progressLabel == null) {
             progressLabel =
@@ -401,12 +439,17 @@ boolean attackUrl() {
             this.getUrlField().requestFocusInWindow();
             return false;
         }
+        String selectedPolicy = (String) policyField.getSelectedItem();
+        getExtensionQuickStart().getQuickStartParam().setScanPolicyName(selectedPolicy);
         this.getExtensionQuickStart().getQuickStartParam().addRecentUrl(urlStr);
         getAttackButton().setEnabled(false);
         getStopButton().setEnabled(true);
 
         getExtensionQuickStart()
-                .attack(url, traditionalSpider != null && traditionalSpider.isSelected());
+                .attack(
+                        url,
+                        traditionalSpider != null && traditionalSpider.isSelected(),
+                        selectedPolicy);
         setSpiderButtonsEnabled(false);
         return true;
     }
@@ -465,10 +508,11 @@ protected void notifyProgress(AttackThread.Progress progress, String msg) {
 
     public void optionsLoaded(QuickStartParam quickStartParam) {
         setRecentUrls();
+        selectScanPolicy();
     }
 
     public void optionsChanged(OptionsParam optionsParam) {
-        setRecentUrls();
+        optionsLoaded(optionsParam.getParamSet(QuickStartParam.class));
     }
 
     @Override

addOns/quickstart/src/main/java/org/zaproxy/zap/extension/quickstart/AttackThread.java

@@ -29,6 +29,7 @@
 import org.parosproxy.paros.model.SiteNode;
 import org.zaproxy.zap.extension.ascan.ActiveScan;
 import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
+import org.zaproxy.zap.extension.ascan.ScanPolicy;
 import org.zaproxy.zap.model.Target;
 import org.zaproxy.zap.network.HttpRequestConfig;
 import org.zaproxy.zap.utils.Stats;
@@ -52,6 +53,7 @@ public enum Progress {
     private PlugableSpider plugableSpider;
     private boolean stopAttack = false;
     private boolean useStdSpider;
+    private String scanPolicyName;
 
     private static final Logger LOGGER = LogManager.getLogger(AttackThread.class);
 
@@ -72,6 +74,10 @@ public void setTraditionalSpider(TraditionalSpider traditionalSpider) {
         this.traditionalSpider = traditionalSpider;
     }
 
+    public void setScanPolicyName(String scanPolicyName) {
+        this.scanPolicyName = scanPolicyName;
+    }
+
     public void setPlugableSpider(PlugableSpider plugableSpider) {
         this.plugableSpider = plugableSpider;
     }
@@ -191,7 +197,18 @@ public void run() {
                 return;
             } else {
                 extension.notifyProgress(Progress.ascan);
-                scanId = extAscan.startScan(target);
+                ScanPolicy scanPolicy = null;
+                if (scanPolicyName != null && !scanPolicyName.isEmpty()) {
+                    try {
+                        scanPolicy = extAscan.getPolicyManager().getPolicy(scanPolicyName);
+                    } catch (Exception ex) {
+                        LOGGER.warn("Failed to load policy {}, using default", scanPolicyName);
+                    }
+                }
+                if (scanPolicy == null) {
+                    scanPolicy = extAscan.getPolicyManager().getDefaultScanPolicy();
+                }
+                scanId = extAscan.startScan(target, null, new Object[] {scanPolicy});
             }
 
             try {

addOns/quickstart/src/main/java/org/zaproxy/zap/extension/quickstart/ExtensionQuickStart.java

@@ -312,13 +312,18 @@ public String getUIName() {
     }
 
     public void attack(URL url, boolean useStdSpider) {
+        attack(url, useStdSpider, null);
+    }
+
+    public void attack(URL url, boolean useStdSpider, String policyName) {
         if (attackThread != null && attackThread.isAlive()) {
             return;
         }
         attackThread = new AttackThread(this, useStdSpider);
         attackThread.setURL(url);
         attackThread.setTraditionalSpider(traditionalSpider);
         attackThread.setPlugableSpider(plugableSpider);
+        attackThread.setScanPolicyName(policyName);
         attackThread.start();
     }
 

addOns/quickstart/src/main/java/org/zaproxy/zap/extension/quickstart/QuickStartParam.java

@@ -63,6 +63,8 @@ public class QuickStartParam extends VersionedAbstractParam {
 
     private static final String PARAM_CLEARED_NEWS_ITEM = PARAM_BASE_KEY + ".clearedNews";
 
+    private static final String PARAM_SCAN_POLICY_NAME = PARAM_BASE_KEY + ".scanPolicyName";
+
     /**
      * The current version of the configurations. Used to keep track of configuration changes
      * between releases, in case changes/updates are needed.
@@ -90,6 +92,7 @@ public class QuickStartParam extends VersionedAbstractParam {
     private String ajaxSpiderSelection;
     private String ajaxSpiderDefaultBrowser;
     private String clearedNewsItem;
+    private String scanPolicyName;
 
     @Override
     protected void parseImpl() {
@@ -138,6 +141,11 @@ protected void parseImpl() {
         } catch (Exception e) {
             LOGGER.error("Failed to load the cleared news item configuration", e);
         }
+        try {
+            scanPolicyName = getConfig().getString(PARAM_SCAN_POLICY_NAME, "");
+        } catch (Exception e) {
+            LOGGER.error("Failed to load the cleared news item configuration", e);
+        }
     }
 
     @Override
@@ -250,6 +258,15 @@ public void addRecentUrl(String url) {
         QuickStartHelper.raiseOptionsChangedEvent();
     }
 
+    public String getScanPolicyName() {
+        return scanPolicyName;
+    }
+
+    public void setScanPolicyName(String scanPolicyName) {
+        this.scanPolicyName = scanPolicyName;
+        getConfig().setProperty(PARAM_SCAN_POLICY_NAME, scanPolicyName);
+    }
+
     public String getClearedNewsItem() {
         return clearedNewsItem;
     }

addOns/quickstart/src/main/javahelp/org/zaproxy/zap/extension/quickstart/resources/help/contents/quickstart.html

@@ -29,6 +29,11 @@ <H3>URL to attack</H3>
 This is because https://example.com/test/ is treated as a leaf node internally, which would mean that ZAP would not attack
 URLs like https://example.com/test/1 etc.
 
+<H3>Scan Policy</H3>
+
+The scan policy to use when performing the active scan.
+Note that the policies will not be shown dynamically, any added/removed policies will be missing until a restart is done.
+
 <H3>Use traditional spider</H3>
 
 The traditional spider explores the application by finding links in HTML pages. 

addOns/quickstart/src/main/resources/org/zaproxy/zap/extension/quickstart/resources/Messages.properties

@@ -87,6 +87,7 @@ quickstart.label.exploreurl = URL to explore:
 quickstart.label.hud = Enable HUD:
 quickstart.label.hud.warn.scope = Warning: the HUD is only enabled for URLs in scope
 quickstart.label.news = News
+quickstart.label.policy = Scan Policy:
 quickstart.label.progress = Progress:
 quickstart.label.show = Show this tab on start up:
 quickstart.label.tradspider = Use traditional spider:

addOns/quickstart/src/test/java/org/zaproxy/zap/extension/quickstart/QuickStartParamUnitTest.java

@@ -0,0 +1,67 @@
+/*
+ * Zed Attack Proxy (ZAP) and its related class files.
+ *
+ * ZAP is an HTTP/HTTPS proxy for assessing web application security.
+ *
+ * Copyright 2026 The ZAP Development Team
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.zaproxy.zap.extension.quickstart;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.is;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.zaproxy.zap.utils.ZapXmlConfiguration;
+
+/** Unit test for {@link QuickStartParam}. */
+class QuickStartParamUnitTest {
+
+    private QuickStartParam param;
+    private ZapXmlConfiguration configuration;
+
+    @BeforeEach
+    void setUp() {
+        param = new QuickStartParam();
+        configuration = new ZapXmlConfiguration();
+        param.load(configuration);
+    }
+
+    @Test
+    void shouldDefaultScanPolicyNameToEmpty() {
+        assertThat(param.getScanPolicyName(), is(equalTo("")));
+    }
+
+    @Test
+    void shouldSaveScanPolicyName() {
+        // Given
+        String policyName = "Test Policy";
+        // When
+        param.setScanPolicyName(policyName);
+        // Then
+        assertThat(param.getScanPolicyName(), is(equalTo(policyName)));
+    }
+
+    @Test
+    void shouldLoadScanPolicyNameFromConfig() {
+        // Given
+        configuration.setProperty("quickstart.scanPolicyName", "My Policy");
+        // When
+        param.load(configuration);
+        // Then
+        assertThat(param.getScanPolicyName(), is(equalTo("My Policy")));
+    }
+}