quickstart: Add Scan Policy option to Automated Scan panel

addOns/quickstart/CHANGELOG.md

@@ -4,6 +4,8 @@ All notable changes to this add-on will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
+### Added
+- Add Scan Policy option to the Automated Scan panel.
 
 
 ## [55] - 2026-03-09

addOns/quickstart/src/main/java/org/zaproxy/zap/extension/quickstart/AttackPanel.java

@@ -38,6 +38,7 @@
 import org.parosproxy.paros.model.SiteNode;
 import org.parosproxy.paros.view.View;
 import org.zaproxy.zap.extension.alert.ExtensionAlert;
+import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
 import org.zaproxy.zap.extension.search.SearchPanel;
 import org.zaproxy.zap.utils.DisplayUtils;
 import org.zaproxy.zap.view.LayoutHelper;
@@ -52,6 +53,7 @@ public class AttackPanel extends QuickStartSubPanel {
     private ImageIcon icon;
     private JButton attackButton;
     private JButton stopButton;
+    private JComboBox<String> policyField;
     private JComboBox<String> urlField;
     private DefaultComboBoxModel<String> urlModel;
     private JButton selectButton;
@@ -149,6 +151,11 @@ public JPanel getContentPanel() {
             urlSelectPanel.add(this.getUrlField(), LayoutHelper.getGBC(0, 0, 1, 0.5D));
             urlSelectPanel.add(selectButton, LayoutHelper.getGBC(1, 0, 1, 0.0D));
             contentPanel.add(urlSelectPanel, LayoutHelper.getGBC(2, formPanelY, 3, 0.25D));
+            contentPanel.add(
+                    new JLabel(Constant.messages.getString("quickstart.label.policy")),
+                    LayoutHelper.getGBC(
+                            1, ++formPanelY, 1, 0.0D, DisplayUtils.getScaledInsets(5, 5, 5, 5)));
+            contentPanel.add(getPolicyField(), LayoutHelper.getGBC(2, formPanelY, 1, 0.25D));
 
             traditionalSpiderY = ++formPanelY;
             plugableSpiderY = ++formPanelY;
@@ -173,6 +180,41 @@ public JPanel getContentPanel() {
         return contentPanel;
     }
 
+    private JComboBox<String> getPolicyField() {
+        if (policyField == null) {
+            policyField = new JComboBox<>();
+            ExtensionActiveScan extAscan =
+                    Control.getSingleton()
+                            .getExtensionLoader()
+                            .getExtension(ExtensionActiveScan.class);
+            if (extAscan != null) {
+                String savedPolicy =
+                        getExtensionQuickStart().getQuickStartParam().getScanPolicyName();
+                String defaultPolicy = null;
+                for (String name : extAscan.getPolicyManager().getAllPolicyNames()) {
+                    policyField.addItem(name);
+                    if ("Dev Standard".equals(name)) {
+                        defaultPolicy = name;
+                    }
+                }
+                if (savedPolicy != null && !savedPolicy.isEmpty()) {
+                    policyField.setSelectedItem(savedPolicy);
+                } else if (defaultPolicy != null) {
+                    policyField.setSelectedItem(defaultPolicy);
+                }
+            }
+        }
+        return policyField;
+    }
+
+    public String getSelectedPolicy() {
+        if (policyField == null) {
+            return null;
+        }
+        Object selected = policyField.getSelectedItem();
+        return selected != null ? selected.toString() : null;
+    }
+
     private JLabel getProgressLabel() {
         if (progressLabel == null) {
             progressLabel =
@@ -402,6 +444,7 @@ boolean attackUrl() {
             return false;
         }
         this.getExtensionQuickStart().getQuickStartParam().addRecentUrl(urlStr);
+        this.getExtensionQuickStart().getQuickStartParam().setScanPolicyName(getSelectedPolicy());
         getAttackButton().setEnabled(false);
         getStopButton().setEnabled(true);
 

addOns/quickstart/src/main/java/org/zaproxy/zap/extension/quickstart/AttackThread.java

@@ -29,6 +29,7 @@
 import org.parosproxy.paros.model.SiteNode;
 import org.zaproxy.zap.extension.ascan.ActiveScan;
 import org.zaproxy.zap.extension.ascan.ExtensionActiveScan;
+import org.zaproxy.zap.extension.ascan.ScanPolicy;
 import org.zaproxy.zap.model.Target;
 import org.zaproxy.zap.network.HttpRequestConfig;
 import org.zaproxy.zap.utils.Stats;
@@ -52,6 +53,7 @@ public enum Progress {
     private PlugableSpider plugableSpider;
     private boolean stopAttack = false;
     private boolean useStdSpider;
+    private String scanPolicyName;
 
     private static final Logger LOGGER = LogManager.getLogger(AttackThread.class);
 
@@ -72,6 +74,10 @@ public void setTraditionalSpider(TraditionalSpider traditionalSpider) {
         this.traditionalSpider = traditionalSpider;
     }
 
+    public void setScanPolicyName(String scanPolicyName) {
+        this.scanPolicyName = scanPolicyName;
+    }
+
     public void setPlugableSpider(PlugableSpider plugableSpider) {
         this.plugableSpider = plugableSpider;
     }
@@ -191,7 +197,17 @@ public void run() {
                 return;
             } else {
                 extension.notifyProgress(Progress.ascan);
-                scanId = extAscan.startScan(target);
+                ScanPolicy scanPolicy = null;
+                if (scanPolicyName != null && !scanPolicyName.isEmpty()) {
+                    try {
+                        scanPolicy = extAscan.getPolicyManager().getPolicy(scanPolicyName);
+                    } catch (Exception ex) {
+                        LOGGER.warn("Failed to load policy {}, using default", scanPolicyName);
+                    }
+                } else {
+                    scanPolicy = extAscan.getPolicyManager().getDefaultScanPolicy();
+                }
+                scanId = extAscan.startScan(target, null, new Object[] {scanPolicy});
             }
 
             try {

addOns/quickstart/src/main/java/org/zaproxy/zap/extension/quickstart/ExtensionQuickStart.java

@@ -319,6 +319,7 @@ public void attack(URL url, boolean useStdSpider) {
         attackThread.setURL(url);
         attackThread.setTraditionalSpider(traditionalSpider);
         attackThread.setPlugableSpider(plugableSpider);
+        attackThread.setScanPolicyName(getQuickStartPanel().getAttackPanel().getSelectedPolicy());
         attackThread.start();
     }
 

addOns/quickstart/src/main/java/org/zaproxy/zap/extension/quickstart/QuickStartParam.java

@@ -63,6 +63,8 @@ public class QuickStartParam extends VersionedAbstractParam {
 
     private static final String PARAM_CLEARED_NEWS_ITEM = PARAM_BASE_KEY + ".clearedNews";
 
+    private static final String PARAM_SCAN_POLICY_NAME = PARAM_BASE_KEY + ".scanPolicyName";
+
     /**
      * The current version of the configurations. Used to keep track of configuration changes
      * between releases, in case changes/updates are needed.
@@ -90,6 +92,7 @@ public class QuickStartParam extends VersionedAbstractParam {
     private String ajaxSpiderSelection;
     private String ajaxSpiderDefaultBrowser;
     private String clearedNewsItem;
+    private String scanPolicyName;
 
     @Override
     protected void parseImpl() {
@@ -250,6 +253,15 @@ public void addRecentUrl(String url) {
         QuickStartHelper.raiseOptionsChangedEvent();
     }
 
+    public String getScanPolicyName() {
+        return scanPolicyName;
+    }
+
+    public void setScanPolicyName(String scanPolicyName) {
+        this.scanPolicyName = scanPolicyName;
+        getConfig().setProperty(PARAM_SCAN_POLICY_NAME, scanPolicyName);
+    }
+
     public String getClearedNewsItem() {
         return clearedNewsItem;
     }

addOns/quickstart/src/main/javahelp/org/zaproxy/zap/extension/quickstart/resources/help/contents/quickstart.html

@@ -29,6 +29,12 @@ <H3>URL to attack</H3>
 This is because https://example.com/test/ is treated as a leaf node internally, which would mean that ZAP would not attack
 URLs like https://example.com/test/1 etc.
 
+<H3>Scan Policy</H3>
+
+The scan policy to use when performing the active scan.
+The last chosen policy will be used by default.
+<br><br>
+
 <H3>Use traditional spider</H3>
 
 The traditional spider explores the application by finding links in HTML pages. 

addOns/quickstart/src/main/resources/org/zaproxy/zap/extension/quickstart/resources/Messages.properties

@@ -87,6 +87,7 @@ quickstart.label.exploreurl = URL to explore:
 quickstart.label.hud = Enable HUD:
 quickstart.label.hud.warn.scope = Warning: the HUD is only enabled for URLs in scope
 quickstart.label.news = News
+quickstart.label.policy = Scan Policy:
 quickstart.label.progress = Progress:
 quickstart.label.show = Show this tab on start up:
 quickstart.label.tradspider = Use traditional spider: