diff --git a/docs/codacy-api/examples/triggering-dast-scans.md b/docs/codacy-api/examples/triggering-dast-scans.md index 0440d2148c..3844f87481 100644 --- a/docs/codacy-api/examples/triggering-dast-scans.md +++ b/docs/codacy-api/examples/triggering-dast-scans.md @@ -18,6 +18,19 @@ Before the automation process itself, you need to create a target. Targets are i Targets only need to be created once. Note that **targets are immutable** — if you need to change the URL, definition, or authentication, you'll need to delete the target and create a new one. +!!! important + **Do not run API scans on production enviroments as our API scanners may cause potential downtime.** + + Our DAST API scanner performs active security testing by sending a large number of requests to your application. When using authenticated API scanning, this activity can be even more intensive, as ZAP explores and probes more of your API surface. + + Depending on how your target environment is configured, this may: + + - Trigger rate limiting or throttling + - Appear as a high volume of traffic, similar to a load test + - Lead to incomplete scan results if key endpoints are blocked or limited + + We recommend running scans in a **test or staging environment**, or coordinating with your infrastructure team to ensure that your environment can safely handle the load. + To create a target, use the following API request: ```bash diff --git a/docs/organizations/managing-security-and-risk.md b/docs/organizations/managing-security-and-risk.md index 0e301e5d57..acb2e1abd5 100644 --- a/docs/organizations/managing-security-and-risk.md +++ b/docs/organizations/managing-security-and-risk.md 
@@ -587,7 +587,20 @@ Codacy supports two types of scanning: !!! note Already using ZAP? [Upload your results via the API.](../codacy-api/examples/uploading-dast-results.md) -## Creating an App Scanning target +### Creating an App Scanning target + +!!! important + **Do not run API scans on production enviroments as our API scanners may cause potential downtime.** + + Our DAST API scanner performs active security testing by sending a large number of requests to your application. When using authenticated API scanning, this activity can be even more intensive, as ZAP explores and probes more of your API surface. + + Depending on how your target environment is configured, this may: + + - Trigger rate limiting or throttling + - Appear as a high volume of traffic, similar to a load test + - Lead to incomplete scan results if key endpoints are blocked or limited + + We recommend running scans in a **test or staging environment**, or coordinating with your infrastructure team to ensure that your environment can safely handle the load. When creating a scan target, you'll be able to choose between a Web App or an API. Configuring a Web App will only require a target URL, while APIs will have other requirements: @@ -596,10 +609,7 @@ When creating a scan target, you'll be able to choose between a Web App or an AP API targets optionally support **header-based authentication**. As you create a target, keep in mind you may not be able to view or change certain fields later (to change your configurations you may need to delete and create a new target). -!!! important - Avoid running API scans on production enviroments as our API scanners may cause potential downtime. - -!!! important +!!! note If exposing your API specification isn't feasible for your team, let us know via support or your account representative.
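Review bot: the bolded lead sentence of the admonition added to docs/codacy-api/examples/triggering-dast-scans.md misspells "environments" ("Do not run API scans on production enviroments"); the misspelling is copied from the admonition being removed in managing-security-and-risk.md, so fix it in both new copies. "may cause potential downtime" is also redundant; "may cause downtime" says the same thing. Since the twelve-line admonition is now pasted verbatim into two pages, keep it in one place (for example a shared snippet both pages include) so the two copies do not drift apart. Finally, this page is about triggering DAST scans on targets in general, while the warning only names the API scanner; if Web App scans are equally intensive the admonition should say so, and if they are not, a short sentence on why the API scanner is singled out would help the reader decide what is safe to run.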
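Review bot: demoting "Creating an App Scanning target" from `##` to `###` changes the TOC nesting, so confirm the neighbouring headings in this part of managing-security-and-risk.md are at the same new level; the hunk shows only this one heading changing, and if its siblings stay at `##` this section becomes a child of the previous one while the others do not. The admonition is also inserted directly under the heading, before the sentence "When creating a scan target, you'll be able to choose between a Web App or an API." has introduced the API option it warns about; placing it after that sentence, or after the API requirements list that follows, keeps the warning next to the feature it applies to. The "enviroments" typo appears in this copy as well.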
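Review bot: the removed `!!! important` ("Avoid running API scans on production enviroments as our API scanners may cause potential downtime.") is re-added earlier in the same file with the misspelling and the "may cause potential downtime" wording preserved, so this deletion does not clean up the text it replaces; fix the new copy in the same commit. Downgrading the API specification admonition from `!!! important` to `!!! note` is reasonable since it is an offer of help rather than a risk. One inconsistency worth addressing while here: the retained context sentence "you may not be able to view or change certain fields later" is weaker than triggering-dast-scans.md, which states flatly that targets are immutable and must be deleted and recreated to change the URL, definition, or authentication; aligning the two pages avoids giving readers contradictory guidance.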