DAST and VAPT
OWASP ZAP runs after deployment to the release/Test environment, not on every source commit. Start with a baseline passive scan against the same DNS/load-balancer entry point used by users. Private environments require a runner with network access.
API scans consume approved OpenAPI specifications for externally reachable backend endpoints. Findings are tuned before becoming hard gates; high-confidence high-severity findings block release.
ZAP baseline and API reports are reimported into DefectDojo from the post-deployment workflow. Use the service Product, the DAST - release environment engagement, and stable tests such as ZAP Baseline Scan and ZAP API Scan. DefectDojo is the system of record for deduplication, finding lifecycle, and reporting; GitHub Actions remains responsible for running the scans and enforcing the release gate. See DefectDojo Integration for the required import model.
VAPT is broader than ZAP. Manual testers explore authorization, business logic, chained weaknesses, agent/tool abuse, and platform-specific behavior. Perform VAPT before major external releases, after material attack-surface changes, or on a scheduled risk-based cadence.
Import external VAPT results into a separate time-bounded engagement, for example External VAPT - 2026 Q3. Use the vendor parser where available, otherwise DefectDojo’s generic findings import. Do not mix VAPT findings into recurring CI/CD scanner tests.