Why We Should Stop or Change Mandatory ZAP DAST Scans #73
scherersebastian
started this conversation in
General
Forcing ZAP DAST scans has made things tough for developers, who often deal with integration problems on their own. This ZAP workflow
https://github.com/eclipse-tractusx/puris/blob/ci/delete-veracode/.github/workflows/owasp-dast.yaml
isn't bad itself, but it's not giving us the results we need.
This isn't the developers' fault—they're just doing what they're told without much help.
This isn't useful.
I suggest we either get rid of the DAST Quality Gate or change it to help our developers better.

Replies: 1 comment

- @scherersebastian : Yes, we had a detailed look into the ZAP tool and have already made a note that we will not mandate the use to perform authenticated scans. The decision on whether we exclude ZAP or to exclude DAST Scans itself is under consideration. It will be notified soon.