Run Zap Proxy against copi in the pipeline on master. Upload result to the pre-release #2177

@sydseter

Description

We should configure ZAP proxy for automated DAST scanning by setting up a context against copi as it is running in a git workflow. We should be running spidering (AJAX) followed by active scanning to detect vulnerabilities. For CI/CD automation, we need to use the ZAP Docker container with pre-defined configuration files to run scans in headless mode. The generated reports on injection and XSS need to be uploaded to the pre-release tag.

Steps for Automated DAST Scanning

  1. Install and Start ZAP: Download the desktop or Docker version. For automation, the Docker image (owasp/zap2docker-stable) is recommended.
  2. Define the Target (Context):
     Desktop: Use the "Quick Start" tab to enter the target URL: http://127.0.0.1:4000/games/new
  3. Automation: Create a context.conf file to define the scope. We don't need authentication or session management methods.
  4. Configure Spidering (Discovery):
     Use the AJAX Spider (via Tools > AJAX Spider) to map the site.
  5. Configure Active Scan (Attacking):
  6. Configure policies to check for specific vulnerabilities (XSS, SQL Injection).
  7. Set the scan mode (e.g., to "Protected" to avoid attacking out-of-scope sites).
  8. Run the Automated Scan on master:
     Command Line/CI/CD: Use the packaged scans (Full Scan) via Docker.

```bash
# mount the working directory as /zap/wrk so the report is written outside the container, and use the host network so 127.0.0.1:4000 inside the container is the copi instance on the runner
docker run -t --network host -v "$(pwd):/zap/wrk/:rw" owasp/zap2docker-stable zap-full-scan.py -t http://127.0.0.1:4000/games/new -r copi_dast_report.html
```

  9. Upload Reports to pre-release tag: Generate HTML and JSON reports to pre-release
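As an added example (not the project's own workflow), a GitHub Actions job that wires steps 8 and 9 together: it assumes a `./start-copi.sh` start script and a `PRE_RELEASE_TAG` placeholder for the pre-release, uses `-j` so the AJAX spider runs in addition to the traditional one before the active scan, and uses the host network so the 127.0.0.1:4000 target inside the container is the copi instance on the runner.

```yaml
name: DAST (ZAP full scan) on master

on:
  push:
    branches: [master]

permissions:
  contents: write   # gh release upload needs write access to releases

jobs:
  zap-full-scan:
    runs-on: ubuntu-latest
    env:
      TARGET: http://127.0.0.1:4000/games/new
      PRE_RELEASE_TAG: vX.Y.Z-pre   # placeholder: tag of the pre-release that receives the reports
    steps:
      - uses: actions/checkout@v4

      - name: Start copi on port 4000
        run: |
          # placeholder: the project's own start command, run in the background
          ./start-copi.sh &
          # wait until the target answers before pointing ZAP at it
          for i in $(seq 1 30); do curl -fsS "$TARGET" >/dev/null && break; sleep 2; done

      - name: Run ZAP (traditional + AJAX spider, then active scan)
        run: |
          mkdir -p zap && chmod 777 zap   # the container's zap user must be able to write here
          set +e
          docker run --rm -t --network host -v "$PWD/zap:/zap/wrk/:rw" \
            owasp/zap2docker-stable zap-full-scan.py \
              -t "$TARGET" -j \
              -r copi_dast_report.html -J copi_dast_report.json
          echo "ZAP_EXIT=$?" >> "$GITHUB_ENV"

      - name: Upload reports to the pre-release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "$PRE_RELEASE_TAG" zap/copi_dast_report.html zap/copi_dast_report.json --clobber

      - name: Fail on FAIL-level alerts or scan errors (exit 2 = warnings only)
        run: |
          # zap-full-scan.py exits 0 ok, 1 FAIL, 2 WARN, 3 error; WARN stays in the report without failing the build
          if [ "$ZAP_EXIT" = "1" ] || [ "$ZAP_EXIT" = "3" ]; then exit 1; fi
```

The reports are uploaded before the job is failed so a FAIL-level result still leaves the HTML and JSON evidence on the pre-release.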

Labels: copi.owasp.org, docker (Pull requests that update Docker code), github_actions (Pull requests that update GitHub Actions code), help wanted (Extra attention is needed)