How to fix passive scan only on Adobe Commerce (Magento)

Complement passive security scans with active Dynamic Application Security Testing (DAST) against a staging copy of your store before each release.

Steps for Adobe Commerce (Magento)

  1. Adobe Commerce (self-hosted or cloud) gives you full server access, making it the most straightforward platform for DAST. Set up a staging environment that mirrors production — same Magento version, same extensions, same configuration.
  2. Restrict staging access: configure your web server (Nginx/Apache) or CDN to whitelist only your IP for DAST traffic, and disable indexing via robots.txt on staging.
  3. Install OWASP ZAP on a local or CI machine. Set the target to your staging URL (e.g. https://staging.yourstore.com).
  4. Configure authenticated scanning: record a ZAP login script using a Magento test-customer account to allow ZAP to scan cart, checkout, customer account, and any custom REST/GraphQL API endpoints under /rest/ and /graphql.
  5. Run the Active Scan. Magento's common risk areas include custom modules, third-party extensions, and the Admin Panel URL — ensure the Admin is not on the default /admin path and is IP-restricted.
  6. Integrate ZAP CLI into your CI/CD pipeline (e.g. GitHub Actions, GitLab CI) so a DAST scan runs automatically against staging on every release branch before merge to production.
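Steps 3 to 6 above come together in the script below, an added example that is not part of this guide or of Adobe's or ZAP's own tooling. It builds the ZAP full-scan command for a CI job (Docker, the ghcr.io/zaproxy/zaproxy:stable image and its packaged zap-full-scan.py are assumed; the staging URL, context file and test-customer user name are placeholders you replace with your own), then reads the JSON report ZAP writes and fails the pipeline when any Medium or High alert is present. The report fields it reads (site, alerts, riskcode, instances) are assumed to match ZAP's traditional JSON report; the sample report at the bottom is constructed for the demonstration and does not describe a real Magento finding.

```python
"""Added example: run an authenticated ZAP active scan against a staging
Magento store from CI and gate the release on the resulting alerts.
Assumptions: Docker is available, the official ZAP image exposes
zap-full-scan.py, and the report shape follows ZAP's traditional JSON report."""
import json
import subprocess
from pathlib import Path

STAGING_URL = "https://staging.yourstore.com"   # placeholder staging URL from the guide
ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"    # assumption: official ZAP Docker image
CONTEXT_FILE = "magento-staging.context"        # placeholder: context exported from ZAP Desktop
ZAP_USER = "dast-customer"                      # placeholder: test customer defined in that context
REPORT_JSON = "zap-report.json"

# riskcode values in the ZAP JSON report: 0 Informational, 1 Low, 2 Medium, 3 High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def zap_command(workdir: str, spider_minutes: int = 10) -> list[str]:
    """Build the docker command for an authenticated full (active) scan.
    workdir is mounted at /zap/wrk so ZAP can read the context file and
    write the JSON report next to the CI checkout."""
    return [
        "docker", "run", "--rm",
        "-v", f"{workdir}:/zap/wrk:rw",
        ZAP_IMAGE, "zap-full-scan.py",
        "-t", STAGING_URL,
        "-n", CONTEXT_FILE,          # context holding the recorded Magento login
        "-U", ZAP_USER,              # scan cart/checkout/account as this customer
        "-j",                        # AJAX spider too: Magento storefront pages are JS-heavy
        "-m", str(spider_minutes),   # cap the traditional spider at N minutes
        "-J", REPORT_JSON,           # JSON report consumed by gate() below
        "-I",                        # do not fail on WARN; the gate below decides
    ]


def alerts_at_or_above(report: dict, min_risk: int) -> list[dict]:
    """Flatten the report into alerts whose riskcode is >= min_risk."""
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= min_risk:
                found.append({
                    "name": alert.get("name") or alert.get("alert"),
                    "risk": RISK_NAMES.get(risk, str(risk)),
                    "urls": [i.get("uri") for i in alert.get("instances", [])],
                })
    return found


def gate(report: dict, min_risk: int = 2) -> bool:
    """Return True when the release may proceed (nothing at min_risk or above).
    Blocking alerts are printed so they show up in the CI log."""
    blocking = alerts_at_or_above(report, min_risk)
    for a in blocking:
        print(f"[{a['risk']}] {a['name']}: {', '.join(a['urls'][:3])}")
    return not blocking


# Constructed sample in the shape of a ZAP JSON report (not a real finding):
# one High alert on a hypothetical custom module, one Low alert on the login page.
SAMPLE_REPORT = {
    "site": [{
        "@name": STAGING_URL,
        "alerts": [
            {"name": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "instances": [{"uri": f"{STAGING_URL}/example-vendor-module/search/"}]},
            {"name": "Cookie without SameSite Attribute", "riskcode": "1",
             "instances": [{"uri": f"{STAGING_URL}/customer/account/login/"}]},
        ],
    }]
}

if __name__ == "__main__":
    workdir = str(Path.cwd())
    subprocess.run(zap_command(workdir), check=False)
    report = json.loads(Path(workdir, REPORT_JSON).read_text())
    raise SystemExit(0 if gate(report) else 1)
```

Run it as the last step of the release-branch job after the staging deploy; a non-zero exit blocks the merge. The Low threshold is deliberately not blocking so that header and cookie findings (the ones a passive scan already reports) do not stall releases, while anything the active scan rates Medium or higher does.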
Official Adobe Commerce (Magento) documentation ↗

What is passive scan only?

Automated security scanners that check your live store passively — inspecting HTTP headers, TLS certificates, cookies, and DNS records — can only see what is publicly visible without logging in or submitting forms. They cannot detect deeper vulnerabilities like SQL injection, broken authentication, insecure API endpoints, or business-logic flaws. Dynamic Application Security Testing (DAST) tools, such as OWASP ZAP, actively probe a running copy of your application the way a real attacker would — sending crafted requests, testing login flows, and fuzzing inputs — to surface vulnerabilities a passive scan will never find. Running DAST against a staging environment (never your live store) gives you a much more complete security picture before code reaches customers.

Security misconfigurations and undetected vulnerabilities are the #5 risk on the OWASP Top Ten and are a leading cause of data breaches in ecommerce — exposing customer payment data, personal information, and admin credentials. A breach can result in PCI-DSS non-compliance fines, chargebacks, loss of payment-processor accounts, and severe reputational damage that directly destroys revenue. Relying solely on passive header checks leaves entire attack surfaces — checkout flows, account login, coupon logic, admin APIs — completely untested. Adding even a basic DAST scan to your pre-release checklist dramatically reduces the chance of shipping a critical vulnerability to production.

See the complete Passive scan only guide for every platform and the full background.

Not sure if your Adobe Commerce (Magento) store has this?

Run a free SEOLZ audit — we’ll find passive scan only and every other issue across your whole site.
