diff --git a/.github/workflows/run-ci-cd.yaml b/.github/workflows/run-ci-cd.yaml
index dda2191aaa..533f8de79f 100644
--- a/.github/workflows/run-ci-cd.yaml
+++ b/.github/workflows/run-ci-cd.yaml
@@ -602,28 +602,31 @@ jobs:
 working-directory: frontend
 run-staging-zap-baseline-scan:
- name: Run ZAP Baseline Scan
+ name: Run staging ZAP baseline scan
 needs:
 - deploy-staging-nest-proxy
 permissions:
 contents: read
 runs-on: ubuntu-latest
 steps:
- - name: Run ZAP Baseline Scan
+ - name: Check out repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+
+ - name: Run baseline scan
 uses: zaproxy/action-baseline@de8ad967d3548d44ef623df22cf95c3b0baf8b25
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 target: 'https://nest.owasp.dev'
 allow_issue_writing: false
 fail_action: false
- cmd_options: '-a -r zap-report.html'
+ cmd_options: '-a -c .zapconfig -r report.html '
- - name: Upload ZAP report
+ - name: Upload report
 if: always()
 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: zap-baseline-scan-report-${{ github.run_id }}
- path: zap-report.html
+ path: report.html
 build-production-images:
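Review bot: The new `cmd_options` value carries a trailing space inside the quotes, `'-a -c .zapconfig -r report.html '`; it is harmless to the shell split but reads as an accident and will trip trailing-whitespace linting, so use `cmd_options: '-a -c .zapconfig -r report.html'`. The identical value appears in the production job's hunk below, which needs the same fix. The added checkout step is presumably what puts `.zapconfig` into the workspace the action reads the `-c` path from, yet nothing says so, and a checkout in a job that only scans a remote URL looks removable; a one-line comment above it, `# Needed so the scan can read .zapconfig from the workspace`, would protect it from a future cleanup. The enclosing `jobs:` mapping extends beyond both hunks.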
@@ -943,25 +946,28 @@ jobs:
 run: ansible-playbook -i inventory.yaml production/proxy.yaml -e "github_workspace=$GITHUB_WORKSPACE"
 run-production-zap-baseline-scan:
- name: Run ZAP Baseline Scan
+ name: Run production ZAP baseline scan
 needs:
 - deploy-production-nest-proxy
 permissions:
 contents: read
 runs-on: ubuntu-latest
 steps:
- - name: Run ZAP Baseline Scan
+ - name: Check out repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+
+ - name: Run baseline scan
 uses: zaproxy/action-baseline@de8ad967d3548d44ef623df22cf95c3b0baf8b25
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 target: 'https://nest.owasp.org'
 allow_issue_writing: false
 fail_action: false
- cmd_options: '-a -r zap-report.html'
+ cmd_options: '-a -c .zapconfig -r report.html '
- - name: Upload ZAP report
+ - name: Upload report
 if: always()
 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
 with:
 name: zap-baseline-scan-report-${{ github.run_id }}
- path: zap-report.html
+ path: report.html
diff --git a/.zapconfig b/.zapconfig
new file mode 100644
index 0000000000..8f7501081c
--- /dev/null
+++ b/.zapconfig
@@ -0,0 +1,4 @@
+# False positive findings.
+
+# PII disclosure.
+10062 IGNORE https://nest.owasp.(dev|org)/sitemap.xml
diff --git a/cspell/custom-dict.txt b/cspell/custom-dict.txt
index 01c56a3d6b..58bc30c83a 100644
--- a/cspell/custom-dict.txt
+++ b/cspell/custom-dict.txt
@@ -145,6 +145,7 @@ xdg
 xdist
 xoxb
 xsser
+zapconfig
 zaproxy
 zsc
 éàëîôû
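Review bot: As far as the zap-baseline config format goes, a line whose second column is `IGNORE` treats everything after it as a free-text name/comment, so the URL regex `https://nest.owasp.(dev|org)/sitemap.xml` on the last line is never matched and rule 10062 (PII Disclosure) is suppressed for every URL on both the staging and production sites, not just the sitemap — a genuine PII exposure anywhere else would silently drop out of the report; please confirm against the zaproxy docs. If the per-URL exclusion the comment describes is the intent, the `OUTOFSCOPE` form does that while keeping the rule active elsewhere: `10062 OUTOFSCOPE https://nest\.owasp\.(dev|org)/sitemap\.xml` (columns tab-separated, dots escaped so the regex matches only the literal hosts). That parser also splits columns on tabs, and the collapsed diff does not show whether this line uses tabs or spaces, so verify the separators before merging. Since both jobs set `fail_action: false`, none of this changes the pipeline outcome, only what the uploaded report contains.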