diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 464c209b08bf3017fb0b60cfd2b8b1e73936df07..881f7352f4000ec7055e4bb93c5f6c1b1ce5391d 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,8 +1,8 @@
 stages:
 - test
 - build-review
-- quality-security # TODO
 - review
+- quality-security # TODO
 - release
 
 variables:
@@ -25,37 +25,25 @@ include:
 # - 'https://git.dbogatov.org/templates/ci-snippets/raw/master/code-quality.yml'
 # - 'https://git.dbogatov.org/templates/ci-snippets/raw/master/sast.yml'
 # - 'https://git.dbogatov.org/templates/ci-snippets/raw/master/deps-scan.yml'
+# - 'https://git.dbogatov.org/templates/ci-snippets/raw/master/container-scan.yml'
 
 - 'https://git.dbogatov.org/templates/ci-snippets/raw/master/simple-website/dockerify.yml'
 - 'https://git.dbogatov.org/templates/ci-snippets/raw/master/simple-website/pages.yml'
 
-container-scan:
+dast:
   stage: quality-security
-  image: docker:stable
+  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
   variables:
-    DOCKER_DRIVER: overlay2
-    CI_APPLICATION_TAG: latest
+    website: "https://review:$AUTHPASSWORD@$CI_BUILD_REF_NAME-$CI_PROJECT_NAME.review.dbogatov.org"
   allow_failure: true
-  services:
-    - docker:stable-dind
   script:
-    - export CI_APPLICATION_REPOSITORY="registry.dbogatov.org/$REPOLOWER/review/$CI_COMMIT_REF_NAME"
-    - docker run -d --name db arminc/clair-db:latest
-    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
-    - apk add -U wget ca-certificates
-    - echo ${CI_APPLICATION_REPOSITORY}
-    - docker pull ${CI_APPLICATION_REPOSITORY}
-    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
-    - mv clair-scanner_linux_amd64 clair-scanner
-    - chmod +x clair-scanner
-    - touch clair-whitelist.yml
-    - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
-    - retries=0
-    - echo "Waiting for clair daemon to start"
-    - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
-    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY} || true
+    - mkdir /zap/wrk/
+    - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
+    - cp /zap/wrk/gl-dast-report.json .
   artifacts:
     reports:
-      container_scanning: gl-container-scanning-report.json
+      dast: gl-dast-report.json
+  when: delayed
+    start_in: 1 minutes
   tags:
   - docker