What I'm doing is:
Starting ZAP to listen on some port
zap.bat -daemon -host localhost -port 2355 -config api.disablekey=true
Starting new session
curl -X GET "http://localhost:2355/JSON/core/action/newSession/?zapapiformat=JSON&formMethod=GET&name=&overwrite=" -H "cache-control: no-cache"
Through the REST service, giving it a context which includes only one URL pattern
curl -X GET "http://localhost:2355/JSON/context/action/importContext/?zapapiformat=JSON&formMethod=GET&contextFile=some-test-context.context" -H "cache-control: no-cache"
HERE I launch a Selenium test with the browser bound to the proxy on port 2355
Starting spider
curl -X GET "http://localhost:2355/JSON/spider/action/scan/?zapapiformat=JSON&apikey=&formMethod=GET&url=&maxChildren=&recurse=&contextName=some-test-context&subtreeOnly=" -H "cache-control: no-cache"
Starting active scan
curl -X GET "http://localhost:2355/JSON/ascan/action/scan/?zapapiformat=JSON&apikey=&formMethod=GET&url=&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId=2" -H "cache-control: no-cache"
(2, because there is always a context with id #1, the Default one)
And in the end I'm getting the report
curl -X GET "http://localhost:2355/OTHER/core/other/htmlreport/?formMethod=GET" -H "cache-control: no-cache" -H "content: application/json"
I'm pretty sure the context path is correct and exists (no read error). I'm pretty sure I specified the correct context name and id.
Anyway, when I get the report, there are scan results NOT only on the URL from the context, but also on production links, 3rd party sites, etc.
Am I expecting something wrong or forgetting something?
The browser will be requesting those URLs. ZAP will perform passive scanning on all requests that are proxied through it, and any potential vulnerabilities it finds will end up in the report. So it's working as expected :)
You can either just ignore them or use one of the optional add-ons that allow you to filter the report.
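Since passive-scan alerts are raised on every proxied request, one way to act only on in-context findings is to pull the alert list over the same JSON API used above and filter it client-side by the context's include pattern. This is an added example, not code from the thread or from ZAP; it assumes ZAP's `core/view/alerts` view (a real API view, but not one the thread uses), and the include regex and the sample alerts are constructed.

```python
import json
import re
import urllib.request
from urllib.parse import urlencode

# Hypothetical include pattern, in the regex form ZAP context files use for "Include in context".
# Assumed here to stand in for the single URL pattern of some-test-context.context.
CONTEXT_INCLUDE = [r"https://app\.example\.test/.*"]

# Constructed sample in the shape ZAP returns from core/view/alerts, trimmed to the fields used below.
# It mixes in-context findings with passive-scan findings on third-party and production hosts.
SAMPLE_ALERTS = {"alerts": [
    {"url": "https://app.example.test/login", "risk": "Medium", "alert": "X-Frame-Options Header Not Set"},
    {"url": "https://cdn.thirdparty.test/lib.js", "risk": "Low", "alert": "Cache-control header missing"},
    {"url": "https://app.example.test/api/users?id=1", "risk": "High", "alert": "SQL Injection"},
    {"url": "https://www.production.example/", "risk": "Informational", "alert": "Server leaks version"},
]}


def in_scope(url, include_patterns):
    """True if the URL matches one of the context's include regexes (whole-URL match, as ZAP does)."""
    return any(re.fullmatch(p, url) for p in include_patterns)


def filter_alerts(alerts_json, include_patterns):
    """Keep only alerts whose URL is inside the context; the rest is noise from other proxied traffic."""
    return [a for a in alerts_json["alerts"] if in_scope(a["url"], include_patterns)]


def summarize(alerts):
    """Count the kept alerts per risk level, e.g. {'Medium': 1, 'High': 1}."""
    counts = {}
    for a in alerts:
        counts[a["risk"]] = counts.get(a["risk"], 0) + 1
    return counts


def fetch_alerts(base="http://localhost:2355", start=0, count=1000):
    """Pull one page of alerts from a running ZAP over its JSON API (api.disablekey=true, as in the thread)."""
    query = urlencode({"zapapiformat": "JSON", "start": start, "count": count})
    with urllib.request.urlopen(f"{base}/JSON/core/view/alerts/?{query}") as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_alerts() against the daemon from the thread.
    kept = filter_alerts(SAMPLE_ALERTS, CONTEXT_INCLUDE)
    for a in kept:
        print(f"{a['risk']:<13} {a['url']}  ({a['alert']})")
    print(summarize(kept))
```

Raise the `count` or page with `start` if the session has more alerts than one call returns.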