diff --git a/src/zap.conf b/src/zap.conf
index e384e3518..04a5d8eac 100644
--- a/src/zap.conf
+++ b/src/zap.conf
@@ -48,7 +48,7 @@
 10038 OUTOFSCOPE http://app:8080/public/img/.*
 10038 OUTOFSCOPE http://app:8080/public/css/.*
 10038 OUTOFSCOPE http://app:8080/public/js/.*
-10038 OUTOFSCOPE http://app:8080/(robots.txt|sitemap.xml)
+10038 OUTOFSCOPE http://app:8080/(robots.txt|sitemap.xml|TODO)
 # OIDC isn't configured in the test environment and DEBUG=True so this gives a 500 without CSP headers
 10038 OUTOFSCOPE http://app:8080/openid/login/
 10039 FAIL (X-Backend-Server Header Information Leak - Passive/beta)
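Review bot: The `|TODO` alternative added to the rule-10038 OUTOFSCOPE regex is a literal placeholder, so as committed it exempts a URL path `/TODO` from the scan (rule 10038 appears to be the CSP-header check, going by the neighbouring comment) rather than whatever resource was actually meant; either substitute the intended path or leave the line as `10038 OUTOFSCOPE http://app:8080/(robots.txt|sitemap.xml)` until it is known. Each exemption widens what the baseline scan will not report, so the new entry deserves the same kind of justification the `openid/login/` line has, e.g. `# <path> is served without CSP because <reason — fill in>` placed above it. While this line is being rewritten, the unescaped dots in `robots.txt|sitemap.xml` match any character; `robots\.txt|sitemap\.xml` would make the exemption as narrow as intended, though the practical difference here is likely small.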