diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 990e1cc..79f9768 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -59,7 +59,7 @@ jobs:
           # Aguardar 5 segundos para o servidor Nginx iniciar
           sleep 5
 
-     # ==========================================
+    # ==========================================
       # ETAPA 3: DAST - TESTE DINÂMICO (OWASP ZAP)
       # ==========================================
       - name: OWASP ZAP Baseline Scan
@@ -69,11 +69,11 @@ jobs:
           mkdir -p /tmp/zap-share
           chmod 777 /tmp/zap-share
           
-          # LIMPEZA PREVENTIVA: Remove o container zap-scanner de execuções passadas, se existir
+          # LIMPEZA PREVENTIVA
           docker rm -f zap-scanner || true
           
-          # Corremos o ZAP apontando o volume para /tmp/zap-share
-          docker run --name zap-scanner \
+          # Corremos o ZAP com "--user root" para evitar erros de permissão (AccessDenied)
+          docker run --user root --name zap-scanner \
             --link website-test-sandbox:website-test-sandbox \
             -v /tmp/zap-share:/zap/wrk/:rw \
             -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \