diff --git a/dist/rapidast/README.md b/dist/rapidast/README.md
new file mode 100644
index 000000000..4e3615e70
--- /dev/null
+++ b/dist/rapidast/README.md
@@ -0,0 +1,26 @@
+# RapidAST Security Scanning
+
+Run automated security scans against OpenShift APIs using RapidAST container.
+
+## Quick Start
+
+```bash
+# Pull the container
+podman pull quay.io/redhatproductsecurity/rapidast:latest
+
+# Create results directory
+mkdir -p results
+
+# Run security scan
+podman run --rm \
+ -v $(pwd)/rapidast-config.yaml:/tmp/config.yaml \
+ -v $(pwd)/results:/opt/rapidast/results \
+ quay.io/redhatproductsecurity/rapidast:latest \
+ --config /tmp/config.yaml
+```
+
+## Configuration
+
+- `rapidast-config.yaml`: Scan configuration for OpenShift upgrades API
+- Disables only cookie/session rules (appropriate for stateless APIs)
+- Uses passive scanning (safe for production)
diff --git a/dist/rapidast/rapidast-config.yaml b/dist/rapidast/rapidast-config.yaml
new file mode 100644
index 000000000..1246ed05e
--- /dev/null
+++ b/dist/rapidast/rapidast-config.yaml
@@ -0,0 +1,37 @@
+# RapidAST Configuration for OpenShift Upgrades API Security Scanning
+# This configuration is optimized for stateless REST APIs
+# - Uses passive scanning (safe for production)
+# - Disables only cookie/session rules (not applicable to stateless APIs)
+# - Provides comprehensive security coverage
+
+config:
+ configVersion: 6
+
+# Application configuration
+application:
+ shortName: "openshift-upgrades-api" # Display name for reports
+ url: "https://api.stage.openshift.com" # Base URL (without path) stage as example
+
+# General settings
+general:
+ # No authentication required for the public API
+ # For authenticated APIs, add oauth2_rtoken, http_basic, etc.
+
+# Scanner configurations
+scanners:
+ zap: # OWASP ZAP scanner
+ # OpenAPI specification-based scanning
+ apiScan:
+ apis:
+ apiUrl: "https://api.stage.openshift.com/api/upgrades_info/openapi"
+
+ # Passive scanning rules (analyzes traffic without active attacks)
+ passiveScan:
+ # Disabled rules appropriate for stateless APIs:
+ # 10054: Cookie without SameSite Attribute (not applicable)
+ # 10112: Session Management Response Identified (not applicable)
+ disabledRules: "10054,10112"
+
+ # Additional ZAP extensions
+ miscOptions:
+ additionalAddons: "ascanrulesBeta" # Beta active scan rules
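Review bot: `general:` is followed only by comment lines, so YAML parses it as `general: null` rather than an empty mapping, and a loader that expects a mapping there (for authentication or container settings) may fail or silently treat the section as unset. Either drop the key until a setting is actually needed, or make the intent explicit with `general: {}`. Separately, `additionalAddons: "ascanrulesBeta"` loads beta active-scan rules while the header comments and the README state the scan is passive-only; with no `activeScan` section present the addon appears unused, so either remove it or add a comment such as `# loaded for future activeScan use; not exercised by this passive-only config` so the "safe for production" claim stays accurate. The nesting described here is inferred from key order and comments, since the hunk's indentation was flattened in the collapsed view.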