At the moment the ZAProxy plugin does not fail the build if alerts are discovered, which means it's difficult to tell when a new vulnerability is detected. Once we have the ability to indicate a list of accepted alerts (see https://github.com/zaproxy/zaproxy/issues/1843) I think we should fail the build if ZAP finds any alerts. We should probably allow this behaviour to be configured within the job though.