can we test injection attacks in API parameters with owasp zap?

I have been trying to solve some warnings from ZAP ( Medium ) but got no luck.I’m trying to run a React app ( currently testing enviroment) and despite setting CORS, Headers, and CSP on my backend ( express ) , it looks like for some URLs that i didn’t personally make (/static,/ws,/sitemap.xml I guess they are from React ) the rules wont apply