To add to this:
The scope of the scanner (or better of the NASL scripts used by it) is currently to find “known vulnerabilities in known software” (e.g. defined by CVEs, vendor advisories about vulnerabilities and similar).
Detection of “unknown” / not published vulnerabilities in unknown software (e.g. a custom web application existing on /webapp) is currently outside of the scope and would require a previously mentioned HTTP / Web Application Scanner.
There are still HTTP based checks done for “known vulnerabilities in known software” if there is a software like e.g. WordPress installed on /webapp.
For such cases and if /webapp wasn’t detected the additional directory could be added to the following scanner preferences (see GSM Manual for more info) within the used scan config (description from man openvas):
cgi_path
By default, openvas looks for default CGIs in /cgi-bin and /scripts. You may change these to something else to reflect the policy of your site. The syntax of this option is the same as the
shell $PATH variable: path1:path2:...
As an additional reference something similar had been also discussed in the scope of API scanning capabilities here: