Hi Os. I think that (temporarily) whitelisting the IP of the scanner could work for you.
However, I would encourage you to have a higher level discussion as to the purpose of the scan. Do you want to know all the potential problems in the software? Or do you want to know about potential vulnerabilities in your environment as a whole?
Usually the scanner vendors tell you to turn off your protection so that they can generate a longer report. However, ask the question, "If we managed to find a vulnerability in the site, but CloudWAF protected it, would we really dedicate significant resources to fixing it?"
Maybe you would if you are focused on secure coding practices, or if the code may deployed other places without a WAF. However, in these cases, most customers will run their tests in a dedicated testing environment.
Most of the time, the organization is really concerned about what vulnerabilities you may have that CloudWAF ISN'T blocking. (default passwords, bad application logic, etc.)
Jim