WIP: Enable DAST on master and production
If we want to be able to use DAST correctly on GitLab.com, we must also scan master, and therefore production.

Results will appear in the MR Security Widget, Project Dashboard, and Group Dashboard only if the test is running on master.

Since zaproxy runs passive checks by default (non-aggressive tests), it should be safe to run it on prod directly.

Nevertheless, this change also means we're going to add a lot of traffic on https://about.gitlab.com: one scan per commit on master, so we should double-check whether we want to/can do that.
@dappelt: What do you think? (Feel free to assign to someone else if needed) /cc @skarbek for the production load risk evaluation /cc @cblake @bikebilly for info
Edited by Philippe Lafoucrière
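As an added illustration (not the MR's own diff), one way to express the proposed change in the site's `.gitlab-ci.yml`: run the DAST job only on master and keep ZAP in passive mode. It assumes the GitLab-provided DAST CI template and its `DAST_WEBSITE` / `DAST_FULL_SCAN_ENABLED` variables.

```yaml
# Added example, not the MR's own change: restrict DAST to master (which is
# what deploys to production) and keep ZAP passive so no active attack
# payloads are sent to the live site. Assumes the GitLab DAST template below.
include:
  - template: Security/DAST.gitlab-ci.yml

dast:
  variables:
    # Target the production site, as the description proposes.
    DAST_WEBSITE: https://about.gitlab.com
    # "false" = passive scan only (spider + passive rules). "true" would turn
    # on ZAP's active scanner, which the description wants to avoid on prod.
    DAST_FULL_SCAN_ENABLED: "false"
  rules:
    # Run only on master: results then reach the MR Security Widget and the
    # project/group dashboards, and production sees one scan per master commit.
    - if: '$CI_COMMIT_BRANCH == "master"'
```

If the production-traffic concern raised above needs bounding, the template's `DAST_SPIDER_MINS` variable caps how long the spider crawls per scan.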