
WIP: Enable DAST on master and production

Philippe Lafoucrière requested to merge enable_dast_for_production into master

If we want to be able to use DAST correctly on GitLab.com, we must also scan master, and therefore production. Results will appear in the MR Security Widget, Project Dashboard, and Group Dashboard only if the test is running on master.

While zaproxy runs passive checks by default (non-aggressive tests), it should be safe to run it on prod directly. Nevertheless, this change also means we're going to add a lot of traffic to https://about.gitlab.com: one scan per commit on master, so we should double-check whether we want to/can do that.

@dappelt: What do you think? (Feel free to assign to someone else if needed) /cc @skarbek for the production load risk evaluation /cc @cblake @bikebilly for info

refs https://gitlab.com/gitlab-org/gitlab-ee/issues/6236

Edited by Philippe Lafoucrière
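For reference, this is what a DAST job restricted to master looks like in `.gitlab-ci.yml`. It is an added illustration, not the change proposed in this merge request: the image path, the `/analyze -t` invocation and the `gl-dast-report.json` artifact name are assumed from the GitLab DAST job documented at the time, `website` is a placeholder, and the `only: master` rule is what ties the results to the Security Widget and dashboards as described above.

```yaml
# Added example, not the MR's own change. Assumed job shape; adjust image tag
# and target before use.
dast:
  image: registry.gitlab.com/gitlab-org/security-products/dast:latest
  variables:
    # Placeholder target; the MR discusses scanning https://about.gitlab.com.
    website: "https://example.com"
  # Passive (baseline) checks are the analyzer's default; no active-scan
  # option is set here, matching the "non-aggressive" note above.
  script:
    - /analyze -t $website
  allow_failure: true
  artifacts:
    paths: [gl-dast-report.json]
  only:
    # Runs once per commit on master, i.e. once per production deploy, which is
    # the traffic concern raised above.
    - master
```

Without the `only: master` rule the job would also run on every MR pipeline, multiplying the traffic against the target; with it, the scan frequency is exactly the master commit rate, which is the number @skarbek would need for the load evaluation.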
