Auto DevOps: dast job runs even if review job is disabled
Problem to solve
The `review` and `dast` jobs in Auto DevOps can be disabled using the `REVIEW_DISABLED` and `DAST_DISABLED` variables, respectively. `dast` depends on the review environment deployed by the `review` job. Disabling `review` but not `dast` leads to the `dast` job running and failing.
Further details
The `dast` job is staged after the `review` job and tests the review app. The `review` job stores the URL to the review environment in an artifact file named `environment_url.txt`. If the `review` job is disabled by setting the `REVIEW_DISABLED` variable, I believe the `dast` job should also be disabled regardless of whether or not `DAST_DISABLED` is specified, because the review environment is not available to be tested.
The `except` block for the `dast` job currently looks like this.

```yaml
except:
  refs:
    - master
  variables:
    - $DAST_DISABLED
```
Proposal
Add `$REVIEW_DISABLED` to the list of variables in `except`.

```yaml
except:
  refs:
    - master
  variables:
    - $DAST_DISABLED
    - $REVIEW_DISABLED
```
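The `except` change above gates the job declaratively. The job log further down shows why the unguarded script fails: `cat environment_url.txt` errors out, `zap-baseline.py` gets an empty `-t` and prints its usage, and the missing report file turns into `exit code 1`. The guard below is an added example, not part of the Auto DevOps template or this issue; it applies the same rule inside the job script, so the scan is skipped cleanly whenever `REVIEW_DISABLED` or `DAST_DISABLED` is set or the artifact is missing. It assumes the `review` job writes `environment_url.txt` into the job's working directory, as the issue describes, and the sample URL and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Guard for the Auto DevOps dast job (added example, not GitLab's code).
# Assumptions: the review job writes environment_url.txt into the job's
# working directory; REVIEW_DISABLED and DAST_DISABLED are the CI variables
# named in the issue.

# dast_should_run <workdir>
# Returns 0 when the scan can proceed, 1 when it must be skipped.
# Reads DAST_DISABLED, REVIEW_DISABLED and <workdir>/environment_url.txt.
dast_should_run() {
  workdir="${1:-.}"
  url_file="$workdir/environment_url.txt"

  # Explicit opt-out of DAST.
  if [ -n "${DAST_DISABLED:-}" ]; then
    echo "dast: DAST_DISABLED is set, skipping" >&2
    return 1
  fi
  # No review app means nothing to scan; this is the gap the issue describes.
  if [ -n "${REVIEW_DISABLED:-}" ]; then
    echo "dast: REVIEW_DISABLED is set, no review app to scan, skipping" >&2
    return 1
  fi
  # Even with both unset, refuse to run without a usable target URL rather
  # than letting cat fail and zap-baseline.py print its usage text.
  if [ ! -s "$url_file" ]; then
    echo "dast: $url_file missing or empty, skipping" >&2
    return 1
  fi
  target=$(head -n 1 "$url_file")
  case "$target" in
    http://*|https://*) ;;
    *) echo "dast: '$target' is not an http(s) URL, skipping" >&2; return 1 ;;
  esac
  return 0
}

# Demo mirroring the job script: a scratch workdir with a constructed
# environment_url.txt, then the scan gated on the guard.
demo() {
  tmp=$(mktemp -d)
  printf 'https://review-app.example.com\n' > "$tmp/environment_url.txt"
  if dast_should_run "$tmp"; then
    echo "would run: zap-baseline.py -t $(head -n 1 "$tmp/environment_url.txt")"
  else
    echo "dast skipped"
  fi
  rm -rf "$tmp"
}
demo
```

In a real job script, `dast_should_run . || exit 0` before the `zap-baseline.py` call turns the failure shown in the log into a successful, visibly skipped job; the `except` rule remains the better primary control because it avoids scheduling the job at all.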
What does success look like, and how can we measure that?
If the review apps are disabled using `REVIEW_DISABLED`, the `dast` job should not continue to run and fail an Auto DevOps pipeline. Running Auto DevOps with `REVIEW_DISABLED` should produce a pipeline that can succeed without further intervention.
Links / references
Example output of the `dast` job with `REVIEW_DISABLED` set.
```
Running with gitlab-runner 11.0.0 (5396d320)
on bastion fbd2738c
Using Docker executor with image registry.gitlab.com/gitlab-org/security-products/zaproxy ...
Pulling docker image registry.gitlab.com/gitlab-org/security-products/zaproxy ...
Using docker image sha256:0e87216511f144e84a006e7c978183be04c418e04a146e8ffade980ca2ee0043 for registry.gitlab.com/gitlab-org/security-products/zaproxy ...
Running on runner-fbd2738c-project-6-concurrent-0 via runner-fbd2738c-aor2-sv-1532126151-f6215be2...
Fetching changes...
Removing gl-sast-report.json
Removing sts-contract-rest/
HEAD is now at 384a966 Specify COMPOSE_FILEs for review app
Checking out 384a9666 as ci-devops-migration...
Skipping Git submodules setup
Downloading artifacts for bundle (9384)...
Downloading artifacts from coordinator... ok id=9384 responseStatus=200 OK token=W7YxzBBL
Downloading artifacts for code_quality (9386)...
Downloading artifacts from coordinator... ok id=9386 responseStatus=200 OK token=RphLeFBU
Downloading artifacts for sast (9387)...
Downloading artifacts from coordinator... ok id=9387 responseStatus=200 OK token=o9hFt5FV
Downloading artifacts for container_scanning (9388)...
Downloading artifacts from coordinator... ok id=9388 responseStatus=200 OK token=xcgK3SMk
$ # Auto DevOps variables and functions # collapsed multi-line command
$ # Oildex Auto DevOps additions # collapsed multi-line command
$ dast
cat: environment_url.txt: No such file or directory
Usage: zap-baseline.py -t <target> [options]
    -t target         target URL including the protocol, eg https://www.example.com
Options:
    -c config_file    config file to use to INFO, IGNORE or FAIL warnings
    -u config_url     URL of config file to use to INFO, IGNORE or FAIL warnings
    -g gen_file       generate default config file (all rules set to WARN)
    -m mins           the number of minutes to spider for (default 1)
    -r report_html    file to write the full ZAP HTML report
    -w report_md      file to write the full ZAP Wiki (Markdown) report
    -x report_xml     file to write the full ZAP XML report
    -J report_json    file to write the full ZAP JSON document
    -a                include the alpha passive scan rules as well
    -d                show debug messages
    -P                specify listen port
    -D                delay in seconds to wait for passive scanning
    -i                default rules not in the config file to INFO
    -j                use the Ajax spider in addition to the traditional one
    -l level          minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
    -n context_file   context file which will be loaded prior to spidering the target
    -p progress_file  progress file which specifies issues that are being addressed
    -s                short output format - dont show PASSes or example URLs
    -T                max time in minutes to wait for ZAP to start and the passive scan to run
    -z zap_options    ZAP command line options e.g. -z "-config aaa=bbb -config ccc=ddd"
Authentication:
    --auth-url                 login form URL
    --auth-username            username
    --auth-password            password
    --auth-username-field      name of username input field
    --auth-password-field      name of password input field
    --auth-submit-field        name or value of submit input
    --auth-first-page          enable two-page authentication
    --auth-first-submit-field  name or value of submit input of first page
    --auth-exclude-urls        comma separated list of URLs to exclude, supply all URLs causing logout
For more details see https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
cp: cannot stat '/zap/wrk/gl-dast-report.json': No such file or directory
ERROR: Job failed: exit code 1
```