Make DAST job using GIT_STRATEGY: none when relevant
Problem to solve
When the DAST analysis CI job is fired, the repository is cloned so that the job can access its content. This is useless for now, as we don't provide any way to customize the DAST analysis by leveraging a config file within the repository.
There are, however, open issues (e.g. https://gitlab.com/gitlab-org/gitlab-ee/issues/9904) about adding such support, so it may become necessary to have access to the repository content in some cases.
Intended users
Developers
Proposal
Make GIT_STRATEGY none by default in the vendored template unless there is a reason to do otherwise (e.g. a config file option is given).
Not 100% sure this is achievable though, we need to dig into CI config options.
Documentation
We may update https://docs.gitlab.com/ee/ci/examples/dast.html
What does success look like, and how can we measure that?
The DAST job only clones the repository when this is relevant.
What is the type of buyer?
Implementation plan
- Add the GIT_STRATEGY variable to the DAST.gitlab-ci.yml template
- Verify locally that the repository is not cloned
- Verify locally that a user can extend the dast job to have the repository be cloned
- Add documentation to https://docs.gitlab.com/ee/user/application_security/dast/#configuration describing that the repository is not cloned by default and how it can be cloned
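As an added illustration of the proposal and the plan above (not the actual vendored template or any existing project file), the template's dast job sets GIT_STRATEGY: none and a project that needs the checkout overrides only that variable in its own .gitlab-ci.yml. The job keys, the DAST_WEBSITE variable and the report file name are assumed for the example.

```yaml
# Assumed shape of the vendored template (DAST.gitlab-ci.yml): skip the checkout,
# because the job only needs the target URL, not the repository content.
dast:
  stage: dast
  variables:
    GIT_STRATEGY: none       # no clone and no fetch; the runner does no git operations
    DAST_WEBSITE: ""         # assumed variable name: the site the analyzer scans
  script:
    - echo "Scanning $DAST_WEBSITE"   # placeholder for the analyzer invocation
  artifacts:
    reports:
      dast: gl-dast-report.json       # assumed report file name

---
# Second file, the project's own .gitlab-ci.yml: include the template and
# override the variable so the repository is cloned for this job only.
# Job-level `variables` from an include are merged with the local ones,
# so only the keys set here change.
include:
  - template: DAST.gitlab-ci.yml

dast:
  variables:
    GIT_STRATEGY: fetch      # constructed override: restore the checkout
    DAST_WEBSITE: https://staging.example.com   # constructed sample target
```

With GIT_STRATEGY: none the runner performs no git operations at all, so the working directory may still hold files left by an earlier job on the same runner; the job must not depend on anything being present, or absent, in it.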