Make it easier to opt-in for DAST full scans
Problem to solve
Currently, you have to opt-in manually to a full DAST scan by setting a specific environment variable: https://docs.gitlab.com/ee/user/application_security/dast/#full-scan
Some of the discussion around why we did not enable this by default is here: https://gitlab.com/gitlab-org/gitlab-ee/issues/7182#note_163978078. It largely boils down to two core issues:
- The full scan takes a significantly longer amount of time to run
- It actively tries to compromise your site, which may be undesirable if it is production
Intended users
Further details
Proposal
We should determine a way to run this out of the box on review environments. A few solutions were identified in https://gitlab.com/gitlab-org/gitlab-ee/issues/7182#note_163978078.
One option is to add a separate manual job, only relevant for Review environments, which can be triggered by hand to perform a full scan. This avoids the problem of long test runs slowing down iteration cycles with lengthy CI pipelines, and it also keeps the full scan away from environments like staging or production.
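One way to express that proposal in `.gitlab-ci.yml`, as an added example that is not from this issue or from GitLab's own templates: the default passive `dast` job from GitLab's DAST template stays as it is, and a second manual job opts in to the full scan with the documented `DAST_FULL_SCAN_ENABLED` variable, only on non-default branches. The job names, the deploy script, and the review-app URL pattern are assumptions.

```yaml
# Constructed .gitlab-ci.yml fragment: passive DAST by default, full scan on demand.
include:
  - template: DAST.gitlab-ci.yml   # defines the `dast` job (passive scan unless opted in)

stages: [build, test, deploy, dast]

# Review-app deployment for feature branches (deploy script is a placeholder).
review:
  stage: deploy
  script:
    - ./deploy-review-app.sh       # assumed script, not part of the original issue
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.review.example.com   # assumed URL pattern
  rules:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'

# Opt-in full (active) scan. `extends: dast` reuses the template's image and script;
# the `rules` below replace the template's so the job is never offered on the
# default branch (staging/production) and never runs unless someone clicks it.
dast_full_scan:
  extends: dast
  stage: dast
  needs: ["review"]                # only after the review app exists
  variables:
    DAST_WEBSITE: https://$CI_COMMIT_REF_SLUG.review.example.com  # must match the review app
    DAST_FULL_SCAN_ENABLED: "true"                                # the documented opt-in
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      when: never                  # active scanning of production-like targets is excluded
    - if: '$CI_COMMIT_BRANCH'
      when: manual                 # appears as a play button in the pipeline
      allow_failure: true          # a pending manual job must not block the pipeline
```

The regular `dast` job keeps running on every branch with its short passive scan, so pipeline duration for normal iteration is unchanged; only the explicitly triggered job pays the cost of the full scan.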
Permissions and Security
Since the full scan actively tries to compromise the various pages, we should be careful about what it is run against.