DAST fails when using only DAST_WEBSITE
Summary
DAST should support DAST_WEBSITE var instead of the -t [url], but fails when using it.
Steps to reproduce
docker run \
--interactive --tty --rm \
--volume "$PWD":/output \
-w /output \
-e DAST_WEBSITE=http://example.com \
registry.gitlab.com/gitlab-org/security-products/dast:${VERSION:-latest} /analyze
Example Project
N/A
What is the current bug behavior?
will fail with:
Waiting for https://dev.gitlab.org/ to be available...
ZAP Baseline Scan started
Usage: zap-baseline.py -t <target> [options]
-t target target URL including the protocol, eg https://www.example.com
Options:
-h print this help message
[...]
What is the expected correct behavior?
Should scan http://example.com
Possible fixes
This is because of https://gitlab.com/gitlab-org/security-products/dast/blob/8edc7a8203638948fd1aacca28b2809ffd45bd76/analyze#L49
zap-baseline always expects a -t parameter.
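One way a wrapper could guarantee that zap-baseline always receives a -t, falling back to DAST_WEBSITE when the caller gave none. This is an added example, not the project's analyze script; the function name build_zap_args and the sample URLs are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's analyze script).
# build_zap_args prints, one per line, the arguments to pass to zap-baseline.py.
# It guarantees a "-t <target>" pair: an explicit -t wins, otherwise the
# DAST_WEBSITE environment variable is used. Returns 2 when no usable target exists.
build_zap_args() {
    target=""
    has_target=0
    prev=""
    # Look for an explicit "-t <value>" pair among the caller's arguments.
    for arg in "$@"; do
        if [ "$prev" = "-t" ]; then
            target=$arg
            has_target=1
        fi
        prev=$arg
    done
    # A trailing "-t" with no value is an error, not a reason to fall back.
    if [ "$prev" = "-t" ]; then
        echo "-t given without a target URL" >&2
        return 2
    fi
    if [ "$has_target" -eq 0 ]; then
        if [ -z "${DAST_WEBSITE:-}" ]; then
            echo "no target: pass -t <url> or set DAST_WEBSITE" >&2
            return 2
        fi
        target=$DAST_WEBSITE
        # Prepend the pair so zap-baseline.py sees the -t it requires.
        set -- -t "$target" "$@"
    fi
    # The zap-baseline usage text asks for a URL "including the protocol".
    case $target in
        http://?*|https://?*) ;;
        *)
            echo "target must include the protocol: $target" >&2
            return 2
            ;;
    esac
    printf '%s\n' "$@"
}
```
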