DAST for the master branch
In Auto DevOps, we run DAST only on feature branches, since we don't want to perform an attack against the production environment.
This is a safe approach, but as a result there is no DAST report we can compare to in the MR widget. It means that we cannot show new vulnerabilities introduced by our MR.
Also, we cannot know the current status for the master branch, but we should check the report from the latest feature branch. This is complex and not easy to do.
It would be good to have DAST reports also for master, so we can compare as we do for other security features.
Run DAST on master. If we don't want to run against the production environment, we could consider some different approach, like having a test instance for that.