Verified Commit 00c39369 authored by Jon Glassman, committed by GitLab

Merge branch 'rd-499199-remove-mention-of-proxy-based-DAST' into 'master'

Remove mention of proxy-based DAST

See merge request !172215



Merged-by: Jon Glassman <jglassman@gitlab.com>
Approved-by: David Nelson <dnelson@gitlab.com>
Approved-by: Jon Glassman <jglassman@gitlab.com>
Reviewed-by: David Nelson <dnelson@gitlab.com>
Co-authored-by: Russell Dickenson <rdickenson@gitlab.com>
parents 2997d531 4ee6929d
Pipeline #1540276786 passed
        ......@@ -62,7 +62,6 @@ listed here that also do not work properly in FIPS mode:
        - [Container Scanning](../user/application_security/container_scanning/index.md) support for scanning images in repositories that require authentication.
        - [Code Quality](../ci/testing/code_quality.md) does not support operating in FIPS-compliant mode.
        - [Dependency scanning](../user/application_security/dependency_scanning/index.md) support for Gradle.
        - [Dynamic Application Security Testing (DAST)](../user/application_security/dast/proxy-based.md) supports a reduced set of analyzers. The proxy-based analyzer and on-demand scanning is not available in FIPS mode today, however browser-based DAST, API security testing, and API fuzzing images are available.
        - [Solutions for vulnerabilities](../user/application_security/vulnerabilities/index.md#resolve-a-vulnerability)
        for yarn projects.
        - [Static Application Security Testing (SAST)](../user/application_security/sast/index.md)
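Review bot: deleting the whole DAST bullet also drops the statement that on-demand scanning is not available in FIPS mode; if that limitation still applies to browser-based DAST, keep a shorter bullet that says so rather than removing DAST from the list entirely, and if it no longer applies, the commit message should state that. Any retained bullet should link to the browser-based DAST page, since `dast/proxy-based.md` is exactly the page this merge request is removing references to.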
        ......
        ......@@ -33,10 +33,11 @@ type: reference, howto
        ## Recommendations
        - Configure runners to use the [always pull policy](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy) to run the latest versions of the analyzers.
        - By default, API Fuzzing downloads all artifacts defined by previous jobs in the pipeline. If
        your API Fuzzing job does not rely on `environment_url.txt` to define the URL under test or any other files created
        in previous jobs, we recommend you don't download artifacts. To avoid downloading
        artifacts, extend the analyzer CI/CD job to specify no dependencies. For example, for the DAST proxy-based analyzer add the following to your `.gitlab-ci.yml` file:
        - By default, API Fuzzing downloads all artifacts defined by previous jobs in the pipeline. If your
        API Fuzzing job does not rely on `environment_url.txt` to define the URL under test or any other
        files created in previous jobs, you should not download artifacts. To avoid downloading artifacts,
        extend the analyzer CI/CD job to specify no dependencies. For example, for the API fuzzing
        analyzer, add the following to your `.gitlab-ci.yml` file:
        ```yaml
        apifuzzer_fuzz:
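Review bot: the rewritten sentence now names the API fuzzing analyzer, which fixes the copied reference to the "DAST proxy-based analyzer" and matches the `apifuzzer_fuzz` job below it. The visible part of the fence stops at the job key, so check that the block that follows sets `dependencies: []` (the GitLab CI keyword for an empty dependency list), as the sentence "extend the analyzer CI/CD job to specify no dependencies" promises.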
        ......
        ......@@ -33,10 +33,11 @@ type: reference, howto
        ## Recommendations
        - Configure runners to use the [always pull policy](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy) to run the latest versions of the analyzers.
        - By default, API security testing downloads all artifacts defined by previous jobs in the pipeline. If
        your DAST job does not rely on `environment_url.txt` to define the URL under test or any other files created
        in previous jobs, we recommend you don't download artifacts. To avoid downloading
        artifacts, extend the analyzer CI/CD job to specify no dependencies. For example, for the DAST proxy-based analyzer add the following to your `.gitlab-ci.yml` file:
        - By default, API security testing downloads all artifacts defined by previous jobs in the pipeline.
        If your DAST job does not rely on `environment_url.txt` to define the URL under test or any other
        files created in previous jobs, you should not download artifacts. To avoid downloading artifacts,
        extend the analyzer CI/CD job to specify no dependencies. For example, for the API security
        testing analyzer, add the following to your `.gitlab-ci.yml` file:
        ```yaml
        api_security:
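Review bot: the rewritten line "If your DAST job does not rely on `environment_url.txt`" still says "DAST job", although this bullet is about the API security testing analyzer and the job shown is `api_security`; suggest "If your API security testing job does not rely on ..." so the paragraph no longer mixes analyzer names the way the old version did with "DAST proxy-based analyzer".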
        ......
        ......@@ -18,7 +18,7 @@ Only run DAST scans against a test server.
        ## On-demand scans
        > - Runner tags selection [enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111499) in GitLab 16.3.
        > - Browser based on-demand DAST scans available from GitLab 17.0 since [proxy-based DAST was removed in the same version](../../../update/deprecations.md#proxy-based-dast-deprecated).
        > - Browser based on-demand DAST scans available in GitLab 17.0 and later because [proxy-based DAST was removed in the same version](../../../update/deprecations.md#proxy-based-dast-deprecated).
        An on-demand DAST scan runs outside the DevOps lifecycle. Changes in your repository don't trigger
        the scan. You must either start it manually, or schedule it to run. For on-demand DAST scans,
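Review bot: "Browser based" should be hyphenated as "Browser-based" in the new history note, matching the "browser-based" spelling used elsewhere in these docs (for example in the vulnerability scanners table); the rewording to "available in GitLab 17.0 and later because" otherwise reads correctly.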
        ......
        ......@@ -115,7 +115,7 @@ The following vulnerability scanners and their databases are regularly updated:
        |:----------------------------------------------------------------|:---------------------------------|
        | [Container Scanning](container_scanning/index.md) | A job runs on a daily basis to build new images with the latest vulnerability database updates from the upstream scanner. GitLab monitors this job through an internal alert that tells the engineering team when the database becomes more than 48 hours old. For more information, see the [Vulnerabilities database update](container_scanning/index.md#vulnerabilities-database). |
        | [Dependency Scanning](dependency_scanning/index.md) | Relies on the [GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db). It is updated on a daily basis using [data from NVD, the `ruby-advisory-db` and the GitHub Advisory Database as data sources](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/SOURCES.md). |
        | [Dynamic Application Security Testing (DAST)](dast/index.md) | [DAST proxy-based](dast/browser/index.md) and [browser-based](dast/browser/index.md) engines are updated on a periodic basis. [DAST proxy-based](dast/browser/index.md) analyzer downloads the scanning rules at scan runtime. See the [version of the underlying tool `zaproxy`](https://gitlab.com/gitlab-org/security-products/dast/blob/main/Dockerfile#L27). [DAST browser-based](dast/browser/index.md) rules run [different vulnerability checks](dast/browser/checks/index.md). |
        | [Dynamic Application Security Testing (DAST)](dast/index.md) | [DAST](dast/browser/index.md) analyzer is updated on a periodic basis. |
        | [Secret Detection](secret_detection/pipeline/index.md#detected-secrets) | GitLab maintains the [detection rules](secret_detection/pipeline/index.md#detected-secrets) and [accepts community contributions](secret_detection/pipeline/index.md#add-new-patterns). The scanning engine is updated at least once per month if a relevant update is available. |
        | [Static Application Security Testing (SAST)](sast/index.md) | The source of scan rules depends on which [analyzer](sast/analyzers.md) is used for each [supported programming language](sast/index.md#supported-languages-and-frameworks). GitLab maintains a ruleset for the Semgrep-based analyzer and updates it regularly based on internal research and user feedback. For other analyzers, the ruleset is sourced from the upstream open-source scanner. Each analyzer is updated at least once per month if a relevant update is available. |
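Review bot: the new DAST row is vaguer than its neighbours: the Container Scanning, Dependency Scanning, Secret Detection and SAST rows each state an update cadence (daily, at least once per month), while the new row only says "updated on a periodic basis" and drops the link to the list of vulnerability checks (`dast/browser/checks/index.md`) that the old row carried. Suggest keeping the checks link and stating how often the browser-based analyzer is updated. Removing the `zaproxy` Dockerfile reference and the "DAST proxy-based" links that pointed at the browser-based page is correct.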
        ......