Disable individual rules/scanners in DAST Scanner (#118641) · Issues · GitLab.org / GitLab

Disable individual rules/scanners in DAST Scanner

Problem to solve

Occasionally, given a certain site running in a particular environment, a ZAP rule will always produce a vulnerability even though the users knows it is a false positive. The user may wish to disable the particular rule.

Intended users

Further details

This has been verified that it is useful to users in the following ZAP user forum thread https://groups.google.com/forum/#!topic/zaproxy-users/p1aXvO6oWu4.

The DAST team have encountered problems with dynamic data in end to end tests that would also be solved by this issue.

Proposal

A command line argument should be provided at DAST runtime of scanner rule ID's to exclude. There should also be a way of finding out what IDs are possible to provide.

Documentation

Documentation should provide users the understand on how to use the feature.

What is the type of buyer?

Ultimate

### Problem to solve

### Intended users
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

### Further details

This has been verified that it is useful to users in the following ZAP user forum thread https://groups.google.com/forum/#!topic/zaproxy-users/p1aXvO6oWu4.

The DAST team have encountered problems with dynamic data in end to end tests that would also be solved by this issue.

### Proposal
A command line argument should be provided at DAST runtime of scanner rule ID's to exclude. There should also be a way of finding out what IDs are possible to provide.

### Documentation

Documentation should provide users the understand on how to use the feature.

### What is the type of buyer?

[Ultimate](https://about.gitlab.com/handbook/product/pricing/#four-tiers)

Edited Dec 20, 2019 by Seth Berger

Discussion
Designs