Save and display DAST site tree artifact

Problem to solve

Site tree from DAST execution is not available in GitLab to analyze exactly what was scanned by DAST

Intended users

  • Sam (Security Analyst)

Further details

Security Analysts using GitLab may need to see more details of what was scanned to be sure from a governance and compliance perspective that:

  1. The entire surface was scanned.
  2. No paths were left out inadvertently.
  3. Scans can be compared to see what may have changed, so that new vulnerabilities can be tracked for posterity.

Proposal

Currently one has to look at the DAST log file to see what the output is and identify the site tree. While this is good to have, it should be brought forward to the GitLab UI so that it becomes part of the vulnerability management process. The Security dashboard tied to the pipeline must have this as an added DAST artifact. The Project Security dashboard should reflect the site tree of the last complete DAST scan. The Group security dashboard doesn't need to show this.

Permissions and Security

Same as Security Dashboard

Documentation

Documents that will need to be updated:

  • https://docs.gitlab.com/ee/user/application_security/dast/
  • https://docs.gitlab.com/ee/user/application_security/security_dashboard/index.html

Testing

What does success look like, and how can we measure that?

Security analysts can fully adopt the GitLab Secure DAST dashboard if given a proper view of, and access to, scan artifacts. Currently, many details are lost in the Docker run of DAST and are not incorporated into the GitLab architecture.

What is the type of buyer?

Ultimate

Links / references
