Artifacts created by ZAP can be published as CI Job Artifacts
Problem to solve
Files generated by ZAP cannot automatically be published as artifacts of the CI job. This issue aims to make them available automatically by copying them to the current working directory at the end of the job.
Example
Users can generate Markdown/HTML/XML versions of the report produced by ZAP. To get this file, users need to overwrite the `script` keyword to pass in the report CLI arguments. The files must then be copied from the ZAP work directory into the current directory. It is not clear to users that this latter step is required: it is neither intuitive nor documented (as demonstrated in #198091 (closed)). We can make this much easier to configure.
From a DAST Engineer's perspective, while this is a great workaround, ideally we don't want users overwriting the `script` keyword. The DAST team might need to change the contents of the script, in which case the user's pipelines might break when they next upgrade GitLab.
This example leads to the following configuration:
```yaml
include:
  template: DAST.gitlab-ci.yml

dast:
  script:
    - export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}
    - /analyze -r report.html -t $DAST_WEBSITE
    - cp /zap/wrk/report.html "$PWD"
  artifacts:
    paths: [report.html]
```
Proposal
- #12652 (closed) will allow the user to use environment variables to generate reports
- An `after_script` will be added to the CI template DAST.gitlab-ci.yml that copies all artifacts in the /zap/wrk directory to the current directory. This runs on success/failure of the CI job.
The previous example configuration would then look something like:
```yaml
include:
  template: DAST.gitlab-ci.yml

dast:
  variables:
    DAST_ZAP_HTML_REPORT: report.html
  artifacts:
    paths: [report.html]
```
This solution is likely useful for situations other than reports. For example, the `-g` option generates a configuration file, which ZAP also writes to the work directory.
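The copy step proposed above (and the `-g` config-file case) can be written as a small POSIX shell function that an `after_script` calls. This is an added illustration, not the DAST template's own code: the function name `copy_zap_artifacts`, the defaults `/zap/wrk` and `$PWD`, and the decision to copy only regular files (not ZAP's session subdirectories) are assumptions made here. It never fails the job when the work directory is missing, so it is safe to run after a failed `/analyze`.

```shell
#!/bin/sh
# Added example (not part of DAST.gitlab-ci.yml): copy every regular file that
# ZAP wrote into its work directory to the job's working directory, so that
# GitLab can collect them with `artifacts:paths`. Meant to be called from an
# `after_script`, which GitLab runs whether the job succeeded or failed.
#
# Assumed usage in .gitlab-ci.yml (hypothetical):
#   after_script:
#     - copy_zap_artifacts /zap/wrk "$PWD"
copy_zap_artifacts() {
  src="${1:-/zap/wrk}"   # assumed default: ZAP work directory
  dst="${2:-$PWD}"       # assumed default: CI job working directory

  # If ZAP never created its work directory (e.g. the container failed before
  # /analyze ran) there is nothing to copy; do not turn that into a job failure.
  if [ ! -d "$src" ]; then
    echo "copy_zap_artifacts: work directory '$src' not found, nothing copied" >&2
    return 0
  fi

  mkdir -p "$dst"

  # Copying a directory onto itself would make cp fail; detect that case by
  # comparing the physical paths.
  src_real=$(cd "$src" && pwd -P)
  dst_real=$(cd "$dst" && pwd -P)
  if [ "$src_real" = "$dst_real" ]; then
    echo "copy_zap_artifacts: '$src' is already the working directory" >&2
    return 0
  fi

  count=0
  for f in "$src"/*; do
    # An empty directory leaves the glob unexpanded; skip the literal pattern.
    [ -e "$f" ] || continue
    # Only regular files (reports, generated config files); session
    # subdirectories are left behind.
    [ -f "$f" ] || continue
    cp "$f" "$dst/"
    count=$((count + 1))
  done
  echo "copy_zap_artifacts: copied $count file(s) from $src to $dst"
  return 0
}
```

Because the function always returns 0, a failed scan still yields whatever ZAP managed to write, which is the point of running it in `after_script` rather than in `script`.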
Intended users
What is the type of buyer?
/cc @sethgitlab /cc @derekferguson