Support IAST vulnerabilities
Problem to solve
Users would like to add vulnerabilities in GitLab that do not fall under the current categories (SAST, Dependency Scanning, etc.). In this issue, the vulnerabilities come from an IAST scanner.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sam (Security Analyst)
Further details
Some IAST findings could be partially mapped onto SAST ones, but they would lose the fields specific to IAST (for example the runtime request that triggered the finding). We can't create a single generic issue to add all kinds of vulnerabilities, as we need to store each kind's data and render it correctly.
Proposal
Supporting IAST means:
- creating a new common report format
- parsing it and storing the data
- rendering the data correctly in the UI
Therefore, users would have the ability to create jobs like:
custom_IAST:
  stage: test
  image: someimage
  script:
    - do stuff
  artifacts:
    reports:
      iast: iast-report.json
Submitting results through the API is a different matter, since these results should also be displayed in the Merge Request Security Widget.
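To make the "parse it and store the data" step concrete, here is an added example (not GitLab code) of a parser that normalizes IAST findings and rejects malformed entries instead of storing them. The report layout is an assumption: a top-level "version" and a "vulnerabilities" list whose entries carry the fields shared with SAST (id, category, severity, message, location) plus IAST-only runtime context ("request" and "stack_trace").

```python
import json
from dataclasses import dataclass, field

# Constructed sample report; the layout (version + vulnerabilities list with
# SAST-like fields plus IAST-only request/stack_trace) is an ASSUMPTION.
SAMPLE_REPORT = json.dumps({
    "version": "1.0",
    "vulnerabilities": [
        {"id": "iast-0001", "category": "iast", "severity": "High",
         "message": "SQL query built from untrusted input",
         "location": {"file": "app/models/user.rb", "start_line": 42},
         "request": {"method": "GET", "url": "/users?name=..."},
         "stack_trace": ["user.rb:42", "users_controller.rb:17"]},
        # Malformed entry: no severity, so it must be reported, not stored.
        {"id": "iast-0002", "category": "iast",
         "message": "Reflected input in HTTP response",
         "location": {"file": "app/views/search.erb", "start_line": 8},
         "request": {"method": "POST", "url": "/search"}},
    ],
})

REQUIRED = ("id", "category", "severity", "message", "location", "request")

@dataclass
class Finding:
    """Normalized record: the common fields plus IAST runtime context."""
    id: str
    severity: str
    message: str
    file: str
    line: int
    request: str                      # IAST-specific: request that triggered it
    stack_trace: list = field(default_factory=list)  # IAST-specific

def parse_iast_report(text):
    """Return (findings, errors): normalized findings, plus rejected entries with the fields they lack."""
    report = json.loads(text)
    findings, errors = [], []
    for i, v in enumerate(report.get("vulnerabilities", [])):
        missing = [k for k in REQUIRED if k not in v]
        if missing or v.get("category") != "iast":
            errors.append((v.get("id", f"entry-{i}"), missing or ["category"]))
            continue
        loc, req = v["location"], v["request"]
        findings.append(Finding(v["id"], v["severity"], v["message"],
                                loc["file"], loc["start_line"],
                                f'{req["method"]} {req["url"]}',
                                list(v.get("stack_trace", []))))
    return findings, errors
```

The `errors` list is what the pipeline job would surface to the user, while `findings` is what would be stored and later rendered in the widget.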
Permissions and Security
This would run in the pipeline only, with the same permissions model as SAST, Dependency Scanning, etc.
Documentation
Create a page for IAST containing only the JSON report format, until https://about.gitlab.com/direction/secure/dynamic-analysis/iast/ is released.
Availability & Testing
TBD
What does success look like, and how can we measure that?
- Number of findings of type IAST