Update DAST airgapped to not override the script
The current DAST documentation recommends overriding the script value to run the tool in air-gapped mode: https://docs.gitlab.com/ee/user/application_security/dast/#running-dast-in-an-offline-air-gapped-installation
This should be changed so that the script value is left untouched and only an environment variable is set. Inside the template, that environment variable is then used to determine how to call the analyzer.
This reduces the complexity of the setup for customers and lets the template's script value change in future releases without concern that users have overridden it.
As is
To get air-gapped support today, users must override the job and copy the script:

include:
  - template: DAST.gitlab-ci.yml

dast:
  image: registry.example.com/namespace/dast:latest
  script:
    - export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}
    - /analyze -t $DAST_WEBSITE --auto-update-addons false -z"-silent"
Proposal
- When auto-update-addons is configured to false, DAST automatically applies the -silent ZAP configuration.
- An environment variable alias is added for DAST_AUTO_UPDATE_ADDONS. This could be called DAST_OFFLINE_MODE to clearly capture the intent of what it does.
- In a future release, deprecate the use of the DAST_AUTO_UPDATE_ADDONS environment variable name. Add this to #211881 (closed).
This would lead to the following configuration for offline DAST:

include:
  - template: DAST.gitlab-ci.yml

variables:
  DAST_OFFLINE_MODE: true
The image: key does not need to be set, because MR !28617 (merged) will resolve updating the image.
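To make the proposal concrete, here is an added example (not code from the GitLab DAST template or the analyzer image) of the template-side logic that would replace the user-overridden script: it resolves DAST_WEBSITE with the same environment_url.txt fallback the current override uses, then derives the analyzer arguments from DAST_OFFLINE_MODE, with the legacy DAST_AUTO_UPDATE_ADDONS honoured only when the new alias is unset. The function names and the precedence rule are assumptions for illustration; DAST_WEBSITE, DAST_OFFLINE_MODE, DAST_AUTO_UPDATE_ADDONS, --auto-update-addons and -z-silent are the names from the page (the original script's -z"-silent" reaches /analyze as the single argument -z-silent).

```sh
#!/bin/sh
# Added example, not GitLab's template code: how a template could build the
# /analyze invocation from environment variables instead of requiring users
# to copy and override `script:`. Function names and the precedence between
# DAST_OFFLINE_MODE and DAST_AUTO_UPDATE_ADDONS are assumptions.

# Return 0 when a CI variable value reads as true ("true", "1", "yes").
is_true() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    true|1|yes) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the target site: explicit DAST_WEBSITE wins, otherwise fall back to
# the environment_url.txt written by a review-app deploy job.
# Args: $1 = DAST_WEBSITE value, $2 = path to environment_url.txt
resolve_dast_website() {
  if [ -n "$1" ]; then
    printf '%s\n' "$1"
  elif [ -r "$2" ]; then
    head -n 1 "$2"
  else
    echo "error: DAST_WEBSITE is unset and $2 is missing" >&2
    return 1
  fi
}

# Print the argument list the template would pass to /analyze.
# Args: $1 = website, $2 = DAST_OFFLINE_MODE, $3 = DAST_AUTO_UPDATE_ADDONS (legacy)
dast_analyze_args() {
  website="$1"; offline="$2"; legacy_update="$3"
  update_addons=true
  if [ -n "$offline" ]; then
    # New alias set: offline mode means no add-on updates.
    if is_true "$offline"; then update_addons=false; fi
  elif [ -n "$legacy_update" ]; then
    # Alias unset: honour the legacy variable until it is deprecated.
    if is_true "$legacy_update"; then update_addons=true; else update_addons=false; fi
  fi
  args="-t $website --auto-update-addons $update_addons"
  # Per the proposal, disabling add-on updates implies ZAP's -silent option,
  # so the user no longer has to pass -z"-silent" themselves.
  if [ "$update_addons" = false ]; then
    args="$args -z-silent"
  fi
  printf '%s\n' "$args"
}

# Stand-alone demo with constructed values (no environment_url.txt needed).
demo_site=$(resolve_dast_website "http://review-app.example.test" "environment_url.txt")
echo "offline:  /analyze $(dast_analyze_args "$demo_site" true '')"
echo "online:   /analyze $(dast_analyze_args "$demo_site" '' '')"
```

In the real template the last lines would become the job's script entries, e.g. `/analyze $(dast_analyze_args "$DAST_WEBSITE" "${DAST_OFFLINE_MODE:-}" "${DAST_AUTO_UPDATE_ADDONS:-}")`, so a user setting only DAST_OFFLINE_MODE: true gets exactly the offline invocation that today requires copying the script.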