DAST should get the URL for an environment to scan from a dotenv file
Problem to solve
In GitLab 12.9, support was added to Review Apps for dynamic environments:

```yaml
review:
  script:
    - DYNAMIC_ENVIRONMENT_URL=$(deploy-script)                                 # In script, get the environment URL.
    - echo "DYNAMIC_ENVIRONMENT_URL=$DYNAMIC_ENVIRONMENT_URL" >> deploy.env  # Add the value to a dotenv file.
  artifacts:
    reports:
      dotenv: deploy.env
```
At the time of writing, the DAST Target Website can be supplied using the following strategies:

- The `DAST_WEBSITE` environment variable can be set
- A file called `environment_url.txt` can contain the URL (this can be a Job Artifact from a previous build, or part of the user's repository)
- The `script` section of the `dast` job can be overwritten, and the Website can be passed in using `-t`
Adding the ability to use previously defined dotenv report files to configure the DAST Website may be a nice quality of life change for users who adopt this functionality.
Intended users
Further details
- This is likely a better replacement for the current `environment_url.txt` file strategy, as many variables can be defined in one file
- If `DAST_WEBSITE` is defined in the file, it may work already
- It may be that there emerges a convention to set the environment url in a specific variable, e.g. `ENVIRONMENT_URL`. If so, DAST should use this variable.
- It is likely worth prioritizing approaches to set the DAST target and documenting the order of priority.
- It is likely worth considering extracting the host/port from the environment URL and automatically setting the `DAST_API_HOST_OVERRIDE`. That way, if the user decides to run an API scan the host is set correctly.
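As an added illustration of the two points above (not GitLab's own code), the shell functions below resolve the DAST target from the sources listed in this issue and derive a host[:port] value for `DAST_API_HOST_OVERRIDE`. The priority order (`DAST_WEBSITE` in the job environment, then `DAST_WEBSITE` and `ENVIRONMENT_URL` from the dotenv report, then `environment_url.txt`) is an assumption for the example, not documented GitLab behaviour.

```shell
#!/usr/bin/env bash
# Added example, not GitLab code. Resolves the DAST target URL using an
# ASSUMED priority order and derives host[:port] for DAST_API_HOST_OVERRIDE.
set -eu

# Print the value of KEY from a dotenv file (last assignment wins, optional
# surrounding double quotes stripped); print nothing if file or key is absent.
dotenv_get() {
  file="$1"; key="$2"
  [ -f "$file" ] || return 0
  sed -n "s/^${key}=//p" "$file" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print the resolved target URL, or return 1 when no source provides one.
#   $1: dotenv report file (default deploy.env)
#   $2: legacy URL file (default environment_url.txt)
resolve_dast_target() {
  dotenv="${1:-deploy.env}"; urlfile="${2:-environment_url.txt}"
  url="${DAST_WEBSITE:-}"                                   # 1. job variable
  [ -n "$url" ] || url="$(dotenv_get "$dotenv" DAST_WEBSITE)"    # 2. dotenv
  [ -n "$url" ] || url="$(dotenv_get "$dotenv" ENVIRONMENT_URL)" # 3. dotenv
  if [ -z "$url" ] && [ -f "$urlfile" ]; then
    url="$(head -n 1 "$urlfile")"                           # 4. legacy file
  fi
  [ -n "$url" ] || return 1
  printf '%s\n' "$url"
}

# Reduce a URL to host[:port] by stripping scheme, userinfo and path.
host_override_from_url() {
  rest="${1#*://}"   # drop scheme
  rest="${rest%%/*}" # drop path and query
  rest="${rest##*@}" # drop userinfo
  printf '%s\n' "$rest"
}
```

In a `dast` job this would be used as `export DAST_WEBSITE="$(resolve_dast_target)"` followed by `export DAST_API_HOST_OVERRIDE="$(host_override_from_url "$DAST_WEBSITE")"`.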
Proposal
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Edited by Derek Ferguson