DAST without Review Apps

Problem to solve

As a Developer, I want to run DAST without setting up a whole Kubernetes cluster and Review Apps in GitLab.

Intended users

Further details

DAST requires a target URL (DAST_WEBSITE), which also means an up-and-running instance of the application. This is the purpose of review apps, but they can be hard to set up for smaller teams without Kubernetes clusters available.

Proposal

This issue is to brainstorm other possibilities, especially when a docker-compose.yml is available in the repo. While we can't have a job that keeps the application running (jobs need to end eventually), there may be another way to start the required containers.

Note that we can't run docker-compose up within the dast job: the DAST image doesn't contain docker, and the job does not necessarily run on a privileged runner.

We could use services, where the service image would be the one built earlier in the pipeline, but this probably won't work well if multiple pipelines run for the same branch.
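A sketch of the services approach as a .gitlab-ci.yml, added here as an illustration and not part of the issue or of GitLab's DAST template. It assumes the application listens on port 8080, that the build job runs on a runner with docker-in-docker, and that the image is tagged with $CI_COMMIT_SHA so concurrent pipelines on the same branch do not overwrite each other's image; the service alias is the hostname the scanner targets via DAST_WEBSITE.

```yaml
# Added example (not from the issue): scan the app served by a CI service
# container instead of a Review App. Assumptions: the app listens on 8080,
# the build job can use docker:dind, and the template name below is the
# current one from the GitLab docs.
include:
  - template: Security/DAST.gitlab-ci.yml

stages:
  - build
  - dast

build_app:
  stage: build
  image: docker:latest
  services:
    - docker:dind            # assumption: runner allows docker-in-docker
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    # Tag by commit SHA so two pipelines on the same branch never share
    # (or clobber) one image tag, which is the collision concern above.
    - docker build -t "$CI_REGISTRY_IMAGE/app:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/app:$CI_COMMIT_SHA"

dast:
  stage: dast
  services:
    # The image built in this pipeline starts alongside the dast job; the
    # alias is its hostname on the job network, so no cluster is required.
    - name: "$CI_REGISTRY_IMAGE/app:$CI_COMMIT_SHA"
      alias: app
  variables:
    DAST_WEBSITE: "http://app:8080"   # target URL the scanner crawls
```

If the application needs time to become ready, a short poll of http://app:8080 in a before_script before the scan avoids an empty report from a scanner that started too early.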

Permissions and Security

TBD

Documentation

https://docs.gitlab.com/ee/user/project/merge_requests/dast.html to be updated.

Availability & Testing

This can actually ease the testing of DAST, since it would run without review apps.

What does success look like, and how can we measure that?

  • Users can get started with DAST faster
  • More DAST reports

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

No

Links / references

/cc @dappelt following our discussion /cc @derekferguson @sethgitlab /cc @wichers