On-demand DAST scans (The post MVC exploration)
Problem to solve
As a user, I would like to be able to scan my site or application for DAST vulnerabilities without having to create an MR and trigger a pipeline to run, so that I can reproduce and evaluate vulnerabilities on demand.
Intended users
Further details
A major feature that GitLab is lacking is the ability to run one-off, on-demand DAST scans. This is the main way that most DAST users began scanning their products. Pipeline integration for DAST is an amazing DevSecOps tool, but without the ability to reproduce and validate the vulnerabilities, or to scan sites on a schedule, we will always be behind the industry standard for a DAST tool. We need to be able to follow a workflow like the following:
- Add a URL to be scanned
- Set the configuration for the scan using configuration profiles
- Assign the branch that is deployed on the infrastructure to be scanned (so we can catalogue the results with the rest of the pipeline results)
- View the results for the scan
Each of these areas has more detail that would need to be worked through, but the basic workflow should be something similar to this.
Another area where this will help is DAST adoption within GitLab. A pain point for many DAST customers is the difficulty of integrating DAST into their DevOps lifecycle, especially when they are not using Kubernetes clusters and review apps. This will allow these users to start, and eventually schedule, DAST scans against a pre-deployed environment (such as a staging server), so they can start to see the benefit of running DAST scans and having them integrated into their pipeline.
Proposal
We will solve the problem by providing users a way to start an on-demand DAST scan and view the results.
Permissions and Security
Documentation
The feature would need a new section in the DAST documentation. There could be two top-level sections, one for pipeline DAST runs and another for on-demand DAST scans.