Disable the DAST spider and provide a list of URLs to scan
Problem to solve
Users sometimes want to scan only a specific set of URLs, instead of having the scan spider their entire app. This would allow for more targeted, quicker scans of the application when they know the branch being scanned only applies to specific areas of the app.
Implementation plan
- Create a multi-page website fixture
- Implement Passive Scan !284
- Implement Active Scan !293
- Change `DAST_URLS` to `DAST_PATHS`. `DAST_PATHS` should not include the host and should be combined with `DAST_WEBSITE` to make the full URL. This will allow users to use review apps without having to reset `DAST_URLS` in a `before_script`. !300
- Add documentation !41727 (merged)
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Sam (Security Analyst)
- Simone (Software Engineer in Test)
Further details
Proposal
Assuming that this is supported by ZAP, I believe that we should do two things to support this feature:
- Add an environment variable to disable spidering
- Support multiple URLs (comma-delimited) in the `DAST_WEBSITE` environment variable, or a text file with URLs
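The following is an added example, not code from this issue or from the GitLab DAST project, showing how a spider-less scan's target list can be assembled from the two variables discussed above: `DAST_WEBSITE` supplies the host, `DAST_PATHS` supplies host-less paths (either comma-delimited or one per line as in the text-file variant of the proposal). The helper names `parse_paths` and `build_scan_urls`, the review-app hostname and the sample paths are all assumed for illustration. The scope check matters for a defender: because a review app can change the website URL from pipeline to pipeline, an entry in `DAST_PATHS` that carries its own scheme or host is rejected rather than silently scanned, so the configured paths can never widen the scan beyond the host in `DAST_WEBSITE`.

```python
"""Build the target list for a spider-less DAST scan from DAST_WEBSITE and DAST_PATHS.

Added example: variable names come from the issue; helper names and sample
values are assumptions for illustration.
"""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit


def parse_paths(raw: str) -> list[str]:
    """Split a DAST_PATHS value into individual paths.

    Accepts the comma-delimited form proposed in the issue as well as the
    one-path-per-line text-file form; blank entries and '#' comments are ignored.
    """
    paths: list[str] = []
    for line in raw.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        for item in line.split(","):
            item = item.strip()
            if item:
                paths.append(item)
    return paths


def build_scan_urls(website: str, paths: list[str]) -> list[str]:
    """Resolve each path against DAST_WEBSITE, keeping the scan inside that host.

    Paths must not carry their own scheme or host (the issue's rule for
    DAST_PATHS). Anything that would resolve to a different host, including
    protocol-relative forms such as //other.host/x, raises instead of being
    scanned, so the path list cannot enlarge the authorised scope.
    """
    base = website if website.endswith("/") else website + "/"
    base_parts = urlsplit(base)
    if base_parts.scheme not in ("http", "https") or not base_parts.netloc:
        raise ValueError(f"DAST_WEBSITE must be an absolute http(s) URL: {website!r}")

    urls: list[str] = []
    for path in paths:
        parts = urlsplit(path)
        if parts.scheme or parts.netloc:
            raise ValueError(f"DAST_PATHS entry must not include a scheme or host: {path!r}")
        full = urljoin(base, path)
        # Belt-and-braces: verify the joined URL still points at the configured host.
        if urlsplit(full).netloc.lower() != base_parts.netloc.lower():
            raise ValueError(f"{path!r} resolves outside {base_parts.netloc}: {full}")
        if full not in urls:  # de-duplicate while preserving order
            urls.append(full)
    return urls


if __name__ == "__main__":
    # Constructed sample values standing in for a review-app pipeline's variables.
    dast_website = "https://review-123.example.test"
    dast_paths = "/login, /account/settings\n# API surface\n/api/v1/users,/login"
    for url in build_scan_urls(dast_website, parse_paths(dast_paths)):
        print(url)
```

Leading slashes are resolved with the usual `urljoin` semantics, so `/login` against `https://host/app/` yields `https://host/login`; if the application lives under a sub-path, write the entries relative to it (`login`) rather than root-anchored.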
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Edited by Craig Smith