
Disable the DAST spider and provide list of urls to scan

Problem to solve

Users sometimes want to scan only a specific set of URLs, instead of having the scan spider their entire app. This would allow for more targeted, quicker scans of the application when they know the branch being scanned only applies to specific areas of the app.

Implementation plan

  • Create a multi-page website fixture
  • Implement Passive Scan !284
  • Implement Active Scan !293
  • Change DAST_URLS to DAST_PATHS. DAST_PATHS should not include the host; it should be combined with DAST_WEBSITE to form the full URL. This will allow users to use review apps without having to reset the DAST_URLS in a before_script. !300
  • Add documentation !41727 (merged)
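As an added illustration of the DAST_PATHS / DAST_WEBSITE combination described above (this is example code written for this page, not the DAST analyzer's own implementation), the function below builds the list of scan targets from the two variables. It assumes DAST_PATHS is comma-delimited, that only the scheme and host of DAST_WEBSITE are used as the base, and that an entry carrying its own scheme or host is a configuration error, since a path list must not be able to redirect the scan to a host other than the one named in DAST_WEBSITE.

```python
from urllib.parse import urljoin, urlsplit


def build_scan_targets(dast_website: str, dast_paths: str) -> list[str]:
    """Combine DAST_WEBSITE with comma-delimited DAST_PATHS into full URLs.

    Assumptions (not taken from the analyzer): only the scheme and host of
    DAST_WEBSITE form the base, entries are separated by commas, blank
    entries are ignored, and duplicates are dropped while keeping order.
    """
    base = urlsplit(dast_website)
    if base.scheme not in ("http", "https") or not base.netloc:
        raise ValueError(f"DAST_WEBSITE must be an absolute http(s) URL: {dast_website!r}")
    root = f"{base.scheme}://{base.netloc}/"

    targets: list[str] = []
    seen: set[str] = set()
    for raw in dast_paths.split(","):
        path = raw.strip()
        if not path:
            continue
        parts = urlsplit(path)
        # Reject anything that names a scheme or host ("https://other/",
        # "//other/x"): the path list may only select areas of DAST_WEBSITE.
        if parts.scheme or parts.netloc:
            raise ValueError(f"DAST_PATHS entry must not include a host: {path!r}")
        # urljoin against the host root resolves "./" and "../" segments, so
        # the result always stays on the DAST_WEBSITE host.
        url = urljoin(root, path.lstrip("/"))
        if url not in seen:
            seen.add(url)
            targets.append(url)
    return targets


def scan_plan(dast_website: str, dast_paths: str = "") -> dict:
    """Derive the scan configuration: when DAST_PATHS is set, the spider is
    disabled and only the listed targets are scanned; otherwise the spider
    starts from DAST_WEBSITE as before. (Illustrative shape, not the
    analyzer's real configuration object.)"""
    if dast_paths.strip():
        return {"spider": False, "targets": build_scan_targets(dast_website, dast_paths)}
    return {"spider": True, "targets": [dast_website]}


if __name__ == "__main__":
    # Constructed sample values, as they might be set for a review app.
    print(scan_plan("https://review-123.example.test", "/, /login, /api/v1/users"))
    print(scan_plan("https://review-123.example.test"))
```

In a pipeline the same idea is just two CI variables: set DAST_WEBSITE to the review-app host and DAST_PATHS to the comma-delimited paths, and the job does not need a before_script to rewrite full URLs per environment.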

Intended users

Further details

Proposal

Assuming that this is supported by ZAP, I believe that we should do two things to support this feature:

  1. Add an environment variable to disable spidering
  2. Support multiple URLs (comma-delimited) in the DAST_WEBSITE environment variable.
  3. Or a text file containing the URLs.

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Craig Smith