Move dast project to analyzers/dast
Problem to solve
The DAST feature currently relies on a single tool, ZAProxy. Like other security features before it, this tool is wrapped in a single "top-level" project: https://gitlab.com/gitlab-org/security-products/dast.
However, while we have migrated every other tool to a dedicated analyzer, we have not yet done so for dast (nor for license-management, which has its own issue).
This creates inconsistencies that block stage-wide initiatives in UX and engineering.
Intended users
Further details
Even though a single tool provides dast today, we might replace it or add new ones someday. We also want to support 3rd-party integrations, so moving to an architecture that is built for several analyzers will make things simpler for everyone.
Proposal
The initial proposal was to move to https://gitlab.com/gitlab-org/security-products/analyzers/zaproxy, but the discussion raised doubts about whether that is a good direction for dast. In the end, the project will move under analyzers/dast.
- In %13.0, initiate the migration from a user perspective:
  - create the https://gitlab.com/gitlab-org/security-products/analyzers/dast project, with just a README
  - add instructions to the release job of the current dast project to create Docker image tag aliases and additionally push them under https://gitlab.com/gitlab-org/security-products/analyzers/dast
  - update the vendored templates and documentation to point to the new image
  - deprecate, in the documentation, the usage of Docker images under https://gitlab.com/gitlab-org/security-products/dast
- Whenever the DA team has time, actually migrate the content of the dast project into the new location, https://gitlab.com/gitlab-org/security-products/analyzers/dast:
  - clone the repo under the new project
  - update any script pointing to the old dast repo
  - remove the content from the old repo and make its git repo read-only
  - keep pushing images under the "security-products/dast" registry namespace for backward compatibility
- In %14.0, or earlier if we agree on making a breaking change in a minor release:
  - stop pushing images under the old "security-products/dast" registry
  - archive the "security-products/dast" project
  - remove the remaining references from the documentation
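The release-job step from the %13.0 list, publishing each image under both registry paths for the deprecation window, as an added example. This is not the dast project's own release job: the two registry paths are the projects named in this issue, while the MAJOR.MINOR.PATCH tag scheme with MAJOR.MINOR and MAJOR alias tags, and the `DOCKER` override used for dry runs, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the dast project's release job.
# Assumptions: the built image is tagged MAJOR.MINOR.PATCH and also gets
# MAJOR.MINOR and MAJOR alias tags; both repos below must be pushable by the job.

OLD_REPO="registry.gitlab.com/gitlab-org/security-products/dast"
NEW_REPO="registry.gitlab.com/gitlab-org/security-products/analyzers/dast"
DOCKER="${DOCKER:-docker}"   # set DOCKER=echo to print the commands instead

# alias_tags VERSION -> "VERSION MAJOR.MINOR MAJOR"; rejects anything that
# is not three dot-separated components so a bad tag fails the job early.
alias_tags() {
    v="$1"
    case "$v" in
        *.*.*) ;;
        *) echo "alias_tags: expected MAJOR.MINOR.PATCH, got '$v'" >&2; return 1 ;;
    esac
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    echo "$v $major.$minor $major"
}

# mirror_image SRC VERSION: tag the locally built SRC with every alias under
# both the legacy and the new repo, then push each tag. Stops on first error.
mirror_image() {
    src="$1"
    version="$2"
    tags=$(alias_tags "$version") || return 1
    for repo in "$OLD_REPO" "$NEW_REPO"; do
        for t in $tags; do
            "$DOCKER" tag "$src" "$repo:$t" || return 1
            "$DOCKER" push "$repo:$t" || return 1
        done
    done
}
```

Run with `DOCKER=echo sh release.sh` style invocation (or call `mirror_image "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$VERSION"` from the job) to review the twelve tag/push commands before letting the job execute them; dropping `$OLD_REPO` from the loop is the only change needed for the %14.0 step.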