
Use DAST Scan profiles from filesystem

Problem to solve

To simplify the configuration of DAST for customers, users can configure scan profiles (environment variables and other settings) and save those profiles in a dedicated settings YAML file located in the same folder of the repository as their .gitlab-ci.yml file. This eliminates the need to configure many environment variables in the .gitlab-ci.yml file, and also lets the user set up multiple settings files and reuse them.

The following YAML snippet should pull the DAST scan settings from a YAML file. If a value is also set in the .gitlab-ci.yml file, the .gitlab-ci.yml value should override the value from the settings file.

include:
  - template: DAST.gitlab-ci.yml

variables:
  DAST_CONFIGURATION_SETTINGS: profile1.yml

User experience goal

  • Simplify the setup of DAST.
  • Allow the user to easily maintain and reuse various scan profiles.

Documentation

The DAST documentation should be updated describing this functionality.

Is this a cross-stage feature?

This design pattern and usage should be consistent across the other Secure analyzers.

Implementation Notes

When the analyzer starts, it parses the referenced settings file. The settings file is consumed by the analyzer, not by the runner.

If the referenced file (profile1.yml in the example above) is not found, the job should fail.

The values from the YAML file will be merged with the values that have been written directly to the .gitlab-ci.yml file, with the .gitlab-ci.yml values taking precedence.

The merged values will then be used by the analyzer.

Because this work is done at the analyzer level and not the runner level, the settings YAML files can have a more flexible structure.
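The resolution order described in these notes, written out as an added example (this is illustrative code, not the DAST analyzer's own implementation): the analyzer reads DAST_CONFIGURATION_SETTINGS, parses the profile from the checkout, fails the job when the file is missing, and lets variables set in .gitlab-ci.yml override the profile's values. The profile parser here handles only a flat KEY: value subset of YAML, and the within-repository path check is an added safeguard that the issue does not specify. The variable names in the sample profile are real DAST variables, but the values and the profile itself are constructed for the example.

```python
"""Added example: resolving DAST scan settings from a profile file and
merging them with job variables (.gitlab-ci.yml values win)."""
import os
import re
from typing import Dict, Mapping

# Only a flat `KEY: value` subset of YAML is parsed here, which is all a
# profile of analyzer variables needs; a real analyzer would use a YAML library.
_LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*)$")

# Constructed sample profile (not from the issue); DAST_* names are real
# analyzer variables, the values are made up for the example.
PROFILE = """\
# profile1.yml for the staging environment
DAST_WEBSITE: https://staging.example.com      # default target
DAST_FULL_SCAN_ENABLED: "false"
DAST_AUTH_URL: "https://staging.example.com/login"
"""

# Constructed job variables as the runner would export them to the analyzer.
JOB_VARS = {
    "DAST_WEBSITE": "https://review.example.com",          # overrides the profile
    "DAST_EXCLUDE_URLS": "https://review.example.com/logout",
    "CI_JOB_ID": "1",                                      # not a DAST setting
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse a flat profile; comments and blank lines are ignored, anything
    that is not `KEY: value` is rejected so a malformed profile fails loudly."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            raise ValueError(f"profile line {lineno}: expected KEY: value, got {raw!r}")
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                 # quoted scalar, keep verbatim
        else:
            value = re.sub(r"\s+#.*$", "", value)  # drop a trailing comment
        settings[key] = value
    return settings


def merge_settings(profile: Mapping[str, str], job_vars: Mapping[str, str]) -> Dict[str, str]:
    """Profile values are defaults; DAST_* variables from the job override
    them or add new settings. Unrelated CI variables are not copied in."""
    merged = dict(profile)
    for key, value in job_vars.items():
        if key in profile or key.startswith("DAST_"):
            merged[key] = value
    return merged


def load_settings(repo_dir: str, env: Mapping[str, str]) -> Dict[str, str]:
    """Resolve DAST_CONFIGURATION_SETTINGS relative to the checkout. A missing
    file raises, which fails the job as the issue requires; a path that escapes
    the checkout is rejected as an added safeguard."""
    name = env.get("DAST_CONFIGURATION_SETTINGS")
    if not name:
        return merge_settings({}, env)
    root = os.path.realpath(repo_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"settings file {name!r} is outside the repository")
    if not os.path.isfile(path):
        raise FileNotFoundError(f"DAST_CONFIGURATION_SETTINGS={name!r} not found in {root}")
    with open(path, encoding="utf-8") as fh:
        return merge_settings(parse_profile(fh.read()), env)


if __name__ == "__main__":
    for key, value in sorted(merge_settings(parse_profile(PROFILE), JOB_VARS).items()):
        print(f"{key}={value}")
```

Running the block prints the merged settings: DAST_WEBSITE comes from the job variables, DAST_AUTH_URL and DAST_FULL_SCAN_ENABLED from the profile, DAST_EXCLUDE_URLS is added from the job, and CI_JOB_ID is left out.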

Why not use default include functionality

GitLab CI/CD supports YAML includes. Includes do not solve the problem of settings-file reuse, however. For example, if the user wants the following configuration, it is not possible with includes, because the included files would have to be hard-coded to reference dast_job1 and dast_job2.

dast_job1:
  stage: dast
  variables:
    DAST_CONFIGURATION_SETTINGS: profile1.yml
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/dast:1"
  script:
    - /analyze
  artifacts:
    reports:
      dast: gl-dast-report.json

dast_job2:
  stage: dast
  variables:
    DAST_CONFIGURATION_SETTINGS: profile2.yml
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/dast:1"
  script:
    - /analyze
  artifacts:
    reports:
      dast: gl-dast-report.json

Edited by Seth Berger