DAST On-demand scans MVC - Design
Problem to solve
As a security professional, I want to scan web applications that are deployed throughout my organization, so that I can validate the security of my site outside of code changes and MRs.
Intended users
User experience goal
The goal is to introduce our users to DAST scans that run outside of the typical MR workflow. They are on-demand scans that will allow users to validate issues when there are no code changes or allow for security professionals who do not commit code to use GitLab for their DAST testing needs.
Proposal
As an MVC, this feature would introduce on-demand scans by adding a page where a user can specify the target URL and start a scan. The scan would run in passive mode against the site for 60 seconds. Once the user starts the scan, we can redirect them to the pipeline page to show the job running. These jobs will always be associated with the default (master) branch, and the results can be seen in the project dashboard or the pipeline dashboard.
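Added example (not GitLab's code, and not part of this issue): the flow the proposal describes, reduced to two helpers. The first validates the user-supplied target URL before anything is handed to a scanner job; the second builds the request for a pipeline on the default branch. The mapping of "passive mode" and "60 seconds" onto the DAST_FULL_SCAN_ENABLED and DAST_SPIDER_MINS variables, the use of POST /projects/:id/pipeline, and the pipeline page path are all assumptions made for this example.

```python
"""Validate an on-demand DAST target and build the pipeline-trigger request.

Added example, not GitLab's implementation. Assumed: the scan is launched by
creating a pipeline on the default branch, with the target and scan mode passed
as CI variables.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_target_url(target_url: str) -> str:
    """Return the target URL as given, or raise ValueError.

    Only absolute http(s) URLs with a hostname are accepted, and URLs carrying
    embedded credentials are rejected, so a malformed value from the form never
    reaches the scanner job.
    """
    parts = urlsplit(target_url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("target URL has no hostname")
    if parts.username or parts.password:
        raise ValueError("credentials in the target URL are not allowed")
    return parts.geturl()


def build_pipeline_request(project_id: int, target_url: str,
                           default_branch: str = "master") -> dict:
    """Build path and body for POST /projects/:id/pipeline (assumed mapping).

    The job always runs on the default branch, in passive mode, with the
    spider limited to one minute (the proposal's 60-second scan).
    """
    url = validate_target_url(target_url)
    return {
        "path": f"/projects/{project_id}/pipeline",
        "body": {
            "ref": default_branch,
            "variables": [
                {"key": "DAST_WEBSITE", "value": url},
                # "false" keeps the scan passive; no active attacks are sent.
                {"key": "DAST_FULL_SCAN_ENABLED", "value": "false"},
                # DAST_SPIDER_MINS is in minutes; 1 minute = 60 seconds.
                {"key": "DAST_SPIDER_MINS", "value": "1"},
            ],
        },
    }


def pipeline_page_url(gitlab_host: str, project_path: str,
                      pipeline_id: int) -> str:
    """Page the user is redirected to once the pipeline exists (assumed path)."""
    return f"https://{gitlab_host}/{project_path}/-/pipelines/{pipeline_id}"


if __name__ == "__main__":
    # Constructed sample input, as a user would type it into the new page.
    request = build_pipeline_request(42, "https://staging.example.com/app")
    print(request)
    print(pipeline_page_url("gitlab.example.com", "group/project", 1001))
```

The validation runs before the pipeline is created, so a bad target fails on the form rather than as a failed job; the returned request is what a backend would send to the API, with the default branch fixed rather than taken from user input.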
Further details
Permissions and Security
Documentation
An "On-demand scans" section will need to be added to the DAST docs at https://docs.gitlab.com/ee/user/application_security/dast/