DAST Scan profile configuration design
Problem to solve
As a DAST user, I want to be able to create multiple scan profiles so that I can quickly assign commonly used scan configurations to a scan, rather than building it up and replacing the previous config every time I run a scan.
Intended users
User experience goal
The user should be able to use the UI to create multiple scan configs and save those for use on any DAST scan that they might perform.
Proposal
This config page should live somewhere other than the Asynchronous scan page. It makes sense to have it under "Security & Compliance" -> "Configuration", but other locations can be considered if they make sense. On this page, the user should be able to create a new profile, delete a profile, or edit a profile. The configuration options for a profile are currently the following environment variables; these will be translated into UI-presentable options:
- TARGET_AVAILABILITY_TIMEOUT
- FULL_SCAN_ENABLED
- FULL_SCAN_DOMAIN_VALIDATION_REQUIRED
- AUTO_UPDATE_ADDONS
- ZAP_USE_AJAX_SPIDER
- EXCLUDE_RULES
- ZAP_SPIDER_MINS
- ZAP_HTML_REPORT
- ZAP_MARKDOWN_REPORT
- ZAP_XML_REPORT
- ZAP_INCLUDE_ALPHA_RULES
- ZAP_CLI_OPTIONS
- ZAP_DEBUG
- ZAP_DELAY_PASSIVE_SCAN_SECONDS
In order to get all of the UI options correct and work through validation, we will use this spreadsheet to document what will be available in the profile.
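As an added illustration (not code from this issue or from GitLab), the sketch below models one saved scan profile in Python, applies the kind of validation the spreadsheet is meant to work through, and renders the profile back into the variable names listed above; the field types, defaults, range checks and sample rule ids are assumptions about what the form would enforce, not GitLab's own behaviour.

```python
from dataclasses import dataclass, field, fields
from typing import Dict, List


@dataclass
class ScanProfile:
    """One saved DAST scan profile (constructed model; defaults are placeholders)."""
    name: str
    target_availability_timeout: int = 60
    full_scan_enabled: bool = False
    full_scan_domain_validation_required: bool = True
    auto_update_addons: bool = False
    zap_use_ajax_spider: bool = False
    exclude_rules: List[int] = field(default_factory=list)  # ZAP rule ids
    zap_spider_mins: int = 1
    zap_html_report: bool = False
    zap_markdown_report: bool = False
    zap_xml_report: bool = False
    zap_include_alpha_rules: bool = False
    zap_cli_options: str = ""
    zap_debug: bool = False
    zap_delay_passive_scan_seconds: int = 0

    def validate(self) -> List[str]:
        """Return human-readable problems; an empty list means the profile can be saved."""
        problems: List[str] = []
        if not self.name.strip():
            problems.append("profile name must not be empty")
        for attr in ("target_availability_timeout", "zap_spider_mins",
                     "zap_delay_passive_scan_seconds"):
            value = getattr(self, attr)
            # bool is a subclass of int, so reject it explicitly
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                problems.append(f"{attr} must be a non-negative integer")
        if any(isinstance(r, bool) or not isinstance(r, int) or r < 0
               for r in self.exclude_rules):
            problems.append("exclude_rules must contain ZAP rule ids (non-negative integers)")
        if any(c in self.zap_cli_options for c in "\n\r\0"):
            problems.append("zap_cli_options must be a single line")
        return problems

    def to_env(self) -> Dict[str, str]:
        """Render the profile as the environment variables the DAST job would consume."""
        env: Dict[str, str] = {}
        for f in fields(self):
            if f.name == "name":  # the profile name is UI metadata, not a scan option
                continue
            value = getattr(self, f.name)
            if isinstance(value, bool):
                value = "true" if value else "false"
            elif isinstance(value, list):
                value = ",".join(str(v) for v in value)
            env[f.name.upper()] = str(value)
        return env
```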
Design:
- Scan profile creation flow:
- Site profile creation during the creation of an on-demand scan: