Allow DAST_PATHS_FILE to be an artifact
Release notes
Problem to solve
DAST_PATHS_FILE is only accessible from the /zap/wrk directory. This means the list of URLs to scan must be generated and committed to the project repository. However, it's not always possible to generate this list beforehand, so users need to be able to generate the file as an artifact and then reference that artifact using DAST_PATHS_FILE.
See 45114#note_433171269 for the full conversation.
Intended users
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Alex (Security Operations Engineer)
- Simone (Software Engineer in Test)
- Allison (Application Ops)
- Priyanka (Platform Engineer)
Proposal
DAST_PATHS_FILE should look in both the /builds directory and /zap/wrk directory.
If DAST_PATHS_FILE is set to urls_to_scan.txt, DAST would look for the file /builds/urls_to_scan.txt and then, if that file doesn't exist, look in /zap/wrk/urls_to_scan.txt.
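A sketch of the search order proposed above, added here as an illustration and not taken from GitLab DAST's code. The function names are hypothetical, and the rule that the value must stay inside the directory it is resolved against is an assumption this issue does not state; temporary directories stand in for /builds and /zap/wrk.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional, Sequence

# Search order from the proposal: the builds directory first, then ZAP's working directory.
DEFAULT_SEARCH_DIRS = ("/builds", "/zap/wrk")


def resolve_paths_file(name: str, search_dirs: Sequence[str] = DEFAULT_SEARCH_DIRS) -> Optional[Path]:
    """Return the first existing regular file for `name`, or None.

    Assumption (not in the issue): absolute paths and `..` escapes are rejected.
    """
    if not name or os.path.isabs(name):
        return None
    for base in search_dirs:
        root = Path(base).resolve()
        candidate = (root / name).resolve()
        # resolve() collapses `..` and symlinks; the result must remain under root.
        if root != candidate and root not in candidate.parents:
            continue
        if candidate.is_file():
            return candidate
    return None


def read_paths(path: Path) -> list:
    # One URL path per line; blank lines are ignored.
    return [line.strip() for line in path.read_text().splitlines() if line.strip()]


def demo() -> dict:
    """Constructed layout: temp dirs stand in for /builds and /zap/wrk."""
    with tempfile.TemporaryDirectory() as tmp:
        builds, wrk = Path(tmp, "builds"), Path(tmp, "zap", "wrk")
        builds.mkdir()
        wrk.mkdir(parents=True)
        (wrk / "urls_to_scan.txt").write_text("/committed\n")
        (wrk / "only_in_wrk.txt").write_text("/legacy\n")
        (builds / "urls_to_scan.txt").write_text("/generated\n\n/login\n")
        Path(tmp, "secret.txt").write_text("outside\n")
        dirs = (str(builds), str(wrk))
        return {
            "first": read_paths(resolve_paths_file("urls_to_scan.txt", dirs)),
            "fallback": read_paths(resolve_paths_file("only_in_wrk.txt", dirs)),
            "escape": resolve_paths_file("../secret.txt", dirs),
        }
```

With this order, a file generated by an earlier job takes precedence over a committed file of the same name, which is worth stating in the documentation update.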
Documentation
The DAST docs should be updated to mention that DAST_PATHS_FILE will look in the /builds directory.