Offline environment support for API fuzz testing
Problem
Fuzz testing is not included in the various areas for offline environment support for GitLab. This means users have to be connected to the internet, which is not ideal for certain users.
Proposal
Add offline environment support for fuzz testing, to allow users to use fuzz testing if they are not connected to the internet. This should be done in a similar way that was done for the other scanners where possible.
This includes:
-
Update API Fuzzing template API-Fuzzing.gitlab-ci.yml
to expose a variable to:Set the Docker registry base address from which to download the analyzer.
-
Update latest template API-Fuzzing.latest.gitlab-ci.yml
-
Update template, add a variable called SECURE_ANALYZERS_PREFIX
as suggested in Using the secure bundle created -
Update unit tests for template API-Fuzzing.gitlab-ci.yml
-
Update documentation for supported variables in Web API Fuzzing. Add a link to Offline deployments
-
-
Update the Secure-Binaries template for any needed images. -
Include api_fuzzing
in the list of values inSECURE_BINARIES_ANALYZERS
. -
Check SECURE_BINARIES_ANALYZER_VERSION
sets the correct image version -
Under DAST
header add a new entry to downloadapi_fuzzing
image. UpdateSECURE_BINARIES_ANALYZER_VERSION
to match version ofFUZZAPI_VERSION
from API-Fuzzing.gitlab-ci.ymlfuzz: extends: .download_images variables: SECURE_BINARIES_ANALYZER_VERSION: "1" only: variables: - $SECURE_BINARIES_DOWNLOAD_IMAGES == "true" && $SECURE_BINARIES_ANALYZERS =~ /\bapi_fuzzing\b/
-
-
Update documentation
-
Add documentation in Web API Fuzzing -
Add section about: Running Web API Fuzz in an offline environment
, e.g. Similar to DAST documentation
-
- [-] Update the offline environment documentation to describe the needed steps
SECURE_ANALYZERS_PREFIX
- [-] Add entry for Specific scanner instructions
-