Change DAST On-demand API Scanning Engine

Overview

As part of on-demand scans, users can run an API scan through the web interface. The on-demand process uses the DAST-On-Demand-Scan YAML template, https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml.

Since the API Security tool is almost ready to roll out as the default API scanner, the template above should be updated to use the API Security DAST scanner instead of the ZAP engine.

Implementation

Both frontend and backend work is needed to make the switch. This design issue details the changes, starting with the frontend ones.

  • Change "Rest API" to "API"
  • Change "Target URL" to "API Endpoint URL"
  • Add a radio button group "Perform testing using:" with the options OpenAPI, HAR, Postman
    • Only one of the three path fields is shown, depending on which radio button is selected
    • Add input field for HAR File Path [ ]
    • Add input field for OpenAPI File Path or URL [ ]
    • Add input field for Postman File Path [ ]
  • Change "Excluded URLs" to "Excluded Paths"

In addition, passive and active attack profiles will need to be built for the API Security engine.

The on-demand web interface encrypts and encodes sensitive variables, so the API Security engine needs the change in gitlab-org/security-products/dast!418 (merged) to read those environment variables properly.

Implementation plan

Task  Issue              Description                                 Department
1     #327070 (closed)   Change DAST On-demand API Scanning Engine   backend
2     #350735 (closed)   Frontend changes for API Security           frontend
3     #352625 (closed)   Documentation related updates               documentation
4     #345837 (closed)   Feature flag rollout                        feature flag

Decisions

Feature Flag

All related changes should be released behind the dast_api_scanner feature flag.

GraphQL

DastSiteProfileCreateInput & DastSiteProfileUpdateInput

The DastSiteProfileCreateInput and DastSiteProfileUpdateInput GraphQL input types need to be extended with two fields to support the new scan method option:

  • scanMethod - Type::ScanMethodEnum
  • scanFilePath - Type::String

ScanMethodEnum is a new enum identifying the scan method (spec source) to be used for the API scan. Its values are:

  • OPENAPI
  • POSTMAN_COLLECTION
  • HAR
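The UI rules above (only one of the three path fields is shown) and the new scanMethod/scanFilePath fields map naturally onto the variables an API Security job consumes. The following Ruby is an added example, not GitLab's own code: it validates a site profile carrying the new fields and builds the job variables, emitting exactly one spec-file variable. The DAST_API_* variable names are taken from the public DAST API documentation as recalled here and are an assumption, as are the SiteProfile struct and the validation rules, which stand in for the real Rails model.

```ruby
# Added example, not GitLab's own code: build the CI variables an API Security
# scan job would receive from an on-demand site profile carrying the new
# scanMethod/scanFilePath fields. Exactly one spec-file variable is emitted,
# mirroring the "only one of the three path fields" rule in the UI design.
# ASSUMPTIONS: the DAST_API_* variable names are taken from the public DAST API
# documentation as recalled here, not from this issue; SiteProfile and the
# validation rules are hypothetical stand-ins for the real Rails model.
require 'uri'

# scanMethod enum value => CI variable the scanner reads the spec from.
SCAN_METHOD_VARIABLES = {
  openapi:            'DAST_API_OPENAPI',            # repo path or http(s) URL
  postman_collection: 'DAST_API_POSTMAN_COLLECTION', # repo path only
  har:                'DAST_API_HAR'                 # repo path only
}.freeze

SiteProfile = Struct.new(:target_url, :target_type, :scan_method,
                         :scan_file_path, :excluded_paths, keyword_init: true)

class InvalidProfile < StandardError; end

# True when scan_file_path looks like a URL rather than a repository path.
def remote_path?(path)
  path.match?(%r{\A[a-z][a-z0-9+.\-]*://}i)
end

# Returns a list of validation problems; an empty list means the profile is
# usable for an API scan.
def validate_api_profile(profile)
  errors = []
  errors << 'target_type must be :api' unless profile.target_type == :api
  unless SCAN_METHOD_VARIABLES.key?(profile.scan_method)
    errors << "scan_method must be one of #{SCAN_METHOD_VARIABLES.keys.join(', ')}"
  end

  path = profile.scan_file_path.to_s.strip
  if path.empty?
    errors << 'scan_file_path is required'
  elsif remote_path?(path)
    # Only the OpenAPI method may fetch its spec over the network; HAR and
    # Postman collections must be committed to the repository.
    errors << 'only the OPENAPI method accepts a URL' unless profile.scan_method == :openapi
    begin
      scheme = URI.parse(path).scheme.to_s.downcase
      errors << 'scan_file_path URL must use http or https' unless %w[http https].include?(scheme)
    rescue URI::InvalidURIError
      errors << 'scan_file_path is not a valid URL'
    end
  elsif path.start_with?('/') || path.split('/').include?('..')
    errors << 'scan_file_path must be a repository-relative path without ".."'
  end
  errors
end

# Builds the job variables; raises InvalidProfile instead of emitting a job
# with a missing or ambiguous spec source.
def api_scan_variables(profile)
  errors = validate_api_profile(profile)
  raise InvalidProfile, errors.join('; ') unless errors.empty?

  vars = {
    'DAST_API_TARGET_URL' => profile.target_url,
    SCAN_METHOD_VARIABLES.fetch(profile.scan_method) => profile.scan_file_path.strip
  }
  excluded = Array(profile.excluded_paths).map(&:strip).reject(&:empty?)
  vars['DAST_API_EXCLUDE_PATHS'] = excluded.join(',') unless excluded.empty?
  vars
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample profile, as the frontend would submit it.
  profile = SiteProfile.new(target_url: 'https://api.example.com',
                            target_type: :api, scan_method: :openapi,
                            scan_file_path: 'https://api.example.com/openapi.json',
                            excluded_paths: ['/health', ''])
  api_scan_variables(profile).each { |k, v| puts "#{k}=#{v}" }
end
```

The rejection of URLs for HAR and Postman sources and of absolute or ".."-containing paths is a design choice of this example: the backend, not the scanner, is the right place to refuse a profile that names a spec source the job could never read.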

dastSiteProfiles Query

project(fullPath: $fullPath) {
  dastSiteProfiles(...) {
    nodes {
      id
      profileName
      normalizedTargetUrl
      targetUrl
      targetType
+     scanMethod
+     scanFilePath
    }
  }
}