The GitLab Security department has implemented DAST scans for the main GitLab application, so DAST is being dogfooded for the areas that we currently support. There are still areas within GitLab that are not scanned by DAST because DAST does not support them, such as CLI tools. These are areas that DAST will never support, as there is no interface that our DAST implementation can scan.
DAST API is also not widely used for scanning because there is no central API management: it is up to each team to scan its own APIs. The lack of an OpenAPI spec for our REST API blocked the effort during implementation. Also, because GraphQL endpoints evolve with each milestone, engineering teams need to add and change DAST API jobs for their own areas.
Problem to solve
While DAST is being utilized to the best of its ability at this point, DAST API is underutilized. More effort should be put into driving DAST API adoption at the individual engineering team level.
A cross-stage effort should be started to formalize an OpenAPI spec by having each team document its areas. This spec could then be implemented at a central level or used by individual teams to scan their areas as they commit features.