Remove support for DAST_ variables in worker-entry
Problem
The DAST analyzer has been handling both website/webapp and web API testing. Existing users configure API scans using a subset of the DAST configuration variables. During our development of DAST API, backwards support for the API-related DAST_ variables was wanted, and support was added for some of them. This was to enable a transparent migration of users and also on-demand scans. However, as development proceeded it became clear that we should have separation between the two variable sets, CI templates, etc. DAST API configuration now occurs through DAST_API_ prefixed variables, different CI templates, etc.
With the work done on the on-demand scans to allow using DAST API instead of DAST for API-related scans, the code doesn't cleanly set only DAST_ or DAST_API_ variables. It is expected that the resulting configuration will contain both DAST_ and DAST_API_ prefixed variables. This wouldn't be a problem, except that the API Security code still contains support for some of the DAST_ variables. This could pose a problem at some point.
The more pressing concern as we head towards a general release is users who use both analyzers. Consider this case: a user who has DAST configured with active scans with variables set globally (very common) adds in DAST API in passive mode to give it a shot. By supporting DAST_FULL_SCAN_ENABLED we might run an active scan instead of a passive one.
Proposal
Remove the three DAST_ variables from worker-entry. The variables have never been documented and pose a risk for users who use both DAST and DAST API, or on-demand scans. While on-demand scans will work in their current form, future changes could cause problems.
The most dangerous variable to keep is DAST_FULL_SCAN_ENABLED. A user who has both DAST and DAST API configured could set this variable globally, inadvertently affecting DAST API scans.
Variables to be removed:
- DAST_HOST_OVERRIDE (will continue to be available as DAST_API_HOST_OVERRIDE)
- DAST_REQUEST_HEADERS (will continue to be available as DAST_API_REQUEST_HEADERS)
- DAST_FULL_SCAN_ENABLED
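To make the risk described above concrete, here is an added illustration (not the analyzer's own worker-entry code) of how a DAST_ fallback lets a globally set DAST_FULL_SCAN_ENABLED turn a passive DAST API scan into an active one, and how reading only DAST_API_ variables avoids it. The resolver, the `accept_legacy_dast_vars` switch, the truthy-value parsing, the passive default and the sample environment are all assumptions constructed for this example; only the variable names listed in the proposal come from the issue.

```python
"""Constructed illustration: DAST_ fallbacks leaking global DAST settings into
a DAST API scan, versus a resolver that reads only DAST_API_ variables.
Not the analyzer's real worker-entry code."""

# Assumption: CI boolean variables are accepted in these spellings.
TRUTHY = {"1", "true", "yes", "on"}

# The three DAST_ variables the proposal removes, mapped to the DAST_API_
# names that remain (DAST_FULL_SCAN_ENABLED has no DAST_API_ replacement
# in the proposal, so it is handled separately below).
LEGACY_FALLBACKS = {
    "DAST_API_HOST_OVERRIDE": "DAST_HOST_OVERRIDE",
    "DAST_API_REQUEST_HEADERS": "DAST_REQUEST_HEADERS",
}
LEGACY_NAMES = ("DAST_HOST_OVERRIDE", "DAST_REQUEST_HEADERS", "DAST_FULL_SCAN_ENABLED")


def _is_true(value):
    """Interpret a CI variable value as a boolean (None counts as false)."""
    return value is not None and value.strip().lower() in TRUTHY


def resolve_api_config(env, accept_legacy_dast_vars):
    """Build DAST API scan settings from a CI environment (a plain dict here).

    accept_legacy_dast_vars=True mimics the fallback behaviour the issue
    proposes to remove: a missing DAST_API_ variable falls back to its DAST_
    counterpart, and DAST_FULL_SCAN_ENABLED alone can enable an active scan.
    accept_legacy_dast_vars=False reads only DAST_API_ variables.
    """
    def lookup(api_name):
        if api_name in env:
            return env[api_name]
        legacy_name = LEGACY_FALLBACKS[api_name]
        if accept_legacy_dast_vars and legacy_name in env:
            return env[legacy_name]
        return None

    # Assumption for illustration: DAST API stays passive unless something
    # explicitly enables a full scan. On the legacy path that "something" can
    # be the global DAST variable the issue singles out as most dangerous.
    full_scan = accept_legacy_dast_vars and _is_true(env.get("DAST_FULL_SCAN_ENABLED"))
    return {
        "host_override": lookup("DAST_API_HOST_OVERRIDE"),
        "request_headers": lookup("DAST_API_REQUEST_HEADERS"),
        "full_scan": full_scan,
    }


def leaked_legacy_vars(env):
    """Names of DAST_ variables present in env that the legacy path would read.

    Useful as a pre-flight check when both analyzers share one set of CI
    variables: any hit means the DAST configuration can influence DAST API.
    """
    return sorted(name for name in LEGACY_NAMES if name in env)


# Constructed scenario from the issue: DAST active scanning configured via
# global variables, DAST API added in passive mode with only its own headers.
SCENARIO_ENV = {
    "DAST_FULL_SCAN_ENABLED": "true",                               # global DAST setting
    "DAST_HOST_OVERRIDE": "staging.example.test",                   # constructed value
    "DAST_REQUEST_HEADERS": "Authorization: Bearer dast-token",     # constructed value
    "DAST_API_REQUEST_HEADERS": "Authorization: Bearer api-token",  # constructed value
}

if __name__ == "__main__":
    for legacy in (True, False):
        cfg = resolve_api_config(SCENARIO_ENV, accept_legacy_dast_vars=legacy)
        print(f"legacy DAST_ fallbacks {'on ' if legacy else 'off'}: {cfg}")
    print("DAST_ variables the legacy path would read:", leaked_legacy_vars(SCENARIO_ENV))
```

With the fallbacks on, the DAST API run inherits the host override and, more importantly, becomes an active scan purely because DAST_FULL_SCAN_ENABLED was set for DAST; with them off, the same environment yields a passive scan that uses only the DAST_API_ headers the user actually set for it.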