DAST and API Security both use DAST_API_OPENAPI environment variable

Problem 1

Both DAST and DAST API (api-security) read the environment variable DAST_API_OPENAPI. When both templates are included in the same pipeline and the variable is set globally, each job picks it up, so the two scanners can interfere with one another.

Example customer issue: https://gitlab.slack.com/archives/CKWJP0ZS7/p1658783175237079

Example of a configuration that no longer works, but is how we tell customers to configure things:

include:
  - template: DAST.gitlab-ci.yml
  - template: DAST-API.gitlab-ci.yml

stages:          # List of stages for jobs, and their order of execution
  - dast

variables:
  DAST_API_OPENAPI: https://myserver.com/api-docs
  DAST_API_TARGET_URL: https://myserver.com

  DAST_WEBSITE: https://myserver.com
  DAST_BROWSER_SCAN: "true"
  DAST_BROWSER_LOG: "brows:debug,auth:debug"
  DAST_BROWSER_NUMBER_OF_BROWSERS: "3"

Problem 2

DAST previously supported DAST_API_SPECIFICATION, but it was deprecated and subsequently removed in %15.0. The CI template still relies on DAST_API_SPECIFICATION, while the DAST container now reads DAST_API_OPENAPI. This means that both DAST_API_SPECIFICATION and DAST_API_OPENAPI must be set to run an API scan with DAST.

Possible Solutions

Option 1 -- Revert back to DAST_API_SPECIFICATION

Pros:

  • Keeps variable separation between DAST API and DAST
  • Allows both DAST and DAST API to be configured through global variables
  • Don't need to change how users are currently using DAST API
  • DAST_API_OPENAPI doesn't work with DAST yet due to lack of support in CI template, so minimal to no impact on DAST users

Cons:

  • ??

Reverting back to DAST_API_SPECIFICATION for DAST would entail the following work items:

  1. Update the DAST documentation, replacing DAST_API_OPENAPI with DAST_API_SPECIFICATION
  2. Update DAST container to revert back to using DAST_API_SPECIFICATION over DAST_API_OPENAPI

Option 2 -- Use DAST_API_OPENAPI in DAST

Pros:

  • ??

Cons:

  • Increase in customer issues because global configuration will no longer work
  • Requires changes to DAST API documentation
  • Global variable configuration no longer possible
  • Requires a change to DAST CI template

Using DAST_API_OPENAPI in DAST would entail the following work items:

  1. DAST -- Update CI template to use DAST_API_OPENAPI instead of DAST_API_SPECIFICATION
  2. DAST -- Update documentation to only show configuration through a dast job definition with variables section
  3. DAST -- Add troubleshooting section to address dast + dast_api issues
  4. DAST -- Update all demo/example projects to use a dast job with variables section
  5. DAST API -- Update documentation to only show configuration through a dast_api job definition with variables section
  6. DAST API -- Add troubleshooting section to address dast + dast_api issues
  7. DAST API -- Update all demos/examples to use a dast_api job with variables section
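As an added example (not from this issue or from the GitLab templates) of the job-scoped configuration that Option 2's documentation changes would describe: the same two scans as the customer configuration above, with every variable moved under the job that consumes it. Job-level variables take precedence over global ones in GitLab CI, and a variable defined only on dast_api is not visible to dast, so DAST_API_OPENAPI no longer reaches the browser scan. The URLs are the placeholders from the issue; the job names dast and dast_api are the ones the two templates define. No DAST_API_SPECIFICATION is set because the dast job here runs a browser scan, not an API scan.

```yaml
include:
  - template: DAST.gitlab-ci.yml
  - template: DAST-API.gitlab-ci.yml

stages:          # List of stages for jobs, and their order of execution
  - dast

# No top-level `variables:` block: nothing DAST- or DAST API-specific is
# global, so neither job sees the other's settings.

# Browser-based DAST scan of the site. Only the dast job sees these values.
dast:
  variables:
    DAST_WEBSITE: https://myserver.com
    DAST_BROWSER_SCAN: "true"
    DAST_BROWSER_LOG: "brows:debug,auth:debug"
    DAST_BROWSER_NUMBER_OF_BROWSERS: "3"

# API scan driven by the OpenAPI document. Only the dast_api job sees
# DAST_API_OPENAPI, so the dast job above cannot pick it up.
dast_api:
  variables:
    DAST_API_OPENAPI: https://myserver.com/api-docs   # placeholder URL from the issue
    DAST_API_TARGET_URL: https://myserver.com
```

Before adopting this shape, check the job definition in each template for keys the job-level override would shadow; overriding a job in the main file replaces the same keys from the included template for that job.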
Edited by Michael Eddington