Add the scanned resources to the DAST Security Reports

Blocked by #37123 (closed)

Problem to solve

We currently don't provide coverage data for our Security scans. Users can't assess which components of their application have been scanned and which have not.

Further details

The security reports currently provide information about which resources are vulnerable, but they don't allow validating that a given resource has been scanned and that no known vulnerabilities were found for it.

Proposal

As this information is specific to a given execution of an analyzer, it belongs in the new scan object:

{
  "scan": {
    "scanned_resources": []
  }
}

This allows keeping this information contextual when aggregating multiple reports of the same type at the end of the pipeline.

This property would be an array of resources. A resource would be a typed object so that the different kinds of report can be covered, e.g.

{
  "method": "GET",
  "type": "url",
  "value": "https://foo.com/bar"
}

or

{
  "type": "file",
  "value": "foo/bar.rb"
}

We have to consider how to represent the different types of resources for all our report types: SAST, Dependency Scanning, Container Scanning, DAST.
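The following is an added example, not code from the original issue or from GitLab: it shows how the scanned_resources array makes coverage computable when several reports of the same type are aggregated at the end of a pipeline. The two reports are constructed inline; the top-level "vulnerabilities" array and the shape of its "location" objects are assumptions for this example, not the report schema. Resources are keyed on (type, method, value) so that GET and POST on the same URL count as distinct resources, and vulnerable resources that never appear in scanned_resources are flagged as unaccounted, because a report that claims a finding on a resource it never declared as scanned is internally inconsistent.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample reports (not real analyzer output). Each follows the
# proposal: a top-level "scan" object carrying "scanned_resources", plus a
# "vulnerabilities" array whose "location" is assumed to be a resource object.
REPORT_A = json.dumps({
    "scan": {"scanned_resources": [
        {"type": "url", "method": "GET", "value": "https://foo.com/"},
        {"type": "url", "method": "GET", "value": "https://foo.com/bar"},
        {"type": "url", "method": "POST", "value": "https://foo.com/login"},
    ]},
    "vulnerabilities": [
        {"id": "v1", "location": {"type": "url", "method": "POST",
                                  "value": "https://foo.com/login"}},
    ],
})
REPORT_B = json.dumps({
    "scan": {"scanned_resources": [
        {"type": "url", "method": "GET", "value": "https://foo.com/bar"},
        {"type": "url", "method": "GET", "value": "https://foo.com/admin"},
    ]},
    "vulnerabilities": [
        # Reported as vulnerable but never listed as scanned: inconsistent.
        {"id": "v2", "location": {"type": "url", "method": "GET",
                                  "value": "https://foo.com/search"}},
    ],
})

Key = Tuple[str, str, str]


def resource_key(res: dict) -> Key:
    # "method" only exists for url-type resources; file resources get "".
    return (res["type"], res.get("method", ""), res["value"])


def aggregate(reports: Iterable[str]) -> Dict[str, List[dict]]:
    """Merge reports of one type and classify every resource seen."""
    scanned: Dict[Key, dict] = {}
    vulnerable: Dict[Key, dict] = {}
    for raw in reports:
        report = json.loads(raw)
        for res in report.get("scan", {}).get("scanned_resources", []):
            scanned.setdefault(resource_key(res), res)
        for vuln in report.get("vulnerabilities", []):
            loc = vuln["location"]
            vulnerable.setdefault(resource_key(loc), loc)
    return {
        # scanned, and no report found anything on it
        "clean": [r for k, r in scanned.items() if k not in vulnerable],
        # scanned, with at least one finding
        "vulnerable": [r for k, r in scanned.items() if k in vulnerable],
        # finding on a resource no report declared as scanned
        "unaccounted": [r for k, r in vulnerable.items() if k not in scanned],
    }


def coverage_summary(reports: Iterable[str]) -> Dict[str, List[str]]:
    """Sorted 'METHOD value' strings per category, for display or assertions."""
    def label(res: dict) -> str:
        return f"{res.get('method', '')} {res['value']}".strip()
    return {cat: sorted(label(r) for r in items)
            for cat, items in aggregate(reports).items()}


if __name__ == "__main__":
    for category, resources in coverage_summary([REPORT_A, REPORT_B]).items():
        print(f"{category}:")
        for r in resources:
            print(f"  {r}")
```

The "clean" list is the information the issue asks for: resources that were scanned and for which no known vulnerability was found. The "unaccounted" list is the consistency check a reviewer would want when aggregating reports, since without scanned_resources it cannot be detected at all.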
