Pre scan verification mode for API Security
The On Demand API Scan feature allows running DAST API scans directly from the GitLab UX. When performing such a scan, a user creates a site profile with a number of configuration options, including authentication, the API specification document, and the target URL. To improve the user experience, a new site validation feature is being added. This will allow users to quickly check whether their configuration works without running a scan.
To support this work, API Security needs the ability to perform a verification process and report back success or failure to an internal API.
Proposal
Add a new mode of operation to API Security, site profile verification. This mode of operation will validate the following:
- Connection - API Security is able to connect to the provided target URL
- Authentication - API Security is able to authenticate to the provided target URL
- Crawling - API Security is able to load the API specification and call 3 operations
One method for performing this validation is to add a new mode of operation in which API Security will only perform a record phase, but exit record after N operations have been recorded.
Additionally, it must be possible to map errors encountered back to the three validation checks being performed.
Requirements
- Support both DAST API and API Fuzzing modes of operation.
  - Perform just the record phase with exit after N operations.
  - Do not generate a security report.
- Identify if connection errors have occurred.
- Identify if authentication errors have occurred.
  - Status code of operations indicates an authentication issue.
  - Overrides script fails in some way.
- Identify if crawling errors have occurred.
  - Unable to load API specification.
    - For URLs, non-success status code.
    - For files, file not found.
    - API specification failed validation (in relaxed mode for OpenAPI).
  - No operations identified.
- Map errors back to one of: Connection, Authentication, or Crawling.
  - On error, include an actionable error message.
- Submit validation results to new internal API (TBD).
  - The format of the API call is being discussed in #366456.
- A new template Security/DAST-Prescan-Validation-API-Scan.yml. This template will run DAST API in the site profile validation mode.
  - The job name is validation.
  - The stage name is dast.
  - Same artifact collection rules as the DAST API template.
  - No report to generate or submit.
  - No rules are needed.
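An added sketch of the verification mode from the Proposal and the error mapping from the Requirements above. This is illustrative code written for this page, not GitLab's API Security implementation; the `send` callable (standing in for the HTTP client), the `load_spec`/`verify_site_profile` functions and the simplified `{"paths": {path: {method: {...}}}}` specification shape are all assumptions, and the record phase stops after the first three operations.

```python
import json
from enum import Enum

class Check(Enum):
    CONNECTION = "Connection"
    AUTHENTICATION = "Authentication"
    CRAWLING = "Crawling"

class VerificationError(Exception):
    """Failure mapped to one validation check, carrying an actionable message."""
    def __init__(self, check, message):
        super().__init__(message)
        self.check = check

def load_spec(location, send):
    """Load an OpenAPI document (JSON) from a URL via ``send`` or from a local file."""
    if location.startswith(("http://", "https://")):
        try:
            status, body = send("GET", location)
        except ConnectionError as exc:
            raise VerificationError(Check.CRAWLING, f"Unable to fetch specification {location}: {exc}.")
        if not 200 <= status < 300:  # non-success status code for a URL specification
            raise VerificationError(Check.CRAWLING, f"Specification URL {location} returned HTTP {status}.")
    else:
        try:
            with open(location, encoding="utf-8") as fh:
                body = fh.read()
        except FileNotFoundError:  # file specification not found
            raise VerificationError(Check.CRAWLING, f"Specification file {location} not found; check the path.")
    return json.loads(body)

def verify_site_profile(target_url, spec, send, max_operations=3):
    """Record phase only: call at most ``max_operations`` operations from ``spec``.
    ``send(method, url)`` (assumed) returns (status_code, body) or raises ConnectionError."""
    operations = [(m.upper(), p) for p, ops in spec.get("paths", {}).items() for m in ops]
    if not operations:
        raise VerificationError(Check.CRAWLING, "No operations found in the API specification.")
    recorded = []
    for method, path in operations[:max_operations]:
        url = target_url.rstrip("/") + path
        try:
            status, _ = send(method, url)
        except ConnectionError as exc:
            raise VerificationError(Check.CONNECTION, f"Unable to connect to {url}: {exc}.")
        if status in (401, 403):  # status code indicating an authentication issue
            raise VerificationError(Check.AUTHENTICATION, f"{method} {url} returned {status}; check credentials.")
        recorded.append((method, url, status))
    return recorded
```

The caller (the CI job, in the proposed template) would report `err.check.value` and the message to the internal API on failure, or success when `verify_site_profile` returns.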