Move DAST owasp ZAP scanner image to Free/Premium
Proposal
Allow GitLab Free/Premium edition users to use the image
registry.gitlab.com/gitlab-org/security-products/dast
in their CI,
by removing the check in the script https://gitlab.com/gitlab-org/security-products/dast/-/blob/main/analyze#L9
Context
Here is the result if we use the image in our GitLab Premium instance without any changes; it seems to work, blocking non-Ultimate users:
I copy the check code here:
# Skip the check when GITLAB_FEATURES is unset or empty; otherwise require "dast" in the list.
if [ -n "$GITLAB_FEATURES" ] && [[ "$GITLAB_FEATURES" != *"dast"* ]]; then
    echo "Error: Your GitLab project is not licensed for DAST."
    exit 1
fi
From my point of view, this control is NOT well designed and even adds more trouble for users who want to use it on a non-Ultimate instance:
- The image is based on the open source solution OWASP ZAP, and the GitLab DAST project is also open source; everyone can fork and modify the code to remove the control from the script and build a new image to use without GitLab Ultimate.
- This image can be used in a non-GitLab environment, because there is no predefined GITLAB_FEATURES ENV there. But we can not use it in GitLab; what is the logic?
- The check is not enough. It's even a buggy check. Everyone can overwrite GITLAB_FEATURES in .gitlab-ci.yml with export GITLAB_FEATURES= to bypass the check, or export GITLAB_FEATURES=$GITLAB_FEATURES:dast_for_free
- Users can overwrite the script totally in .gitlab-ci.yml to bypass the control.
- It's not possible from your side to limit just Ultimate users to using a customized OWASP ZAP image, because GitLab CI can support any customized DAST image to run the test and generate the report.
- From the GitLab side, you could only control this on the server side, e.g. disable the report integration feature for non-Ultimate subscriptions.
I have shown you several ways to bypass the check and the reason that the commercial model of this image is bad.
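To make the behaviour of the quoted check concrete, here is a small added example (not code from the gitlab-org/security-products/dast project) that models the tier check as a shell function and runs it against the three situations the list above describes: a feature list containing dast, a feature list without it, and the unset/empty value that a runner outside GitLab CI would have. The variable name GITLAB_FEATURES comes from the quoted script; the sample feature lists are constructed for illustration, and the pattern match is written with a POSIX case statement, which is the portable equivalent of the script's bash-only [[ ... != *"dast"* ]] test.

```shell
#!/bin/sh
# Added example, not the DAST project's own code. It models the quoted
# tier check so the decision it makes can be exercised for each input case.

# dast_check_allows FEATURES
# Returns 0 when the quoted check would let the scan proceed and 1 when it
# would print the licence error and exit, given FEATURES as the value of
# GITLAB_FEATURES. The only gate is: non-empty and lacking the substring "dast".
dast_check_allows() {
  if [ -n "$1" ]; then
    case "$1" in
      *dast*) return 0 ;;   # substring present: scan proceeds
      *)      return 1 ;;   # non-empty but no "dast": blocked
    esac
  fi
  return 0                  # unset or empty: the check is skipped entirely
}

# describe_check FEATURES
# Prints what the quoted script would do for a given value, for a manual run.
describe_check() {
  if dast_check_allows "$1"; then
    printf 'GITLAB_FEATURES="%s" -> scan runs\n' "$1"
  else
    printf 'GITLAB_FEATURES="%s" -> Error: Your GitLab project is not licensed for DAST.\n' "$1"
  fi
}

# Constructed sample values covering the cases discussed in the issue.
describe_check "sast,dast,secret_detection"   # licensed tier: runs
describe_check "sast,secret_detection"        # tier without dast: blocked
describe_check ""                             # no variable at all: runs
```

The third case is the one the issue is about: because the check is skipped whenever the variable is empty, it only ever constrains runners that happen to export a GitLab-provided feature list, which is why enforcement that matters has to live on the server side rather than in the image.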
Solution
I propose you do the same as for GitLab SAST: https://docs.gitlab.com/ee/user/application_security/sast/#summary-of-features-per-tier
The change is easy and fast: just remove the check from the script and communicate to users that the DAST scanner image has moved to Free/Premium.
Hey guys, Christmas is arriving; you could turn the "bug" into a gift.
regards