DAST Site Profile Validation Fails with Self-Signed Certificates

Summary

A US Federal customer reported that DAST site profile validation fails to call the coordinator when using self-signed certificates.

Steps to reproduce

  1. Use a self-signed certificate with the coordinator and Runner
  2. Add a site for site profile validation

Example Project

N/A

What is the current bug behavior?

The dast-runner-validation job fails on validate.sh#L21 when configuring self-signed certificates with GitLab.

What is the expected correct behavior?

The dast-site-validation job should be able to use self-signed certificates to contact the coordinator.

Relevant logs and/or screenshots

+ call_gitlab start
+ local url=https://<domain>/api/v4/internal/dast/site_validations/1/transition
+ curl --fail --request POST --data '{"event":"start"}' --header 'JOB-TOKEN: [MASKED]' https://<domain>/api/v4/internal/dast/site_validations/1/transition --header 'Content-Type: application/json'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

Possible fixes

We could use the -k flag to let curl run insecure, however, that disables certificate verification entirely and would accept any certificate presented by the endpoint.
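As an added example (not code from the issue or from GitLab's validate.sh), the sketch below shows the alternative to -k: keep verification on and pass the private CA explicitly with --cacert. The variable name DAST_CA_BUNDLE_PATH and the check_ca_bundle helper are assumptions for this example; in a real job the file would be populated from whatever mechanism the runner uses to supply a custom CA, and CI_JOB_TOKEN is the token the log above sends in the JOB-TOKEN header.

```shell
#!/bin/sh
# Added example: call the coordinator without disabling TLS verification.
# Assumption (not from the issue): DAST_CA_BUNDLE_PATH points to a PEM file
# holding the self-signed CA that issued the coordinator's certificate.

# Validate the CA bundle before handing it to curl. Returns non-zero (and
# prints a reason) when the file is unreadable or not PEM-encoded, so a
# misconfigured job fails loudly instead of falling back to -k.
check_ca_bundle() {
  bundle="$1"
  if [ ! -r "$bundle" ]; then
    echo "CA bundle not readable: $bundle" >&2
    return 1
  fi
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"; then
    echo "CA bundle is not PEM: $bundle" >&2
    return 1
  fi
  return 0
}

# Decide how curl should verify the coordinator: "cacert" when a private CA
# bundle is configured, "system" when the default trust store is enough.
# Never returns an "insecure" mode, so -k is never emitted.
tls_mode() {
  if [ -n "$1" ]; then
    check_ca_bundle "$1" || return 1
    echo cacert
  else
    echo system
  fi
}

# Equivalent of the call_gitlab step from the log, with --cacert added when
# DAST_CA_BUNDLE_PATH is set. Verification stays enabled in both branches.
call_gitlab() {
  event="$1"
  url="$2"
  mode=$(tls_mode "$DAST_CA_BUNDLE_PATH") || return 1
  if [ "$mode" = cacert ]; then
    set -- --cacert "$DAST_CA_BUNDLE_PATH"
  else
    set --
  fi
  curl --fail "$@" --request POST --data "{\"event\":\"$event\"}" \
    --header "JOB-TOKEN: $CI_JOB_TOKEN" \
    --header 'Content-Type: application/json' \
    "$url"
}
```

Usage in the job would be `DAST_CA_BUNDLE_PATH=/etc/ssl/certs/private-ca.pem call_gitlab start "$url"`; the curl: (60) error from the log then disappears because the issuer is found in the supplied bundle rather than being ignored.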