Use Project Environments as DAST Site Targets

Proposal

DAST should be able to use an Environment as a target for a scan.

Environments describe where code is deployed. The location where a site is deployed, its target, is one of the inputs to a DAST scan.

  1. Static Environments: DAST Site Profiles should be able to use the URL from an existing Environment
  2. Dynamic Environments: Typically used in the context of a "Review App", a temporary deployment to test the code for a given branch. In this case, a new DAST template can be provided to run a quicker passive scan on the new Environment.

Advantages

  1. Support for dynamic environments can help DAST become more shift-left, offering quicker vanilla scans earlier in the pipeline without much configuration.
  2. Environments already act as a source of truth for where code has been deployed; DAST should be able to use that existing configuration for better integration within GitLab.

Challenges

  1. Authentication credentials, if needed, would still need to be provided manually.

Proposed Changes

  1. DAST Site Profiles UI should support selecting the URL of an existing environment.
  2. DAST's CI configuration should accept an environment ID instead of a target URL.
  3. Offer a passive scan DAST template that runs against temporarily deployed dynamic environments/review apps.