Define friendly names for DAST site profile and scanner profile variables
Problem to solve
In some designs for issues in On-demand DAST Configuration Parity (&16057 - closed) like the design for #506039, we show CI/CD variables used to customize DAST scanning with user-friendly names, but we don't have names for all of them. In the documentation, they're listed by key (DAST_PASSIVE_SCAN_WORKER_COUNT, DAST_PKCS12_PASSWORD, etc.) and have type, example, and description fields.
Proposal
Define user-friendly names for these variables:
| Name? | Key | Type | Example | Description |
|---|---|---|---|---|
| Active scan timeout | DAST_ACTIVE_SCAN_TIMEOUT | Duration string | 3h | The maximum amount of time to wait for the active scan phase of the scan to complete. Defaults to 3h. |
| Active scan worker count | DAST_ACTIVE_SCAN_WORKER_COUNT | number | 3 | The number of active checks to run in parallel. Defaults to 3. |
| After-login actions | DAST_AUTH_AFTER_LOGIN_ACTIONS | string | click(on=id:remember-me),click(on=css:.continue) | A comma-separated list of actions to be run after login but before login verification. Currently supports click actions. |
| Before-login actions | DAST_AUTH_BEFORE_LOGIN_ACTIONS | selector | css:.user,id:show-login-form | A comma-separated list of selectors representing elements to click on prior to entering the DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD into the login form. |
| Clear input fields | DAST_AUTH_CLEAR_INPUT_FIELDS | boolean | true | Disables clearing of username and password fields before attempting manual login. Set to false by default. |
| Cookie names | DAST_AUTH_COOKIE_NAMES | string | sessionID,groupName | Set to a comma-separated list of cookie names to specify which cookies are used for authentication. |
| First submit field | DAST_AUTH_FIRST_SUBMIT_FIELD | selector | css:input[type=submit] | A selector describing the element that is clicked on to submit the username form of a multi-page login process. |
| Authentication delegation servers | DAST_AUTH_NEGOTIATE_DELEGATION | string | *.example.com,example.com,*.EXAMPLE.COM,EXAMPLE.COM | Which servers should be allowed for integrated authentication and delegation. This property sets two Chromium policies: AuthServerAllowlist and AuthNegotiateDelegateAllowlist. Introduced in GitLab 17.6. |
| Password field | DAST_AUTH_PASSWORD_FIELD | selector | name:password | A selector describing the element used to enter the password on the login form. |
| Password | DAST_AUTH_PASSWORD | string | P@55w0rd! | The password used to authenticate to the website. |
| Submit field | DAST_AUTH_SUBMIT_FIELD | selector | css:input[type=submit] | A selector describing the element clicked on to submit the login form for a single-page login form, or the password form for a multi-page login form. |
| Success URL | DAST_AUTH_SUCCESS_IF_AT_URL | URL | https://www.site.com/welcome | A URL that is compared to the URL in the browser to determine if authentication has succeeded after the login form is submitted. |
| Success element | DAST_AUTH_SUCCESS_IF_ELEMENT_FOUND | selector | css:.user-avatar | A selector describing an element whose presence is used to determine if authentication has succeeded after the login form is submitted. |
| Success without login form | DAST_AUTH_SUCCESS_IF_NO_LOGIN_FORM | boolean | true | Verifies successful authentication by checking for the absence of a login form after the login form has been submitted. This success check is enabled by default. |
| Authentication type | DAST_AUTH_TYPE | string | basic-digest | The authentication type to use. |
| Authentication URL | DAST_AUTH_URL | URL | https://www.site.com/login | The URL of the page containing the login form on the target website. DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD are submitted with the login form to create an authenticated scan. |
| Username | DAST_AUTH_USERNAME | string | user@email.com | The username used to authenticate to the website. |
| Username field | DAST_AUTH_USERNAME_FIELD | selector | name:username | A selector describing the element used to enter the username on the login form. |
| Extract element timeout | DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUT | Duration string | 5s | The maximum amount of time to allow the browser to extract newly found elements or navigations. Defaults to 5s. |
| Maximum action count | DAST_CRAWL_MAX_ACTIONS | number | 10000 | The maximum number of actions that the crawler performs. Example actions include selecting a link, or filling a form. Defaults to 10000. |
| Maximum action depth | DAST_CRAWL_MAX_DEPTH | number | 10 | The maximum number of chained actions that the crawler takes. For example, Click -> Form Fill -> Click is a depth of three. Defaults to 10. |
| Element search timeout | DAST_CRAWL_SEARCH_ELEMENT_TIMEOUT | Duration string | 3s | The maximum amount of time to allow the browser to search for new elements or user actions. Defaults to 3s. |
| Timeout | DAST_CRAWL_TIMEOUT | Duration string | 5m | The maximum amount of time to wait for the crawl phase of the scan to complete. Defaults to 24h. |
| Worker count | DAST_CRAWL_WORKER_COUNT | number | 3 | The maximum number of concurrent browser instances to use. For instance runners on GitLab.com, we recommend a maximum of three. Private runners with more resources may benefit from a higher number, but are likely to produce little benefit after five to seven instances. The default value is dynamic, equal to the number of usable logical CPUs. |
| DOM ready timeout | DAST_PAGE_DOM_READY_TIMEOUT | Duration string | 7s | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after a navigation completes. Defaults to 6s. |
| DOM stable timeout | DAST_PAGE_DOM_STABLE_WAIT | Duration string | 200ms | Define how long to wait for updates to the DOM before checking a page is stable. Defaults to 500ms. |
| Page ready timeout | DAST_PAGE_ELEMENT_READY_TIMEOUT | Duration string | 600ms | The maximum amount of time to wait for an element before determining it is ready for analysis. Defaults to 300ms. |
| Loading element | DAST_PAGE_IS_LOADING_ELEMENT | selector | css:#page-is-loading | A selector for an element that, when no longer visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_READY_ELEMENT. |
| Ready element | DAST_PAGE_IS_READY_ELEMENT | selector | css:#page-is-ready | A selector for an element that, when detected as visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_LOADING_ELEMENT. |
| Maximum response size (MB) | DAST_PAGE_MAX_RESPONSE_SIZE_MB | number | 15 | The maximum size of an HTTP response body. Responses with bodies larger than this are blocked by the browser. Defaults to 10 MB. |
| Page ready timeout (after action) | DAST_PAGE_READY_AFTER_ACTION_TIMEOUT | Duration string | 7s | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis. Defaults to 7s. |
| Page ready timeout (after navigation) | DAST_PAGE_READY_AFTER_NAVIGATION_TIMEOUT | Duration string | 15s | The maximum amount of time to wait for a browser to navigate from one page to another. Defaults to 15s. |
| Passive scan worker count | DAST_PASSIVE_SCAN_WORKER_COUNT | int | 5 | The number of workers that run passive checks in parallel. Defaults to the number of available CPUs. |
| PKCS12 certificate | DAST_PKCS12_CERTIFICATE_BASE64 | string | ZGZkZ2p5NGd... | The PKCS12 certificate used for sites that require Mutual TLS. Must be encoded as base64 text. |
| PKCS12 password | DAST_PKCS12_PASSWORD | string | password | The password of the certificate used in DAST_PKCS12_CERTIFICATE_BASE64. Create sensitive custom CI/CD variables using the GitLab UI. |
| Advertise scan | DAST_REQUEST_ADVERTISE_SCAN | boolean | true | Set to true to add a Via header to every request sent, advertising that the request was sent as part of a GitLab DAST scan. Default: false. |
| Request cookies | DAST_REQUEST_COOKIES | dictionary | abtesting_group:3,region:locked | A cookie name and value to be added to every request. |
| Request headers | DAST_REQUEST_HEADERS | string | Cache-control:no-cache | Set to a comma-separated list of request header names and values. |
| Allowed hosts | DAST_SCOPE_ALLOW_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are considered in scope when crawled. By default the DAST_TARGET_URL hostname is included in the allowed hosts list. Headers set using DAST_REQUEST_HEADERS are added to every request made to these hostnames. |
| Excluded elements | DAST_SCOPE_EXCLUDE_ELEMENTS | selector | a[href='2.html'],css:.no-follow | Comma-separated list of selectors that are ignored when scanning. |
| Excluded hosts | DAST_SCOPE_EXCLUDE_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are considered excluded and connections are forcibly dropped. |
| Excluded URLs | DAST_SCOPE_EXCLUDE_URLS | URLs | https://site.com/.*/sign-out | The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, .* matches an arbitrary character sequence. |
| Ignored hosts | DAST_SCOPE_IGNORE_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are accessed, not attacked, and not reported against. |
| Skip target check | DAST_TARGET_CHECK_SKIP | boolean | true | Set to true to prevent DAST from checking that the target is available before scanning. Default: false. |
| Target check timeout | DAST_TARGET_CHECK_TIMEOUT | number | 60 | Time limit in seconds to wait for target availability. Default: 60s. |
| Target paths file | DAST_TARGET_PATHS_FILE | string | /builds/project/urls.txt | Ensures that the provided paths are always scanned. Set to a file path containing a list of URL paths relative to DAST_TARGET_URL. The file must be plain text with one path per line. |
| Target paths | DAST_TARGET_PATHS | string | /page1.html,/category1/page3.html | Ensures that the provided paths are always scanned. Set to a comma-separated list of URL paths relative to DAST_TARGET_URL. |
| Target URL | DAST_TARGET_URL | URL | https://site.com | The URL of the website to scan. |
| Use cache | DAST_USE_CACHE | boolean | true | Set to false to disable caching. Default: true. Note: Disabling cache can cause OOM events or DAST job timeouts. |
| Generate authentication report | DAST_AUTH_REPORT | boolean | true | Set to true to generate a report detailing steps taken during the authentication process. You must also define gl-dast-debug-auth-report.html as a CI job artifact to be able to access the generated report. The report's content aids when debugging authentication failures. Defaults to false. |
| Excluded checks | DAST_CHECKS_TO_EXCLUDE | string | 552.2,78.1 | Comma-separated list of check identifiers to exclude from the scan. For identifiers, see vulnerability checks. |
| Included checks | DAST_CHECKS_TO_RUN | List of strings | 16.1,16.2,16.3 | Comma-separated list of check identifiers to use for the scan. For identifiers, see vulnerability checks. |
| Generate graph | DAST_CRAWL_GRAPH | boolean | true | Set to true to generate an SVG graph of navigation paths visited during the crawl phase of the scan. You must also define gl-dast-crawl-graph.svg as a CI job artifact to be able to access the generated graph. Defaults to false. |
| Full scan | DAST_FULL_SCAN | boolean | true | Set to true to run both passive and active checks. Default is false. |
| Log browser output | DAST_LOG_BROWSER_OUTPUT | boolean | true | Set to true to log Chromium STDOUT and STDERR. |
| Log levels | DAST_LOG_CONFIG | List of strings | brows:debug,auth:debug | A list of modules and their intended logging level for use in the console log. |
| Log messages | DAST_LOG_DEVTOOLS_CONFIG | string | Default:messageAndBody,truncate:2000 | Set to log protocol messages between DAST and the Chromium browser. |
| Log file levels | DAST_LOG_FILE_CONFIG | List of strings | brows:debug,auth:debug | A list of modules and their intended logging level for use in the file log. |
| Log file path | DAST_LOG_FILE_PATH | string | /output/browserker.log | Set to the path of the file log. Default is gl-dast-scan.log. |
| Docker registry | SECURE_ANALYZERS_PREFIX | URL | registry.organization.com | Set the Docker registry base address from which to download the analyzer. |
... somewhere that we can use them in vue files in ee/app/assets/javascripts/security_configuration/dast_profiles/.
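As an added illustration (not part of this issue or of GitLab's own templates), a `.gitlab-ci.yml` DAST job that combines several of the variables above into one authenticated scan. It assumes the standard `DAST.gitlab-ci.yml` template, a staging host `staging.example.com` used as a placeholder, and that `DAST_AUTH_PASSWORD` is defined as a masked CI/CD variable in the project settings rather than in the file.

```yaml
include:
  - template: DAST.gitlab-ci.yml   # provides the `dast` job

dast:
  variables:
    # Target and scope (placeholder hostnames)
    DAST_TARGET_URL: "https://staging.example.com"
    DAST_SCOPE_ALLOW_HOSTS: "staging.example.com,api.staging.example.com"
    # Keep the crawler away from sign-out so the authenticated session is
    # not destroyed mid-scan; regular expression syntax, as in the table.
    DAST_SCOPE_EXCLUDE_URLS: "https://staging.example.com/.*/sign-out"

    # Authentication for a single-page login form.
    # DAST_AUTH_PASSWORD is intentionally absent: set it as a masked
    # CI/CD variable in the UI, as the table advises for sensitive values.
    DAST_AUTH_URL: "https://staging.example.com/login"
    DAST_AUTH_USERNAME: "dast-user@example.com"
    DAST_AUTH_USERNAME_FIELD: "name:username"
    DAST_AUTH_PASSWORD_FIELD: "name:password"
    DAST_AUTH_SUBMIT_FIELD: "css:input[type=submit]"
    # Verify login with an explicit success element instead of relying
    # only on the default "no login form" check.
    DAST_AUTH_SUCCESS_IF_ELEMENT_FOUND: "css:.user-avatar"
    DAST_AUTH_REPORT: "true"      # writes gl-dast-debug-auth-report.html

    # Crawl and active-scan limits
    DAST_FULL_SCAN: "true"         # passive and active checks
    DAST_CRAWL_TIMEOUT: "30m"
    DAST_ACTIVE_SCAN_TIMEOUT: "2h"
    DAST_CRAWL_WORKER_COUNT: "3"   # recommended maximum on GitLab.com runners
    DAST_CRAWL_GRAPH: "true"       # writes gl-dast-crawl-graph.svg
    # Tag every request with a Via header so the target's logs show the scan.
    DAST_REQUEST_ADVERTISE_SCAN: "true"
  artifacts:
    paths:
      - gl-dast-debug-auth-report.html
      - gl-dast-crawl-graph.svg
    reports:
      dast: gl-dast-report.json
```

The auth report and crawl graph are only retrievable because they are listed under `artifacts.paths`, which is the step the table calls out for both DAST_AUTH_REPORT and DAST_CRAWL_GRAPH.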
Edited by Miranda Fluharty