Don't fork zaproxy
Description
Starting from GitLab %10.6, DAST relies on a Docker image that diverges from zap2docker-stable in order to support user authentication, as described in #4504 (closed). It works, but our contributions to zaproxy are likely to be rejected, mostly because they introduce many runtime dependencies. Over time the cost of maintaining our fork of zaproxy may become too high.
Proposal
- create a new project that only covers user authentication
- make this new project/command pass cookies to `zap-baseline.py`
- add command line options to `zap-baseline.py` in order to set the cookies
- submit a pull request to zaproxy for this enhancement of `zap-baseline.py`
- update DAST documentation to match these changes
- deprecate our fork of zaproxy but keep it for backward compatibility
Warning! We've got to keep our Docker image zaproxy because it's used in the Auto DevOps template in %10.6.