Site Profiles for API Security scans should support APISEC_* variables
Proposal
Site Profiles provide users the ability to configure DAST and API Security scans outside of the traditional pipeline-based approach, and are a critical component of running security scans at scale via policy implementations. Recently, GitLab added support for "additional variables" to the Site Profile configuration form, which provides even more flexibility to security professionals configuring scans in this manner.
Unfortunately, those additional variables are only related to DAST web application scanning. GitLab's API Security scanner uses a completely different set of variables for its configuration, typically prefixed with APISEC_, and none of those variables are available in Site Profiles.
This creates two problems:
- Users configuring Site Profiles for API Security scans will be presented with a list of `DAST_*` variables that are irrelevant to their use case.
- Site Profiles for API Security can only be configured for limited use cases. For example, the `APISEC_OVERRIDES_*` variables provide robust support for customizing scan behavior, including complex authentication workflows, and none of this is possible if those variables can't be set.
My proposal would be to add support for the APISEC_* variable set to the Site Profile configuration form. From a UX perspective, it would be particularly helpful if the "Additional variables" section only showed DAST_* variables when "Site type" is set to "Website," and only showed APISEC_* variables when "Site type" is set to "API".
Technical proposal
- Add the following variables to the DAST variables single source of truth in their own category called `apisec` (like `site` and `scanner`). Each one will need a type, example, name, and description:
APISEC_DISABLED
APISEC_DISABLED_FOR_DEFAULT_BRANCH
APISEC_VERSION
APISEC_IMAGE_SUFFIX
APISEC_API_PORT
APISEC_TARGET_URL
APISEC_TARGET_CHECK_SKIP
APISEC_TARGET_CHECK_STATUS_CODE
APISEC_CONFIG
APISEC_PROFILE
APISEC_EXCLUDE_PATHS
APISEC_EXCLUDE_URLS
APISEC_EXCLUDE_PARAMETER_ENV
APISEC_EXCLUDE_PARAMETER_FILE
APISEC_REQUEST_HEADERS
APISEC_REQUEST_HEADERS_BASE64
APISEC_OPENAPI
APISEC_OPENAPI_RELAXED_VALIDATION
APISEC_OPENAPI_ALL_MEDIA_TYPES
APISEC_OPENAPI_MEDIA_TYPES
APISEC_HAR
APISEC_GRAPHQL
APISEC_GRAPHQL_SCHEMA
APISEC_POSTMAN_COLLECTION
APISEC_POSTMAN_COLLECTION_VARIABLES
APISEC_OVERRIDES_FILE
APISEC_OVERRIDES_ENV
APISEC_OVERRIDES_CMD
APISEC_OVERRIDES_CMD_VERBOSE
APISEC_PER_REQUEST_SCRIPT
APISEC_PRE_SCRIPT
APISEC_POST_SCRIPT
APISEC_OVERRIDES_INTERVAL
APISEC_HTTP_USERNAME
APISEC_HTTP_PASSWORD
APISEC_HTTP_PASSWORD_BASE64
APISEC_SERVICE_START_TIMEOUT
APISEC_TIMEOUT
APISEC_SUCCESS_STATUS_CODES
as well as any other variables from https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/application_security/api_security_testing/configuration/variables.md that start with `APISEC_`
- Pass the `apisec` variables to the frontend along with the other variables, but don't include them in the DAST variables documentation
- When editing a site profile, if the `Site type` is set to `Website`, then show the `Additional variables` as they are now
- When editing a site profile, if the `Site type` is set to `API`, then show the `apisec` variables instead
- Verify that when a site profile is saved with any of these variables as `Additional variables` and then used in a scan, the variable values are correctly passed to the scanner
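One way the site-type gating and the save-then-scan pass-through check from the technical proposal could look, as an added Ruby example that is not GitLab's code; the helper names, the `type` values, the descriptions and the placeholder `DAST_` entry are assumptions.

```ruby
require 'base64'
# Added example, not GitLab's code: models the proposed "apisec" category and
# gates a site profile's additional variables by site type. Helper names and
# the "type" values are assumptions; descriptions are constructed.
APISEC_VARIABLES = [
  { name: 'APISEC_TARGET_URL', type: 'url', example: 'https://api.example.test',
    description: 'Base URL of the API under test' },
  { name: 'APISEC_HTTP_PASSWORD_BASE64', type: 'base64', example: 'c2VjcmV0',
    description: 'Base64-encoded HTTP basic auth password' },
  { name: 'APISEC_TIMEOUT', type: 'number', example: '300',
    description: 'Per-test timeout in seconds' }
].freeze
# Stand-in for the existing DAST categories; the variable name is a placeholder.
DAST_VARIABLES = [
  { name: 'DAST_EXAMPLE_PLACEHOLDER', type: 'string', example: 'v', description: 'placeholder' }
].freeze

# UX rule from the proposal: Website profiles get DAST_* variables, API profiles get apisec ones.
def variables_for_site_type(site_type)
  { 'website' => DAST_VARIABLES, 'api' => APISEC_VARIABLES }.fetch(site_type)
end

def valid_for_type?(definition, value)
  case definition[:type]
  when 'number' then value.to_s.match?(/\A\d+\z/)
  when 'url'    then value.to_s.match?(%r{\Ahttps?://\S+\z})
  when 'base64' then Base64.strict_decode64(value.to_s) && true
  else true
  end
rescue ArgumentError
  false
end

# Check a saved profile's additional variables against its site type and build the
# scanner job environment; wrong-category names and malformed values are reported.
def scanner_environment(site_type, additional_variables)
  allowed = variables_for_site_type(site_type).to_h { |v| [v[:name], v] }
  env, errors = {}, []
  additional_variables.each do |name, value|
    definition = allowed[name]
    if definition.nil?
      errors << "#{name} is not allowed for site type '#{site_type}'"
    elsif !valid_for_type?(definition, value)
      errors << "#{name} is not a valid #{definition[:type]}"
    else
      env[name] = value.to_s
    end
  end
  { env: env, errors: errors }
end
```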