Custom ZAP configuration file support

Problem to solve

GitLab DAST relies on ZAProxy, which is a great tool.

Unfortunately, it can take a very long time to complete on large websites, since many predefined tests are enabled.

The outcome could be that users completely disable DAST for their apps to avoid endless waits for green pipelines. This is absolutely something we want to avoid.

Further details

See gitlab-com/www-gitlab-com#3413; this is happening to us too!

Proposal

Allow people to customize the ZAProxy behavior by fine-tuning its configuration through a file in the repository.

If the file is not present, DAST will use our best-practice default values.

If the file is present, it will be used instead.

What does success look like, and how can we measure that?

The number of projects with a custom configuration for DAST.
