DAST_AUTH_EXCLUDE_URLS appears to be a required parameter but should be optional when running a DAST scan?
Per the documentation at https://docs.gitlab.com/ee/user/application_security/dast/, the code block suggests that DAST_AUTH_EXCLUDE_URLS is optional:
DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
However, when I configured my yml file without any value for DAST_AUTH_EXCLUDE_URLS, the DAST job fails with the following error:
ZAP Full Scan started
usage: zap-full-scan.py [-h] [--auth-first-page AUTH_FIRST_PAGE]
[--auth-url AUTH_URL] [--auth-username AUTH_USERNAME]
[--auth-password AUTH_PASSWORD]
[--auth-username-field AUTH_USERNAME_FIELD]
[--auth-password-field AUTH_PASSWORD_FIELD]
[--auth-first-submit-field AUTH_FIRST_SUBMIT_FIELD]
[--auth-submit-field AUTH_SUBMIT_FIELD]
[--auth-exclude-urls AUTH_EXCLUDE_URLS]
zap-full-scan.py: error: argument --auth-exclude-urls: expected one argument
cp: cannot stat '/zap/wrk/gl-dast-report.json': No such file or directory
+ exit 0
+ set -eo pipefail
I am using gitlab.com and my yml looks like:
stages:
  - dast
include:
  template: DAST.gitlab-ci.yml
variables:
  DOCKER_DRIVER: overlay2
  DAST_WEBSITE: http://example.com/
  DAST_AUTH_URL: http://example.com/login.html
  DAST_USERNAME: username
  DAST_PASSWORD: password
  DAST_USERNAME_FIELD: user_login
  DAST_PASSWORD_FIELD: user_password
  DAST_FULL_SCAN_ENABLED: "true"
  CI_DEBUG_TRACE: "true"
Edited by Sam Kerr
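One way to keep an empty DAST_AUTH_EXCLUDE_URLS from producing the "expected one argument" error, as an added example rather than the GitLab DAST template's own script: a POSIX sh helper that appends an optional zap-full-scan.py flag only when its variable is non-empty. It assumes the template passes the variable unquoted, so an empty value expands to nothing and leaves a bare --auth-exclude-urls on the command line; the sample values are constructed from the configuration above.

```shell
#!/bin/sh
# Added example (not the GitLab DAST template's own script).
# Assumption: the template passes DAST_AUTH_EXCLUDE_URLS unquoted, so an empty
# value expands to nothing and zap-full-scan.py sees a bare --auth-exclude-urls,
# which argparse reports as "expected one argument".

# Build the argument list for zap-full-scan.py, appending each "--flag value"
# pair only when the value is non-empty; prints the space-joined list.
# $1 = DAST_AUTH_URL, $2 = DAST_USERNAME, $3 = DAST_AUTH_EXCLUDE_URLS
build_zap_args() {
  auth_url=$1
  auth_user=$2
  exclude_urls=$3
  set --
  if [ -n "$auth_url" ]; then
    set -- "$@" --auth-url "$auth_url"
  fi
  if [ -n "$auth_user" ]; then
    set -- "$@" --auth-username "$auth_user"
  fi
  # The optional flag is emitted only together with its argument.
  if [ -n "$exclude_urls" ]; then
    set -- "$@" --auth-exclude-urls "$exclude_urls"
  fi
  printf '%s\n' "$*"
}

# Sanity check on an argument string before launching the scan:
# returns 0 when --auth-exclude-urls is followed by a value, 1 when the flag
# is absent, 2 when it is present but dangling (the failure in the job log).
check_exclude_flag() {
  case " $1 " in
    *" --auth-exclude-urls "[!-]*) return 0 ;;
    *" --auth-exclude-urls "*)      return 2 ;;
    *)                              return 1 ;;
  esac
}

# Constructed sample values matching the configuration in the issue; with an
# empty third argument the exclude flag is simply left out.
build_zap_args "http://example.com/login.html" "username" ""
build_zap_args "http://example.com/login.html" "username" \
  "http://example.com/sign-out,http://example.com/sign-out-2"
```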