Make DAST configurable for speed, coverage, and other use cases
Problem to solve
Our DAST feature is based on ZAProxy, and in particular on zap-baseline, a CLI wrapper that makes ZAP easy to drive. One concern customers have raised is that zap-baseline's spidering is time based: it spiders for URLs for one minute and then scans only the URLs it found. This keeps the scan efficient and, for our purposes, keeps a DAST scan from holding up a Merge Request pipeline, but it also means that in some cases only a fraction of an application's surface area is tested. Overriding this time limit is possible by passing a specific parameter to zap-baseline.
However, with our recommended vendored template it is currently impossible to pass parameters to zap-baseline that would adjust this and other variables.
Users can always use a manual job definition, but that goes against the recommendation.
DAST users (Developers like Sasha) who want to customize the behavior of the DAST scan compared to what GitLab provides by default.
By default, zap-baseline spiders for 1 minute. This parameter can't be set when using the template.
Edit (Dennis): Also other useful parameters cannot be passed to ZAP using the template, such as `-j` for instructing ZAP to use the AJAX spider. Full list of params is here: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan
We should evaluate if we want to expose:
- all params at once (ex:
- Allow this configuration for both full scan AND passive scan
- all params one by one (https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan#usage)
- only the number of minutes to spider (ex:
We currently don't document that spidering stops after 1 minute (/cc @axil). This can be very confusing for users: the job completes successfully, but the results are incomplete, with no indication that URLs were missed.
We should document how to change the spider time limit once we decide how we expose it. Note that a Full Scan doesn't have this limit, but it performs active scanning rather than the passive scanning that zap-baseline does.
What does success look like, and how can we measure that?
Users can specify the spider time limit.
What is the type of buyer?
Links / references
- Add support for environment variables mentioned in #12652 (comment 218599698) here https://gitlab.com/gitlab-org/security-products/dast/blob/master/src/configuration.py#L79
- Add tests for these variables in test-basic.sh in dast: https://gitlab.com/gitlab-org/security-products/dast/test
- Add these variables here https://gitlab.com/gitlab-org/gitlab/blob/master/lib%2Fgitlab%2Fci%2Ftemplates%2FSecurity%2FDAST.gitlab-ci.yml#L18
- Add the variables to docs: https://docs.gitlab.com/ee/user/application_security/dast/index.html#available-variables
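To make the two design options above concrete (exposing individual settings as dedicated variables versus passing all zap-baseline params at once), here is an added example of how a CI-variable-to-argument mapping could look. This is illustration written for this issue, not the code in the dast project's configuration.py or the template, and the variable names DAST_SPIDER_MINS, DAST_USE_AJAX_SPIDER and DAST_ZAP_BASELINE_OPTS are assumed names. The zap-baseline flags it uses (-t, -m, -j, -a, -d, -T) are documented in the ZAP-Baseline-Scan wiki page linked above. The security-relevant point is that every value comes from a pipeline author, so the mapping validates each one, builds an argv list instead of a shell string, and only forwards allowlisted flags, so that the pass-through variable cannot retarget the scan or smuggle in arbitrary options.

```python
"""Illustrative mapping from CI variables to zap-baseline arguments.

Added example for this issue; NOT the code in
security-products/dast/src/configuration.py. The variable names below
are assumptions chosen for the illustration.
"""
import shlex
from typing import Dict, List, Mapping

TARGET_VAR = "DAST_WEBSITE"                 # assumed name of the target variable
SPIDER_MINS_VAR = "DAST_SPIDER_MINS"        # assumed; maps to zap-baseline -m
AJAX_SPIDER_VAR = "DAST_USE_AJAX_SPIDER"    # assumed; maps to zap-baseline -j
PASSTHROUGH_VAR = "DAST_ZAP_BASELINE_OPTS"  # assumed; the "all params at once" option

# zap-baseline flags a pipeline author may pass through, and whether each takes a value.
# -t is deliberately absent: the target must come only from TARGET_VAR.
ALLOWED_FLAGS: Dict[str, bool] = {
    "-m": True,   # minutes to spider
    "-j": False,  # use the AJAX spider
    "-a": False,  # include alpha passive scan rules
    "-d": False,  # debug output
    "-T": True,   # max time in minutes for the whole scan
}


def parse_bool(value: str) -> bool:
    """Accept the usual CI spellings of true/false; reject anything else."""
    v = value.strip().lower()
    if v in ("true", "1", "yes"):
        return True
    if v in ("false", "0", "no", ""):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_positive_int(value: str, name: str) -> str:
    """Spider/scan minutes must be a positive integer; normalise '05' to '5'."""
    if not value.isdigit() or int(value) <= 0:
        raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return str(int(value))


def parse_passthrough(opts: str) -> List[str]:
    """Validate a free-form option string against ALLOWED_FLAGS.

    Tokens are split with shlex so the string never reaches a shell, and any
    token that is not an allowlisted flag (or the value of one) is rejected
    instead of being silently forwarded to ZAP.
    """
    tokens = shlex.split(opts)
    out: List[str] = []
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag not in ALLOWED_FLAGS:
            raise ValueError(f"option not allowed: {flag!r}")
        out.append(flag)
        i += 1
        if ALLOWED_FLAGS[flag]:
            if i >= len(tokens) or tokens[i].startswith("-"):
                raise ValueError(f"{flag} requires a value")
            out.append(tokens[i])
            i += 1
    return out


def build_zap_baseline_args(env: Mapping[str, str]) -> List[str]:
    """Build the zap-baseline argv from CI variables (dedicated ones first)."""
    target = env.get(TARGET_VAR, "").strip()
    if not target:
        raise ValueError(f"{TARGET_VAR} is required")
    args = ["zap-baseline.py", "-t", target]
    used = set()

    mins = env.get(SPIDER_MINS_VAR, "").strip()
    if mins:
        args += ["-m", parse_positive_int(mins, SPIDER_MINS_VAR)]
        used.add("-m")
    if parse_bool(env.get(AJAX_SPIDER_VAR, "false")):
        args.append("-j")
        used.add("-j")

    # A flag set both ways is ambiguous, so refuse it rather than guess which wins.
    extra = parse_passthrough(env.get(PASSTHROUGH_VAR, ""))
    clash = used.intersection(extra)
    if clash:
        raise ValueError(f"{PASSTHROUGH_VAR} repeats flags already set: {sorted(clash)}")
    return args + extra


if __name__ == "__main__":
    # Constructed sample environment, not values from a real pipeline.
    sample = {TARGET_VAR: "https://app.example.test", SPIDER_MINS_VAR: "5", AJAX_SPIDER_VAR: "true"}
    print(build_zap_baseline_args(sample))
```

The same validation is what the tests in test-basic.sh would need to cover: the default run (no variables) must still produce a plain `-t` invocation, a dedicated variable must map to exactly one flag, and the pass-through variable must be rejected when it contains `-t` or an unknown option.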