Switch DAST zap scanner to stable build
UPDATE: The ZAProxy stable release does not include the ascanrulesAlpha rules. For that reason, we're using a known working weekly image pinned by tag: owasp/zap2docker-weekly:w2019-09-24.
Update the DAST scanner to use the stable (or bare) ZAP image instead of the weekly one: https://github.com/zaproxy/zaproxy/wiki/Docker
The change would be made here: https://gitlab.com/gitlab-org/security-products/dast/blob/master/Dockerfile
Per the ZAP Docker wiki, the weekly build is not intended for anyone building security distributions, and it can contain broken features. Because we are wrapping ZAP, we should only wrap a stable build; otherwise every new weekly build has the ability to introduce a broken scanner into our image without any change on our side.
- Update documentation: https://docs.gitlab.com/ee/user/application_security/dast/index.html and https://docs.gitlab.com/ee/user/application_security/index.html#maintenance-and-update-of-the-vulnerabilities-database
- Assign a DRI PM to monitor https://github.com/zaproxy/zaproxy/releases for new major releases and open an issue when a new release is published.
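An added example, not part of this issue or of the DAST project's Dockerfile: a small shell check for the base-image pin that covers the two failure modes discussed above, a floating tag that lets a new weekly build drift under us, and a stable image that does not ship the ascanrulesAlpha add-on. It assumes the zap2docker images keep add-ons under /zap/plugin and that add-on files are named `<id>-<status>-<version>.zap`; the Dockerfile snippet and the plugin lists are constructed sample input, not the real image contents.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the ZAP base image the DAST Dockerfile wraps.
# Not GitLab's DAST code. Assumptions (not stated in the issue):
#   - zap2docker images keep add-ons under /zap/plugin
#   - add-on files are named <id>-<status>-<version>.zap

# classify_zap_image IMAGE
# Prints "stable" for a version-tagged stable/bare image, "weekly-pinned" for a
# weekly image pinned to a wYYYY-MM-DD tag, and "floating" for anything else
# (untagged, :latest, or a weekly tag that moves between builds).
classify_zap_image() {
  case "$1" in
    owasp/zap2docker-stable:[0-9]*|owasp/zap2docker-bare:[0-9]*)
      echo stable ;;
    owasp/zap2docker-weekly:w[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
      echo weekly-pinned ;;
    *)
      echo floating ;;
  esac
}

# dockerfile_base_image DOCKERFILE_TEXT
# Prints the image named by the last FROM line (the stage that ships).
dockerfile_base_image() {
  printf '%s\n' "$1" | awk 'toupper($1) == "FROM" { img = $2 } END { print img }'
}

# has_alpha_rules PLUGIN_LIST
# Succeeds if the newline-separated add-on file list contains ascanrulesAlpha.
has_alpha_rules() {
  printf '%s\n' "$1" | grep -q '^ascanrulesAlpha-.*\.zap$'
}

# list_image_plugins IMAGE
# Live source for has_alpha_rules' input; needs docker and network access,
# so it is not called in the offline demo below.
list_image_plugins() {
  docker run --rm --entrypoint ls "$1" /zap/plugin
}

# check_base_image DOCKERFILE_TEXT PLUGIN_LIST
# Prints "ok: <image> (<kind>)" and returns 0, or "reject: ..." and returns 1.
check_base_image() {
  image=$(dockerfile_base_image "$1")
  kind=$(classify_zap_image "$image")
  if [ "$kind" = floating ]; then
    echo "reject: $image is not pinned to a stable version or a dated weekly"
    return 1
  fi
  if ! has_alpha_rules "$2"; then
    echo "reject: $image does not ship ascanrulesAlpha"
    return 1
  fi
  echo "ok: $image ($kind)"
}

# Constructed sample input (not the real DAST Dockerfile or image contents).
SAMPLE_DOCKERFILE="FROM owasp/zap2docker-weekly:w2019-09-24
COPY wrapper.sh /zap/"
WEEKLY_PLUGINS="ascanrules-release-36.zap
ascanrulesAlpha-alpha-22.zap
ascanrulesBeta-beta-27.zap"
STABLE_PLUGINS="ascanrules-release-36.zap
ascanrulesBeta-beta-27.zap"

# Demo: pinned weekly with alpha rules passes; the other two cases are rejected.
check_base_image "$SAMPLE_DOCKERFILE" "$WEEKLY_PLUGINS"
check_base_image "$SAMPLE_DOCKERFILE" "$STABLE_PLUGINS" || true
check_base_image "FROM owasp/zap2docker-weekly" "$WEEKLY_PLUGINS" || true
```

To run it against a real image, feed `list_image_plugins owasp/zap2docker-stable:<version>` into `has_alpha_rules` (or into the second argument of `check_base_image`) before changing the FROM line; a stable image that passes the check is the only one the wrapper should move to, given the rules the scanner depends on.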