Add the scanned resources to the DAST Security Reports
#37123 (closed)
Problem to solve
We currently don't provide coverage data for our security scans. Users can't assess which components of their application have been scanned and which have not.
Intended users
Further details
The security reports currently provide information about which resources are vulnerable, but they don't make it possible to verify that a given resource has been scanned and that no known vulnerabilities were found for it.
Proposal
As this information is specific to a given execution of an analyzer, it should fit into the new scan object:
{
"scan": {
"scanned_resources": []
}
}
This allows keeping this information contextual when aggregating multiple reports of the same type at the end of the pipeline.
This property would be an array containing resources. A resource would be a typed object so that the different kinds of report can be covered, e.g.
{
"method": "GET",
"type": "url",
"value": "https://foo.com/bar"
}
or
{
"type": "file",
"value": "foo/bar.rb"
}
We have to consider how to represent the different types of resources for all our report types: SAST, Dependency Scanning, Container Scanning, DAST.
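As an added illustration (not code from GitLab or from this issue), the following script shows how reports using the proposed `scan.scanned_resources` shape could be aggregated at the end of a pipeline to answer the coverage question above: for every scanned resource, whether it was scanned and found clean, or scanned and found vulnerable. The two input reports are constructed for the example, and the `vulnerabilities[].location` shape used to tie a finding back to a resource is an assumption, not part of the proposal.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed DAST-style reports using the proposed `scan.scanned_resources`
# property. The `vulnerabilities[].location` form below is an assumption made
# for this example so that findings can be matched to scanned resources.
REPORT_A = json.dumps({
    "scan": {"scanned_resources": [
        {"type": "url", "method": "GET", "value": "https://example.test/"},
        {"type": "url", "method": "GET", "value": "https://example.test/login"},
    ]},
    "vulnerabilities": [
        {"name": "Missing X-Frame-Options header",
         "location": {"type": "url", "method": "GET",
                      "value": "https://example.test/login"}},
    ],
})
REPORT_B = json.dumps({
    "scan": {"scanned_resources": [
        {"type": "url", "method": "POST", "value": "https://example.test/login"},
    ]},
    "vulnerabilities": [],
})

ResourceKey = Tuple[str, str, str]


def resource_key(res: dict) -> ResourceKey:
    """Identity of a typed resource across reports.

    `method` only applies to URL resources; file resources get an empty
    method so the same file compares equal whichever report listed it.
    """
    return (res["type"], res.get("method", ""), res["value"])


def aggregate(reports: List[str]) -> Dict[ResourceKey, str]:
    """Merge several reports of the same type and label each scanned resource.

    'clean'      -> listed as scanned, no finding references it
    'vulnerable' -> listed as scanned, at least one finding references it
    A finding whose resource is absent from every scanned_resources list is
    kept but flagged, since it indicates the analyzer reported coverage
    inconsistently.
    """
    scanned: Set[ResourceKey] = set()
    vulnerable: Set[ResourceKey] = set()
    for raw in reports:
        report = json.loads(raw)
        scan = report.get("scan", {})
        scanned.update(resource_key(r) for r in scan.get("scanned_resources", []))
        vulnerable.update(resource_key(v["location"])
                          for v in report.get("vulnerabilities", []))

    coverage = {key: ("vulnerable" if key in vulnerable else "clean")
                for key in scanned}
    for key in vulnerable - scanned:
        coverage[key] = "vulnerable (not listed as scanned)"
    return coverage


def is_covered(coverage: Dict[ResourceKey, str], res: dict) -> bool:
    """True when the aggregated reports say this resource was scanned."""
    return resource_key(res) in coverage


if __name__ == "__main__":
    result = aggregate([REPORT_A, REPORT_B])
    for (rtype, method, value), status in sorted(result.items()):
        print(f"{rtype:4} {method:4} {value:32} {status}")
    print("admin page covered:",
          is_covered(result, {"type": "url", "method": "GET",
                              "value": "https://example.test/admin"}))
```

Keying resources on `(type, method, value)` is what makes the aggregation contextual: the same URL scanned with GET in one job and POST in another is two distinct scanned resources, which is exactly the distinction a user needs when deciding whether a given endpoint has actually been exercised.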