Change the ZAP hook used to authenticate sessions
What does this MR do?
When ZAProxy starts, DAST listens to the zap_access_target hook. When the hook is called, DAST creates a new session, and if required, starts a browser and logs the user in using supplied credentials.
This MR changes this behaviour to instead listen for the zap_started hook. The primary reason for this is that the API scanning code does not have a zap_access_target hook, therefore any functionality we add to that hook would not work for an API scan.
This in part resolves issue gitlab-org/gitlab#10928 (closed).
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Job definition example
- Vendored CI Templates (also in CE)
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
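The hook change described in this MR, as an added sketch that is not code from DAST or ZAP: session setup bound to a hook that one scan type never fires is skipped silently, so that scan runs unauthenticated. The `Hooks` class, `trigger_hook` dispatcher, hook sequences and target URL are constructed assumptions; only the absence of `zap_access_target` from the API scan comes from the description above.

```python
# Added illustration, not DAST or ZAP source. The dispatcher and the two
# hook sequences are simplified assumptions; the MR description only states
# that the API scanning code has no zap_access_target hook.

class Hooks:
    """Hypothetical hooks module that performs session setup on one hook."""

    def __init__(self, listen_on):
        self.listen_on = listen_on
        self.sessions = []  # (scan type, target) pairs that got a session

    def _authenticate(self, zap, target):
        # Stand-in for "create a new session and log the user in".
        self.sessions.append((zap["scan"], target))

    def zap_started(self, zap, target):
        if self.listen_on == "zap_started":
            self._authenticate(zap, target)

    def zap_access_target(self, zap, target):
        if self.listen_on == "zap_access_target":
            self._authenticate(zap, target)


def trigger_hook(hooks, name, *args):
    """Call the named hook if it is defined; a missing hook is not an error."""
    fn = getattr(hooks, name, None)
    if callable(fn):
        fn(*args)


# Constructed hook sequences: the API scan never fires zap_access_target.
SCAN_HOOKS = {
    "website": ["zap_started", "zap_access_target"],
    "api": ["zap_started"],
}


def run_scan(scan, hooks, target):
    """Fire the scan's hooks in order and return the sessions created."""
    zap = {"scan": scan}  # stand-in for the ZAP API client object
    for name in SCAN_HOOKS[scan]:
        trigger_hook(hooks, name, zap, target)
    return hooks.sessions


def authenticated_scans(listen_on, target="https://app.example.test"):
    """Scan types that end up with an authenticated session."""
    return [s for s in SCAN_HOOKS if run_scan(s, Hooks(listen_on), target)]
```
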