Add invoke tasks to build DAST / analyze DVWA
What does this MR do?
The Damn Vulnerable Web App (DVWA) is a deliberately vulnerable web application used for learning and testing security practices. This makes it very useful for DAST engineers building new features, as they can see what effect a feature has on a scan against DVWA.
DVWA is often a more appropriate web app to test against than WebGoat, and ZAP has trouble scanning WebGoat.
This MR adds the following invoke tasks:
- `server.dvwa`: starts a DVWA server
- `dast.build`: builds a local DAST image
- `dast.shell`: starts a container using the latest local DAST image; the entrypoint is a shell into the `/zap` directory
- `dast.analyze.dvwa`: runs a DAST scan against the running DVWA. Environment variables are configured so that the scan is authenticated.
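As an added illustration (not the MR's own `tasks.py`), a minimal invoke file wiring the four tasks above with flat names instead of the MR's `server.`/`dast.` namespaces. Assumptions are marked in comments: the DVWA and local DAST image tags, the `DAST_*` authentication variable names, and DVWA's default login; the env helper shell-quotes every value so credentials reach the container unchanged.

```python
import shlex

try:
    from invoke import task
except ImportError:  # invoke not installed: keep the module importable for inspection
    def task(fn):
        return fn

DVWA_IMAGE = "vulnerables/web-dvwa"       # assumption: public DVWA image
DAST_IMAGE = "dast:local"                 # assumption: tag given to the locally built image
DVWA_URL = "http://host.docker.internal"  # assumption: how the DAST container reaches DVWA

def dvwa_auth_env():
    """Variables that let the scanner log in (assumed DAST_* names, DVWA default credentials)."""
    return {
        "DAST_WEBSITE": DVWA_URL,
        "DAST_AUTH_URL": f"{DVWA_URL}/login.php",
        "DAST_USERNAME": "admin",
        "DAST_PASSWORD": "password",
        "DAST_USERNAME_FIELD": "username",
        "DAST_PASSWORD_FIELD": "password",
        "DAST_AUTH_EXCLUDE_URLS": f"{DVWA_URL}/logout.php",  # keep the spider from logging itself out
    }

def docker_run_cmd(image, env=None, entrypoint=None, workdir=None, interactive=False):
    """Assemble a `docker run` line; each -e value is shell-quoted so credentials pass through intact."""
    parts = ["docker", "run", "--rm"] + (["-it"] if interactive else [])
    for key, value in (env or {}).items():
        parts += ["-e", shlex.quote(f"{key}={value}")]
    if workdir:
        parts += ["-w", workdir]
    if entrypoint:
        parts += ["--entrypoint", entrypoint]
    parts.append(image)
    return " ".join(parts)

@task
def server_dvwa(c):  # server.dvwa: start DVWA on port 80
    c.run(f"docker run --rm -p 80:80 {DVWA_IMAGE}", pty=True)

@task
def dast_build(c):  # dast.build: build the DAST image from the current checkout
    c.run(f"docker build -t {DAST_IMAGE} .")

@task
def dast_shell(c):  # dast.shell: interactive shell in /zap of the latest local image
    c.run(docker_run_cmd(DAST_IMAGE, entrypoint="/bin/sh", workdir="/zap", interactive=True), pty=True)

@task
def dast_analyze_dvwa(c):  # dast.analyze.dvwa: authenticated scan of the running DVWA
    c.run(docker_run_cmd(DAST_IMAGE, env=dvwa_auth_env()))
```

Run with `invoke server-dvwa` in one terminal and `invoke dast-build dast-analyze-dvwa` in another; the container must be able to reach DVWA at the URL you configure.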
What are the relevant issue numbers?
n/a
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
  - Job definition example
  - Vendored CI Templates (also in CE)
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer