
URL Passive Scan

Craig Smith requested to merge url_scan_passive_scan_214120 into master

What does this MR do?

This MR adds the ability to disable the DAST spider and scan only URLs specified in the DAST_URLS environment variable.

Omissions

The focus for the MR is to get a working skeleton to scan by a list of URLs. This MR does not take into account:

  • Passing CLI options to ZAP
  • Dealing with when the URL list fails to be written to a file

I plan to add these in subsequent MRs.

To run this code locally

cd into the project and build DAST:

docker build -t dast .

Start a basic site:

invoke server.basicsite

Since we want a safe place for DAST to write its log and reports to, create a new place to run DAST.

mkdir -p ~/dast_tmp/output
cd ~/dast_tmp

Run the scan with the environment variable DAST_URLS set, which defines the URLs DAST should scan.

docker run \
       --rm \
       --network host \
       -v "${PWD}":/output \
       --env DAST_URLS=http://localhost:8010,http://localhost:8010/page2.html \
       dast /analyze -d -t http://localhost:8010 >url_scan.log 2>&1

Once DAST is complete you'll have the DAST JSON report gl-dast-report.json (which includes vulnerabilities and the list of URLs scanned), the log url_scan.log and the ZAP log zap.out.
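The MR reads a comma-separated DAST_URLS value and writes it to a file for ZAP, and lists "dealing with when the URL list fails to be written to a file" as a follow-up. The POSIX shell below is an added example, not code from the DAST project or from this MR: it splits a DAST_URLS value one URL per line, keeps only http(s) URLs whose origin matches the -t target (so a stray out-of-scope host in the list is dropped rather than scanned), and returns a distinct exit code when nothing usable was found or the file could not be written. The function names, the scope rule and the constructed sample value are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the DAST project or this MR).
# origin_of URL -> prints "scheme://host[:port]" lowercased.
# Everything up to the first "/" or "?" after "://" counts as the host part,
# so a "user@host" form does not match a plain host origin.
origin_of() {
    printf '%s\n' "$1" \
        | sed -E 's#^([a-zA-Z][a-zA-Z0-9+.-]*://[^/?]+).*$#\1#' \
        | tr '[:upper:]' '[:lower:]'
}

# write_url_list TARGET URL_LIST OUTFILE
#   TARGET   : the -t target, e.g. http://localhost:8010
#   URL_LIST : the DAST_URLS value (comma separated)
#   OUTFILE  : file to write, one in-scope URL per line
# Exit status: 0 = written, 1 = no in-scope URL found, 2 = could not write.
write_url_list() {
    _target_origin=$(origin_of "$1")
    _out=$3
    # Split on commas only; disable globbing so "*" in a URL is not expanded.
    _old_ifs=$IFS
    IFS=','
    set -f
    set -- $2
    set +f
    IFS=$_old_ifs

    _tmp=$(mktemp) || return 2
    _kept=0
    for _u in "$@"; do
        # Trim surrounding whitespace left by ", " separators.
        _u=$(printf '%s' "$_u" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$_u" ] || continue
        case "$_u" in
            http://*|https://*) ;;
            *) echo "skipping non-http URL: $_u" >&2; continue ;;
        esac
        if [ "$(origin_of "$_u")" != "$_target_origin" ]; then
            echo "skipping out-of-scope URL: $_u" >&2
            continue
        fi
        printf '%s\n' "$_u" >> "$_tmp" || { rm -f "$_tmp"; return 2; }
        _kept=$((_kept + 1))
    done

    if [ "$_kept" -eq 0 ]; then
        rm -f "$_tmp"
        return 1
    fi
    # Write atomically: the output file only appears once the list is complete.
    if ! mv "$_tmp" "$_out"; then
        rm -f "$_tmp"
        return 2
    fi
    return 0
}

# Demo with a constructed DAST_URLS value: the MR's two URLs plus an ftp
# entry and an out-of-scope host, both of which should be dropped.
demo_dir=$(mktemp -d)
write_url_list "http://localhost:8010" \
    "http://localhost:8010,http://localhost:8010/page2.html, ftp://localhost:8010/x,http://other.example/page" \
    "$demo_dir/urls.txt"
cat "$demo_dir/urls.txt"
```

A caller can then treat exit status 1 as "nothing to scan" and 2 as the write failure the MR defers, instead of letting ZAP start with an empty or missing list.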

What are the relevant issue numbers?

!214120

Does this MR meet the acceptance criteria?

Edited by Craig Smith
