Redact password from evidence summary
What does this MR do?
This merge request redacts the DAST_PASSWORD from the DAST report.
Related Issue(s)
Why?
We established that DAST may leak sensitive information in evidence. It was decided in the DAST weekly on 2021-04-05 that this was not a major concern, because we already strongly advise customers never to run authenticated scans against production servers, but I also think it's important to address this in order to help protect users against slips and mistakes.
Below is what our docs currently say:
NEVER run an authenticated scan against a production server. When an authenticated scan is run, it may perform any function that the authenticated user can. This includes actions like modifying and deleting data, submitting forms, and following links. Only run an authenticated scan against a test server.
https://docs.gitlab.com/ee/user/application_security/dast/#authentication
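To make the redaction concrete, here is an added example of the kind of scrubbing the MR describes. It is illustrative code written for this note, not the DAST analyzer's own implementation: the function name RedactSecret, the [REDACTED] placeholder and the sample request are all assumptions. The point it adds to the description above is that a password captured in HTTP evidence rarely appears only as the raw DAST_PASSWORD value; it also shows up URL-encoded in a form body and base64-encoded inside a Basic Authorization header, so a redactor has to cover those forms too, and must refuse to operate on an empty secret (replacing "" would insert the placeholder between every character).

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// redacted is the placeholder written in place of the secret (assumed name/value).
const redacted = "[REDACTED]"

// secretForms returns the representations of a secret that may appear in
// captured HTTP evidence: the raw value, its URL-encoded form (as sent in
// application/x-www-form-urlencoded bodies), and the base64 of
// "username:secret" used by HTTP Basic authentication.
func secretForms(secret, username string) []string {
	forms := []string{secret}
	if enc := url.QueryEscape(secret); enc != secret {
		forms = append(forms, enc)
	}
	if username != "" {
		basic := base64.StdEncoding.EncodeToString([]byte(username + ":" + secret))
		forms = append(forms, basic)
	}
	return forms
}

// RedactSecret replaces every known form of the secret in evidence with the
// placeholder. An empty secret is a no-op: strings.ReplaceAll with an empty
// pattern would otherwise insert the placeholder at every position.
func RedactSecret(evidence, secret, username string) string {
	if secret == "" {
		return evidence
	}
	out := evidence
	for _, form := range secretForms(secret, username) {
		out = strings.ReplaceAll(out, form, redacted)
	}
	return out
}

func main() {
	// Constructed sample evidence: a login request as a scanner might record it.
	// The password appears twice, once base64-encoded and once URL-encoded.
	username, password := "alice", "p@ss w0rd"
	basic := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
	evidence := "POST /login HTTP/1.1\r\n" +
		"Authorization: Basic " + basic + "\r\n" +
		"\r\n" +
		"username=alice&password=" + url.QueryEscape(password)

	fmt.Println(RedactSecret(evidence, password, username))
}
```

Substring replacement is deliberately simple and has limits worth stating: it does not catch other encodings (HTML entities, hex, JSON escapes), and a very short or common password would over-redact unrelated text. Both are reasons the docs' advice to never run authenticated scans against production stands regardless of redaction.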
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
  - Job definition example
  - Vendored CI Templates (also in CE)
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer