Skip to content

GitLab Next

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

Redact password from evidence summary

Review changes
Download
Patches
Plain diff

Philip Cunningham requested to merge philipcunningham-redact-dast-auth-details-from-reports-326944 into master Apr 13, 2021

Overview 3
Commits 1
Pipelines 9
Changes 3

What does this MR do?

this merge request redacts the DAST_PASSWORD from the dast report.

Related Issue(s)

#326944

Why?

we established dast may leak sensitive information in evidence. it was decided in dast weekly on 2021-04-05 that this was not a major concern because we already strongly advise customers never to run authenticated scans against production servers but i also think it's important to address this in order to help protect users against slips and mistakes.

below is what our docs currently say:

NEVER run an authenticated scan against a production server. When an authenticated scan is run, it may perform any function that the authenticated user can. This includes actions like modifying and deleting data, submitting forms, and following links. Only run an authenticated scan against a test server.

https://docs.gitlab.com/ee/user/application_security/dast/#authentication

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Changelog entry added
Documentation created/updated for GitLab EE, if necessary
Documentation created/updated for this project, if necessary
Documentation reviewed by technical writer or follow-up review issue created
Tests added for this feature/bug
Job definition updated, if necessary
- Job definition example
- Vendored CI Templates (also in CE)
Conforms to the code review guidelines
Conforms to the Go guidelines
Security reports checked/validated by reviewer

Edited Apr 13, 2021 by Philip Cunningham

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking