On-demand DAST Configuration Parity
### Problem

Today, On-demand DAST scan configuration is very limited and includes:

* Site profile (name, type, target URL, excluded URLs, request headers, authentication, scan method)
* Scanner profile (profile name, scan mode, crawl timeout, target timeout, debug messages)
* Scan schedule

[Pipeline-based DAST scans include many, many more variables/configuration settings](https://docs.gitlab.com/ee/user/application_security/dast/browser/configuration/variables.html). Without the ability to set these variables, On-demand DAST scans may fail completely, meaning customers can't use on-demand scans and must fall back to pipeline-based scans. Recently, this has led to at least 4 RFH issues where prospects were unable to successfully trial On-Demand scans.

### Scope

#### Must-have

* Ability to fully configure on-demand scans with all variables that can be configured for pipeline-based DAST scans
* Configuration settings can be saved and reused for multiple DAST scans
* Any change made to the configuration should result in an audit event
  * Config variable added, edited, or deleted
* Variables will be available in the ~~scanner or~~ site profile as listed below:

##### Variables

###### **Site profile**

1. DAST_AUTH_AFTER_LOGIN_ACTIONS
2. DAST_AUTH_BEFORE_LOGIN_ACTIONS
3. DAST_AUTH_CLEAR_INPUT_FIELDS
4. DAST_AUTH_COOKIE_NAMES
5. DAST_AUTH_FIRST_SUBMIT_FIELD
6. DAST_AUTH_PASSWORD_FIELD
7. DAST_AUTH_NEGOTIATE_DELEGATION
8. DAST_AUTH_PASSWORD
9. DAST_AUTH_SUBMIT_FIELD
10. DAST_AUTH_SUCCESS_IF_AT_URL
11. DAST_AUTH_SUCCESS_IF_ELEMENT_FOUND
12. DAST_AUTH_SUCCESS_IF_NO_LOGIN_FORM
13. DAST_AUTH_TYPE
14. DAST_AUTH_URL
15. DAST_AUTH_USERNAME_FIELD
16. DAST_AUTH_USERNAME
17. DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUT
18. DAST_CRAWL_SEARCH_ELEMENT_TIMEOUT
19. DAST_PAGE_DOM_READY_TIMEOUT
20. DAST_PAGE_DOM_STABLE_WAIT
21. DAST_PAGE_ELEMENT_READY_TIMEOUT
22. DAST_PAGE_IS_LOADING_ELEMENT
23. DAST_PAGE_IS_READY_ELEMENT
24. DAST_PAGE_MAX_RESPONSE_SIZE_MB
25. DAST_PAGE_READY_AFTER_ACTION_TIMEOUT
26. DAST_PAGE_READY_AFTER_NAVIGATION_TIMEOUT
27. DAST_REQUEST_COOKIES
28. DAST_REQUEST_HEADERS
29. DAST_SCOPE_ALLOW_HOSTS
30. DAST_SCOPE_EXCLUDE_ELEMENTS
31. DAST_SCOPE_EXCLUDE_HOSTS
32. DAST_SCOPE_EXCLUDE_URLS
33. DAST_SCOPE_IGNORE_HOSTS
34. DAST_TARGET_CHECK_SKIP
35. DAST_TARGET_CHECK_TIMEOUT
36. DAST_TARGET_PATHS_FILE
37. DAST_TARGET_PATHS
38. DAST_TARGET_URL
39. DAST_PKCS12_CERTIFICATE_BASE64
40. DAST_PKCS12_PASSWORD
41. DAST_ACTIVE_SCAN_TIMEOUT
42. DAST_CRAWL_MAX_ACTIONS
43. DAST_CRAWL_MAX_DEPTH
44. DAST_CRAWL_TIMEOUT
45. DAST_CRAWL_WORKER_COUNT
46. DAST_REQUEST_ADVERTISE_SCAN
47. DAST_USE_CACHE
48. DAST_ACTIVE_SCAN_WORKER_COUNT
49. DAST_PASSIVE_SCAN_WORKER_COUNT

### Proposal

For the MVC, expose all DAST variables on the on-demand configuration page, so customers can use every DAST configuration variable for on-demand scans.

### Design

https://gitlab.com/gitlab-org/gitlab/-/issues/466299