On-demand DAST scan scheduler
### Problem to solve

As a DAST on-demand user, I would like to schedule my scans, so that I do not have to manually trigger an on-demand DAST scan.

### Intended users

* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* [Simone (Software Engineer in Test)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#simone-software-engineer-in-test)

### User experience goal

The user should be able to use the UI to schedule a DAST scan by selecting the Site profile, the Scanner profile, and the time to run. There should be options for recurring schedules as well as one-off schedules. The user should also be able to view all scheduled scans, change the schedule of an already scheduled scan, and delete a scan from the schedule.

### Proposal

On the DAST On-demand page, users should be able to click a "Schedule scan" button after they have configured a scan. This opens a modal with the scheduling options. There should also be a "Scheduled scans" tab that takes them to a list of all scheduled scans. From there, they should be able to change the schedule of any scan they created, as well as delete it from the schedule.

### Further details

* Design issue: https://gitlab.com/gitlab-org/gitlab/-/issues/225996

### Permissions and Security

* Maintainers and Owners should be able to add scans, and to see, change, and delete any scheduled scan in the project.
* Developers should be able to add scans and see all scans, but only change and delete scans that they created themselves.
* All other roles should only be able to view scheduled scans.

### Documentation

The DAST On-demand documentation should be updated to reflect that users can now schedule scans.
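The permission matrix above, as an added illustration that is not GitLab's code: a small Ruby policy object encoding the three rules, including the ownership condition that limits Developers to schedules they created. The role and action names, the `DastSchedule` struct and the `DastSchedulePolicy` class are assumptions for this example, not GitLab's real policy classes.

```ruby
# Illustration of the epic's authorization rules (not GitLab's implementation).
# Roles follow GitLab's project member roles; the policy shape is assumed.
ROLES = %i[guest reporter developer maintainer owner].freeze

# Minimal stand-in for a stored schedule: who created it is all the policy needs.
DastSchedule = Struct.new(:id, :author_id, keyword_init: true)

class DastSchedulePolicy
  # Actions from the epic: add a schedule, view the list, change or delete one.
  ACTIONS = %i[create read update destroy].freeze

  def initialize(user_id:, role:)
    raise ArgumentError, "unknown role #{role.inspect}" unless ROLES.include?(role)

    @user_id = user_id
    @role = role
  end

  # Returns true when a member with this role may perform +action+.
  # +schedule+ is only consulted for update/destroy (the ownership rule).
  def allowed?(action, schedule = nil)
    raise ArgumentError, "unknown action #{action.inspect}" unless ACTIONS.include?(action)

    case action
    when :read
      # Every role may view scheduled scans.
      true
    when :create
      # Developers, Maintainers and Owners may add scheduled scans.
      %i[developer maintainer owner].include?(@role)
    when :update, :destroy
      # Maintainers and Owners may change any schedule in the project;
      # Developers only the ones they created; everyone else is denied.
      return true if %i[maintainer owner].include?(@role)

      @role == :developer && !schedule.nil? && schedule.author_id == @user_id
    end
  end
end

# Full set of permitted actions for a role acting on a given schedule.
def permitted_actions(role:, user_id:, schedule:)
  policy = DastSchedulePolicy.new(user_id: user_id, role: role)
  DastSchedulePolicy::ACTIONS.select { |action| policy.allowed?(action, schedule) }
end
```

A request that changes a schedule must pass the schedule record to `allowed?`; checking the role alone would let any Developer edit a colleague's schedule.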
### Implementation plan

| Task # | Issue | Description | Department |
| ------ | ----- | ----------- | ---------- |
| 1 | https://gitlab.com/gitlab-org/gitlab/-/issues/328749 | Roll out the `dast_on_demand_scans_scheduler` feature flag | ~frontend ~backend |
| 2 | https://gitlab.com/gitlab-org/gitlab/-/issues/330308 | Update the GraphQL endpoint to support scan schedule data | ~backend |
| 3 | https://gitlab.com/gitlab-org/gitlab/-/issues/330307 | Implement scheduled pipelines | ~backend |
| 4 | https://gitlab.com/gitlab-org/gitlab/-/issues/328752 | Implement the schedules section in the on-demand scans form | ~frontend |
| 5 | https://gitlab.com/gitlab-org/gitlab/-/issues/328753 | Add the **Repeats** field to the schedules section, show the schedule in the scan profiles library, and update the delete modal text | ~frontend |
| 6 | https://gitlab.com/gitlab-org/gitlab/-/issues/328754 | Document how on-demand scans can be scheduled | ~documentation |

### Decisions

#### `OnDemandScansController` controller

In order to populate the on-demand scans form with stored values when editing a scan, we need to include the schedule settings in the `@dast_profile` variable.

https://gitlab.com/gitlab-org/gitlab/-/blob/53e53b2aefd316d88aa1ef44cdf9a1764a3b5d94/ee/app/controllers/projects/on_demand_scans_controller.rb#L26-33

#### `DastProfileCreateInput` & `DastProfileUpdateInput`

The `DastProfileCreateInput` and `DastProfileUpdateInput` GraphQL types need to be extended to support schedule settings:

* `schedule`: `DastProfileSchedule`

#### `DastProfileSchedule`

`DastProfileSchedule` is a new GraphQL type that abstracts the schedule settings:

* `active`: `Bool!`
* `timezone`: `String`
* `starts_at`: `String`
* `repeats`: `DastRecurringScheduleEnum`