MVC: Project-level DAST Scan Execution Policies (pipeline)
Problem to solve
As an application security analyst, I want to require that a DAST scan runs whenever a project pipeline runs, using the configuration I specify, so that I can be confident the scans I set up have not been altered or disabled by anyone who can edit the project's CI configuration.
Intended users
- Cameron (Compliance Manager)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Alex (Security Operations Engineer)
Proposal
Note: This is a minimal MVC and is intended to allow us to be iterative and release quickly. Please reference the Security Orchestration direction page for plans to improve this capability in the future.
- Users will be able to associate a Security Policy Project with each of their projects (similar to how a Cluster Management Project can be designated as the management project for a cluster today)
- Users will be able to create a policy in the Security Policy Project that requires a DAST scan to run when the project's pipeline runs, independently of what the project's own CI configuration contains.
- Users will be able to reference an existing Scan Profile and Site Profile by name as part of the policy definition.
- Users will not be able to edit or delete any Scan Profile or Site Profile that is referenced by an active policy, so the enforced scan cannot be weakened by changing the profile it points to.
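As an added illustration of the policy described above (this is not a configuration taken from this issue or from GitLab's own code), the following shows what a minimal DAST scan execution policy in the Security Policy Project could look like. The file path, the `scan_execution_policy` key and its field names are assumptions modelled on GitLab's scan execution policy YAML; the branch names and the site and scanner profile names are placeholders that would have to match profiles already defined in the project.

```yaml
# Assumed location: .gitlab/security-policies/policy.yml in the Security Policy Project.
# Illustrative example only; key names, path and profile names are assumptions.
scan_execution_policy:
  - name: Require DAST on every pipeline
    description: >
      Run the DAST scan defined by the referenced Site Profile and Scan
      Profile on every pipeline for the listed branches. The referenced
      profiles are locked against edits and deletion while this policy
      is enabled.
    enabled: true
    rules:
      # A "pipeline" rule triggers the scan whenever a pipeline runs for a
      # matching branch, regardless of what the project's own
      # .gitlab-ci.yml defines (or omits).
      - type: pipeline
        branches:
          - main
          - release/*
    actions:
      - scan: dast
        # Existing profiles referenced by name (placeholder names). The policy
        # does not copy their settings, which is why a referenced profile
        # must not be editable or deletable while the policy is active.
        site_profile: Production site
        scanner_profile: Passive quick scan
```

Two checks a practitioner would want after applying such a policy: a pipeline on a listed branch should contain a DAST job even when the project's own CI configuration defines none, and an attempt to edit or delete the referenced Site Profile or Scan Profile in the project should be refused while the policy is enabled.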
Further details
Permissions and Security
- Only users with Maintainer or higher access on the project will be able to set or change the associated Security Policy Project, so a user with Developer access cannot bypass the required scan by pointing the project at a different policy project or removing the association.
Documentation
- Documentation will be updated to describe how to create these policies (Note: this is probably a new page under Projects -> Application Security -> Security Policies)
- Documentation will include at least one example configuration
- The existing DAST documentation will be modified to include a link to the documentation on the security policies
Feature flag
- Feature flag: security_orchestration_policies_configuration
- Feature: security_orchestration_policies