Closed MVC: Project-level DAST Scan Execution Policies (pipeline)

    Closed Epic created by Sam White

    Release notes

    Problem to solve

    As an application security analyst, I want to enforce/require DAST scans to be run whenever a project pipeline is run, according to the configuration I specify, so that I can be confident that the scans I set up have not been changed, altered, or disabled.

    Intended users

    In smaller organizations:

    User experience goal

    Proposal

    Note: This is a minimal MVC and is intended to allow us to be iterative and release quickly. Please reference the Security Orchestration direction page for plans to improve this capability in the future.

    1. Users will be able to associate a Security Policy Project with each of their projects (similar to how a Cluster Management Project can be designated as the management project for a cluster today).
    2. Users will be able to create a policy in the Security Policy Project that will require a DAST scan to be run when the pipeline is run.
    3. Users will be able to reference an existing Scan Profile and Site Profile as part of the policy definition.
    4. Users will not be able to edit or delete any Scan Profiles or Site Profiles that are referenced by an active policy.
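    As an added illustration of the policy described in items 2 and 3 above, here is what such a policy could look like in the `scan_execution_policy` YAML format that GitLab later documented for Security Policy Projects. This is not from the epic, the MVC may have shipped a different shape, and the file path, branch pattern and profile names are placeholders.

```yaml
# Assumed location: .gitlab/security-policies/policy.yml in the Security Policy Project
# (the epic does not fix the file name or path).
scan_execution_policy:
  - name: Require DAST on every pipeline
    description: >-
      Enforces a DAST scan against the referenced site profile whenever a
      pipeline runs, so the scan cannot be removed or disabled by editing
      the scanned project's own .gitlab-ci.yml.
    enabled: true
    rules:
      # Trigger on pipelines for any branch (placeholder pattern).
      - type: pipeline
        branches:
          - "*"
    actions:
      # Reference existing profiles by name. Per item 4 of the proposal,
      # profiles referenced by an active policy cannot be edited or deleted.
      - scan: dast
        site_profile: "Production site"       # placeholder profile name
        scanner_profile: "Passive baseline"   # placeholder profile name
```

    Because the policy lives in the separate Security Policy Project rather than in the scanned project's CI configuration, changing the scan requires changing that project or its association, which item 1 under Permissions and Security restricts to Maintainer or higher.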

    Further details

    Permissions and Security

    1. Only users with Maintainer or higher access on the project will be able to set or change the associated Security Policy Project.

    Documentation

    • Documentation will be updated to describe how to create these policies (Note: this is probably a new page under Projects -> Application Security -> Security Policies)
    • Documentation will include at least one example configuration
    • The existing DAST documentation will be modified to include a link to the documentation on the security policies

    Availability & Testing

    What does success look like, and how can we measure that?

    What is the type of buyer?

    Is this a cross-stage feature?

    Feature flag

    Feature flag: security_orchestration_policies_configuration

    Feature: security_orchestration_policies

    Links / references

    Edited by Annabel Dunstone Gray
