DAST: Viable to Complete
# Features needed for Complete maturity
*This section will evolve as we complete the research project.*
In rough order of priority, the goals of this initiative are:
* [x] [Manually triggered On-demand scans](https://gitlab.com/groups/gitlab-org/-/epics/3053)
* [x] Better results and scan coverage
* [x] [Aggregate vulnerabilities to reduce the number of vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/4967)
* [x] [Update default DAST ruleset to remove high FP and low criticality rules](https://gitlab.com/gitlab-org/gitlab/-/issues/327184)
* [x] [On-demand DAST Scheduler](https://gitlab.com/groups/gitlab-org/-/epics/4876)
* [x] [DAST UI configuration](https://gitlab.com/groups/gitlab-org/-/epics/3323)
* [x] [On-demand configuration workflow redesign](https://gitlab.com/groups/gitlab-org/-/epics/7631)
* [x] [CI/CD UI configuration workflow redesign](https://gitlab.com/groups/gitlab-org/-/epics/7632)
* ~~DAST-specific vulnerability detail page~~ - (replaced by updates to the generic vulnerability details)
Moved to the Complete-to-Lovable stage:
* [DAST-specific scan detail page](https://gitlab.com/gitlab-org/gitlab/-/issues/216664)
As a result of the de-duplication and the more usable configuration options, we believe this will reduce users' perception of false positives enough that no separate engineering work on false-positive reduction will be needed.
<details>
<summary>Show old details</summary>
# Implementation order by feature area
## On-demand:
***[Designs](https://www.figma.com/file/7CaJqOTOpPEOzkYkoU5bs5/DAST-Ondemand-Profile?node-id=1023%3A23887)***
1. Iteration 1:
   - Initial on-demand scan (gitlab-org/gitlab#218465)
   - Initiate scan (gitlab-org/gitlab#218465)
   - See scan on pipeline page (no implementation needed)
   - See results in pipeline dashboard (no implementation needed)
   - Use the Site profile in the on-demand scan (gitlab-org/gitlab#222755) - blocked by Site profile Iteration 1
1. Iteration 2:
   - Use the Scan profile in the on-demand scan (gitlab-org/gitlab#225691)
   - Page showing only on-demand scans (gitlab-org/gitlab#218587)
   - Usage ping for on-demand scans (gitlab-org/gitlab#220951)
1. Iteration 3:
   - See the uneditable Scan profile config after selection (gitlab-org/gitlab#225693)
   - See the uneditable Site profile config after selection (gitlab-org/gitlab#222761)
## UI Configuration:
### Site profile:
***[Designs](https://www.figma.com/file/7CaJqOTOpPEOzkYkoU5bs5/DAST-Ondemand-Profile?node-id=1024%3A0)***
1. Iteration 1 (&3772):
   - Name
   - Target URL
1. Iteration 2 (TBD):
   - Site Validation
1. Iteration 3 (&3771):
   - API/Website selection
   - Request headers
   - Authentication
     - Username/password, username field/password field
   - Excluded URLs
### Scanner profile (&3720):
***[Designs](https://www.figma.com/file/7CaJqOTOpPEOzkYkoU5bs5/DAST-Ondemand-Profile?node-id=1024%3A24167)***
1. Iteration 1 (gitlab-org/gitlab#222767):
   - Name
   - Spider timeout
   - Target timeout
1. Iteration 2 (gitlab-org/gitlab#225804):
   - Active/passive scan selection
   - Ajax Spider
   - Debug
### Profile library:
***[Designs](https://www.figma.com/file/7CaJqOTOpPEOzkYkoU5bs5/DAST-Ondemand-Profile?node-id=1023%3A18668)***
1. Iteration 1 (gitlab-org/gitlab#225816):
   - Create Site profile
   - Delete Site profile
   - View created Site profiles
1. Iteration 2 (gitlab-org/gitlab#225817):
   - Create Scanner profile
   - Delete Scanner profile
   - View created Scanner profiles
   - Edit Scanner profiles
   - Edit Site profiles
1. Iteration 3 (gitlab-org/gitlab#217872):
   - Log profile activity
</details>
## Feature flags
### Active
<!--
#### `feature_flag_name`
* **Status:**
* **staging:**
* **production:**
* **Purpose:**
* **Rollout issue:**
* **YAML:**
-->
### Past
<details>
<summary>Show removed feature flags</summary>
#### `dast_on_demand_scans_scheduler`
* **Status:** [Removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72953).
* **Rollout issue:** https://gitlab.com/gitlab-org/gitlab/-/issues/328749
* **YAML:** https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/config/feature_flags/development/dast_on_demand_scans_scheduler.yml
#### `dast_view_scans`
* **Status:** [Removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77672).
* **Purpose:** Controls the ability to access the on-demand DAST scans index page.
* **Rollout issue:** https://gitlab.com/gitlab-org/gitlab/-/issues/340388
* **YAML:** https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/feature_flags/development/dast_view_scans.yml
#### `dast_failed_site_validations`
* **Status:** [Removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/70697).
* **Purpose:** When enabled, a summary of failed site validations is fetched and displayed in the DAST profiles library, with a way to either retry the validation or discard it.
* **Rollout issue:** https://gitlab.com/gitlab-org/gitlab/-/issues/323961
* **YAML:** https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/config/feature_flags/development/dast_failed_site_validations.yml
#### `security_on_demand_scans_site_validation`
* **Status:** [Removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/50635).
* **Purpose:** Controls all DAST site validation features.
* **Rollout issue:** https://gitlab.com/gitlab-org/gitlab/-/issues/241815
* **YAML:** [`config/feature_flags/development/security_on_demand_scans_site_validation.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/feature_flags/development/security_on_demand_scans_site_validation.yml)
#### `dast_saved_scans`
* **Status:** [Removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/56540).
* **Purpose:** Controls the ability to create, edit and manage saved scans.
* **Rollout issue:** https://gitlab.com/gitlab-org/gitlab/-/issues/295252
* **YAML:** [`ee/config/feature_flags/development/dast_saved_scans.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/config/feature_flags/development/dast_saved_scans.yml)
#### `security_dast_site_profiles_additional_fields`
* **Status:** [Removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/61460).
* **Purpose:** Controls the authentication, headers and excluded URLs fields in DAST site profiles.
* **Rollout issue:** https://gitlab.com/gitlab-org/gitlab/-/issues/292897
* **YAML:** [`config/feature_flags/development/security_dast_site_profiles_additional_fields.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/feature_flags/development/security_dast_site_profiles_additional_fields.yml)
#### `security_dast_site_profiles_api_option`
* **Status:** [Removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/61460).
* **Purpose:** Controls the API scan option in DAST site profiles.
* **Rollout issue:** https://gitlab.com/gitlab-org/gitlab/-/issues/325130
* **YAML:** [`config/feature_flags/development/security_dast_site_profiles_api_option.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/feature_flags/development/security_dast_site_profiles_api_option.yml)
#### `dast_branch_selection`
* **Status:** [Removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/59349).
* **Purpose:** Controls the ability to associate a DAST scan with a specific branch.
* **Rollout issue:** https://gitlab.com/gitlab-org/gitlab/-/issues/322672
* **YAML:** https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/config/feature_flags/development/dast_branch_selection.yml
</details>
## Test Projects
1. https://gitlab.com/gitlab-org/security-products/dast-testing/-/on_demand_scans
1. https://gitlab.com/gitlab-org/security-products/dast-saved-scans-testing/-/security/configuration/dast_profiles