
Use DAST Scan profiles from database

Problem to solve

To simplify DAST configuration, customers can create scanner and site profiles under on-demand scans. Today they can then run a DAST scan from the web interface using those profiles, which removes the need to write or maintain a YAML configuration file.

However, customers who want to run DAST in their pipeline must configure every variable in their .gitlab-ci.yml. There is no way for them to reuse the profiles they created in the web interface.

Proposal

GitLab introduces a new job-level keyword in .gitlab-ci.yml, dast_configuration:

dast:
  stage: dast
  dast_configuration:
    site_profile: "site-profile-name"
    scanner_profile: "scanner-profile-name"
  script:
    - echo

Customers set site_profile and scanner_profile under dast_configuration to the names of the profiles they previously saved through the on-demand scan interface (stored in the database). The pipeline then resolves those names into the DAST variables the job needs.

Technical details

Note: the developer should get a spike of this implementation in front of the CI team for review as early in the process as possible.

Additional context: Gitlab::Ci::Pipeline::Seed::Build is used in the Gitlab::Ci::Pipeline::Chain::Seed step of the pipeline creation process. The full chain is defined in Ci::CreatePipelineService.

Implementation Questions

  1. Ensure we can handle the authentication values saved in site profiles (the credentials used for authenticated scans), for example so that they reach the scanner without being written to the job log.
  2. The scanner and site profiles will gain additional fields as DAST grows. Architect this so that new profile fields flow into the DAST job without code changes.
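As an added illustration (not GitLab's code, and not the real schema of the profile tables), the following Ruby sketches how the two implementation questions above could be addressed when the seed step resolves dast_configuration: every profile column is mapped generically to a job variable, so new columns flow through without code changes, and the authentication secret is flagged as masked. The profile rows, the column names, the DAST_* variable names and the masked flag are constructed assumptions for this example.

```ruby
require 'set'

# Constructed sample rows standing in for the saved site profiles table.
# Column names are assumed for illustration; they are not GitLab's schema.
SITE_PROFILES = {
  'site-profile-name' => {
    'target_url'    => 'https://example.com',
    'excluded_urls' => 'https://example.com/logout',
    'auth_url'      => 'https://example.com/login',
    'auth_username' => 'scanner',
    'auth_password' => 's3cr3t-pw-value'
  }
}.freeze

# Constructed sample rows standing in for the saved scanner profiles table.
SCANNER_PROFILES = {
  'scanner-profile-name' => {
    'spider_timeout' => 5,
    'target_timeout' => 60,
    'scan_type'      => 'passive'
  }
}.freeze

# Profile columns that hold secrets. Their variables are flagged masked so the
# runner hides them in the job log (assumption: the consumer honours the flag).
SECRET_FIELDS = Set['auth_password'].freeze

class ProfileNotFound < StandardError; end

# Map every profile column to a DAST_<COLUMN> variable. The mapping is generic,
# so a column added to a profile later flows into the job without code changes
# (implementation question 2). The DAST_* names are assumed, not GitLab's.
def profile_to_variables(profile)
  profile.map do |column, value|
    { key: "DAST_#{column.upcase}", value: value.to_s, masked: SECRET_FIELDS.include?(column) }
  end
end

# Resolve the dast_configuration block of a job (site_profile and
# scanner_profile names) into the variables the dast job would receive.
# An unknown profile name fails resolution rather than starting an
# unconfigured scan.
def resolve_dast_configuration(dast_configuration)
  site_name    = dast_configuration.fetch('site_profile')
  scanner_name = dast_configuration.fetch('scanner_profile')

  site    = SITE_PROFILES.fetch(site_name) { raise ProfileNotFound, "site profile #{site_name.inspect} not found" }
  scanner = SCANNER_PROFILES.fetch(scanner_name) { raise ProfileNotFound, "scanner profile #{scanner_name.inspect} not found" }

  profile_to_variables(site) + profile_to_variables(scanner)
end

# Usage with the job from the proposal above; masked values are never echoed.
if $PROGRAM_NAME == __FILE__
  vars = resolve_dast_configuration('site_profile' => 'site-profile-name',
                                    'scanner_profile' => 'scanner-profile-name')
  vars.each { |v| puts "#{v[:key]}=#{v[:masked] ? '[MASKED]' : v[:value]}" }
end
```

The point of the generic column-to-variable mapping is that the seed step never needs a per-field list; the only place that has to know about individual columns is the set of secret fields, which is what keeps the saved credentials out of the job log.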
Edited by Philip Cunningham