
Allow DAST_PATHS_FILE to be an artifact

Release notes

Problem to solve

DAST_PATHS_FILE is only accessible from the /zap/wrk directory. This means the list of URLs to scan must be generated and committed to the project repository. However, it's not always possible to generate this list beforehand, and so it's necessary to allow users to generate the file as an artifact and then reference that artifact using DAST_PATHS_FILE.

See 45114#note_433171269 for the full conversation.

Intended users

Proposal

DAST_PATHS_FILE should look in both the /builds directory and /zap/wrk directory.

If DAST_PATHS_FILE is set to urls_to_scan.txt, DAST would look for the file /build/urls_to_scan.txt, then, if that file doesn't exist, look in /zap/wrk/urls_to_scan.txt.

Documentation

The DAST docs should be updated to mention that DAST_PATHS_FILE will look in the /builds directory.

Edited by Avielle Wolfe
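
The lookup order from the proposal, sketched as an added example (not code from the DAST project). `resolve_paths_file` and `demo` are hypothetical names, `/builds` is taken as the first directory as written in the proposal's opening sentence, and the containment check is an assumption about how a user-supplied file name should be handled once two directories are searched.

```python
import os
import tempfile

# Search order from the proposal: job workspace first, then the ZAP working dir.
DEFAULT_SEARCH_DIRS = ("/builds", "/zap/wrk")


def resolve_paths_file(name, search_dirs=DEFAULT_SEARCH_DIRS):
    """Return the first existing regular file for `name`, or None.

    Hypothetical helper: each candidate is canonicalised and must stay inside
    the directory it was looked up in, so "../" segments, absolute names and
    symlinks cannot point the scanner at a file outside the search locations.
    """
    for base in search_dirs:
        base_real = os.path.realpath(base)
        candidate = os.path.realpath(os.path.join(base_real, name))
        if os.path.commonpath([base_real, candidate]) != base_real:
            continue  # resolved path escaped this search directory
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Exercise the lookup order against constructed temporary directories."""
    root = os.path.realpath(tempfile.mkdtemp())
    builds = os.path.join(root, "builds")  # stands in for /builds
    wrk = os.path.join(root, "wrk")        # stands in for /zap/wrk
    os.makedirs(builds)
    os.makedirs(wrk)
    dirs = (builds, wrk)

    def write(path, text):
        with open(path, "w") as fh:
            fh.write(text)

    # Only the committed copy exists: the lookup falls back to the second dir.
    write(os.path.join(wrk, "urls_to_scan.txt"), "/committed\n")
    write(os.path.join(root, "outside.txt"), "/not-for-scanning\n")
    fallback = resolve_paths_file("urls_to_scan.txt", dirs)
    # An earlier job produced an artifact: the first dir now takes precedence.
    write(os.path.join(builds, "urls_to_scan.txt"), "/generated\n")
    artifact = resolve_paths_file("urls_to_scan.txt", dirs)
    # A name that climbs out of both directories is not resolved.
    escaped = resolve_paths_file("../outside.txt", dirs)
    return root, fallback, artifact, escaped


if __name__ == "__main__":
    print(demo())
```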