Change DAST On-demand API Scanning Engine
Overview
As part of on-demand scans, users can run an API scan from the web interface. The on-demand process uses the DAST-On-Demand-Scan CI template, https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-On-Demand-Scan.gitlab-ci.yml.
Since the API Security tool is almost ready to roll out as the default API scanner, the template above should be updated to use the API Security DAST scanner instead of the ZAP engine.
Implementation
Switching over requires both frontend and backend work. This design issue details the changes.
The following frontend changes are needed:
- Change "Rest API" to "API"
- Change "Target URL" to "API Endpoint URL"
- Add a radio button, "Perform testing using:", with the options OpenAPI, HAR and Postman
- Only one of the three path fields is shown, depending on the selected radio button
- Add an input field for "HAR File Path"
- Add an input field for "OpenAPI File Path or URL"
- Add an input field for "Postman File Path"
- Change "Excluded URLs" to "Excluded Paths"
In addition, passive and active attack profiles will need to be built for the API Security engine.
The on-demand web interface encrypts and encodes sensitive variables, so the API Security engine needs matching decoding logic to read those environment variables properly. That code is in gitlab-org/security-products/dast!418 (merged).
Implementation plan
Task # | Issue | Description | Department |
---|---|---|---|
1 | #327070 (closed) | Change DAST On-demand API Scanning Engine | backend |
2 | #350735 (closed) | Frontend changes for API Security | frontend |
3 | #352625 (closed) | Documentation related updates | documentation |
4 | #345837 (closed) | Feature flag rollout | feature flag |
Decisions
Feature Flag
All related changes should be released behind the dast_api_scanner feature flag.
GraphQL
DastSiteProfileCreateInput & DastSiteProfileUpdateInput
The DastSiteProfileCreateInput and DastSiteProfileUpdateInput GraphQL input types need to be extended with two fields to support the new scan method option:
- scanMethod: Type::ScanMethodEnum
- scanFilePath: Type::String
ScanMethodEnum is a new enum that identifies the scan method to be used for the API scan. Its values are:
- OPENAPI
- POSTMAN_COLLECTION
- HAR
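To make the data model concrete, here is an added example (not GitLab's own code) of the backend step that has to exist somewhere behind this design: turning a site profile with the new `scanMethod` and `scanFilePath` values into the CI variables the API Security scanner reads. The `DAST_API_*` variable names are the scanner's public configuration variables; the profile hash shape, the `api_scan_variables` function and the "URL only allowed for OpenAPI" check (which mirrors the form labels "OpenAPI File Path or URL" versus "HAR File Path" and "Postman File Path") are assumptions of this example.

```ruby
# Added example, not code from the design issue or from GitLab.
# Maps an on-demand API site profile to DAST API Security scanner variables.

# Enum values from the ScanMethodEnum in this design.
SCAN_METHODS = %w[OPENAPI HAR POSTMAN_COLLECTION].freeze

# Each scan method selects exactly one file-path variable, mirroring the
# "only one of the three path fields is shown" rule in the form design.
SCAN_FILE_VARIABLE = {
  'OPENAPI' => 'DAST_API_OPENAPI',
  'HAR' => 'DAST_API_HAR',
  'POSTMAN_COLLECTION' => 'DAST_API_POSTMAN_COLLECTION'
}.freeze

class InvalidProfile < StandardError; end

# profile: { target_url:, scan_method:, scan_file_path:, excluded_paths: [] }
# Returns a Hash of CI variable name => value, or raises InvalidProfile.
def api_scan_variables(profile)
  method = profile[:scan_method].to_s
  unless SCAN_METHODS.include?(method)
    raise InvalidProfile, "unknown scan method: #{method.inspect}"
  end

  target = profile[:target_url].to_s.strip
  raise InvalidProfile, 'target_url is required' if target.empty?

  path = profile[:scan_file_path].to_s.strip
  raise InvalidProfile, 'scan_file_path is required' if path.empty?

  # The form offers "File Path or URL" only for OpenAPI; HAR and Postman
  # are labelled "File Path", so a URL there is treated as a profile error
  # rather than silently fetched (assumption of this example).
  if method != 'OPENAPI' && path.match?(%r{\A[a-z][a-z0-9+.-]*://}i)
    raise InvalidProfile, "#{method} expects a file path, not a URL"
  end

  vars = {
    'DAST_API_TARGET_URL' => target,
    SCAN_FILE_VARIABLE.fetch(method) => path
  }

  # "Excluded Paths" is a list in the UI; the scanner takes one
  # comma-separated variable. Blank entries are dropped.
  excluded = Array(profile[:excluded_paths]).map { |p| p.to_s.strip }.reject(&:empty?)
  vars['DAST_API_EXCLUDE_PATHS'] = excluded.join(',') unless excluded.empty?
  vars
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample profile for a stand-alone run.
  sample = {
    target_url: 'https://api.example.com',
    scan_method: 'OPENAPI',
    scan_file_path: 'https://api.example.com/openapi.json',
    excluded_paths: ['/logout', '/admin/*']
  }
  api_scan_variables(sample).each { |k, v| puts "#{k}=#{v}" }
end
```

The point of the validation is that only the one variable matching the chosen `scanMethod` is ever emitted: a profile that somehow carries a stale path for another method cannot cause the scanner to pick up two definitions, and the exclusion list is normalized once, on the backend, instead of trusting whatever the form posted.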
dastSiteProfiles Query
The dastSiteProfiles query gains the two new fields (marked with +):

```diff
project(fullPath: $fullPath) {
  dastSiteProfiles(...) {
    nodes {
      id
      profileName
      normalizedTargetUrl
      targetUrl
      targetType
+     scanMethod
+     scanFilePath
    }
  }
}
```