Running DAST on-demand scan on a project with security_orchestration_policies feature enabled fails with error
Summary
Running a DAST on-demand scan on a project with the security_orchestration_policies feature enabled fails with the error:
Could not run the scan. Please try again.
dast-on-demand-0 job: chosen stage does not exist; available stages are .pre, dast, .post
Steps to reproduce
- Create a new project (with the NodeJS template)
- Configure On-Demand DAST Scan Profiles: a Site Profile and a Scanner Profile
- Save and run an On-Demand DAST Scan -> the scan runs normally
- Enable the feature flag security_orchestration_policies for your project, then enable Scan Policies by going to Security & Compliance -> Scan Policies, select a project and configure a YAML file with a policy that runs a DAST scan for every pipeline:
  scan_execution_policy:
  - name: Enforce DAST in every release pipeline
    description: This policy enforces pipeline configuration to have a job with DAST scan for release branches
    enabled: true
    rules:
    - type: pipeline
      branches:
      - master
    actions:
    - scan: dast
      scanner_profile: Scanner Profile A
      site_profile: Site Profile B
- Try to run the same scan as in step 3 -> the pipeline fails with the error message:
  Could not run the scan. Please try again. dast-on-demand-0 job: chosen stage does not exist; available stages are .pre, dast, .post
Example Project
https://gitlab.com/sashi_kumar/express-demo
What is the current bug behavior?
The On-Demand Scan fails when Scan Policies are configured for the project, because internally GitLab tries to extend the on-demand pipeline configuration with the scan defined in the policy.
What is the expected correct behavior?
The On-Demand Scan succeeds when Scan Policies are configured for the project, and the on-demand pipeline configuration is not extended with the scan defined in the policy.
Relevant logs and/or screenshots
Possible fixes
- Modify Gitlab::Ci::Config::SecurityOrchestrationPolicies::Processor so that it does not extend the configuration when the pipeline is created for an On-Demand scan.
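The following Ruby script is an added, self-contained model of the failure described in this issue and of the proposed fix; it is not GitLab's code and does not reproduce the real Processor. It parses the scan execution policy from the steps above, selects the actions whose pipeline rules match a branch, merges a policy-generated CI fragment into a constructed on-demand pipeline config, and then validates every job's stage against the pipeline's stage list, producing the same error text as the issue. The on-demand stage name `dast-on-demand`, the `/analyze` script, the `policy_ci_config` translation and the `on_demand:` flag are all assumptions of this model, chosen so that the stage conflict in the error message is visible.

```ruby
require 'yaml'

# Constructed sample: the scan execution policy from the steps above.
POLICY_YAML = <<~YAML
  scan_execution_policy:
  - name: Enforce DAST in every release pipeline
    description: This policy enforces pipeline configuration to have a job with DAST scan for release branches
    enabled: true
    rules:
    - type: pipeline
      branches:
      - master
    actions:
    - scan: dast
      scanner_profile: Scanner Profile A
      site_profile: Site Profile B
YAML

# Constructed sample: a minimal on-demand DAST pipeline config. The stage name
# 'dast-on-demand' and the script are assumptions of this model, not GitLab's
# real generated config.
ON_DEMAND_CONFIG = {
  'stages' => ['dast-on-demand'],
  'dast-on-demand-0' => { 'stage' => 'dast-on-demand', 'script' => ['/analyze'] }
}.freeze

# Return the actions of every enabled policy whose pipeline rules match +branch+.
def applicable_actions(policy_yaml, branch)
  policies = YAML.safe_load(policy_yaml).fetch('scan_execution_policy', [])
  policies
    .select { |policy| policy['enabled'] }
    .select { |policy|
      Array(policy['rules']).any? { |rule|
        rule['type'] == 'pipeline' && Array(rule['branches']).include?(branch)
      }
    }
    .flat_map { |policy| Array(policy['actions']) }
end

# Hypothetical translation of a policy action into a CI fragment. It assumes
# the injected scan job lives in a stage named after the scan ('dast') and
# that the fragment carries its own top-level `stages` list.
def policy_ci_config(action)
  scan = action.fetch('scan')
  {
    'stages' => [scan],
    "#{scan}-policy" => {
      'stage' => scan,
      'variables' => {
        'DAST_SITE_PROFILE' => action['site_profile'],
        'DAST_SCANNER_PROFILE' => action['scanner_profile']
      }
    }
  }
end

# Merge policy fragments into the base config. Hash#merge replaces top-level
# keys, so a fragment's `stages` overwrites the base pipeline's `stages`; that
# is the class of conflict this model reproduces. With on_demand: true the
# policy is skipped entirely, mirroring the fix proposed above.
def build_pipeline_config(base, policy_yaml, branch:, on_demand:)
  return base if on_demand

  applicable_actions(policy_yaml, branch)
    .map { |action| policy_ci_config(action) }
    .reduce(base) { |config, fragment| config.merge(fragment) }
end

# Check each job's stage against the pipeline's stage list (plus the implicit
# .pre and .post stages) and report mismatches in the issue's error format.
def validate_stages(config)
  stages = ['.pre'] + Array(config['stages']) + ['.post']
  config.reject { |key, _| key == 'stages' }.filter_map do |job, spec|
    next if stages.include?(spec['stage'])

    "#{job} job: chosen stage does not exist; available stages are #{stages.join(', ')}"
  end
end

if __FILE__ == $PROGRAM_NAME
  broken = build_pipeline_config(ON_DEMAND_CONFIG, POLICY_YAML, branch: 'master', on_demand: false)
  puts validate_stages(broken)        # reproduces the issue's error line
  fixed = build_pipeline_config(ON_DEMAND_CONFIG, POLICY_YAML, branch: 'master', on_demand: true)
  puts validate_stages(fixed).inspect # [] : on-demand config left untouched
end
```

Running the script prints the issue's error for the merged configuration and an empty list once the policy merge is skipped for on-demand pipelines, which is the behaviour the expected-behaviour section asks for.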