Backend: Pre scan verification
Backend implementation for the pre-scan verification:
- Create new tables to store the pre-scan verification status:
  - `dast_pre_scan_verifications`
    - `status`: (Running, Complete, Complete with Errors, Failed)
    - `dast_profile_id`
    - `ci_pipeline_id` (cross-database foreign key)
    - `created_at`
    - `updated_at`

    The `valid` attribute will be computed by taking the delta between the `updated_at` of the `dast_site_profile` and the `created_at` of the `dast_pre_scan_verification`, as suggested here. We just need to keep in our database the last pre-scan verification for the `dast_profile`.
  - `dast_pre_scan_verification_steps`
    - `dast_pre_scan_verification_id`
    - `name`
    - `errors`

    The `success` attribute will be computed by the `dast_pre_scan_verification_step` model. A verification step will be considered a success if the `errors` attribute is nil or empty.
- Create a REST internal endpoint to receive the pre-scan results from the analyzers:

  `POST /api/v4/internal/dast/pre_scan_verification/$PRE_SCAN_VERIFICATION_ID`

  Payload:

  ```json
  {
    "pipeline": {
      "id": "1234567",
      "errors": []
    },
    "connection": {
      "errors": []
    },
    "authentication": {
      "errors": [
        "Actionable error message"
      ]
    },
    "crawling": {
      "errors": []
    }
  }
  ```
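The following is an added example, not code from the GitLab issue or the GitLab code base, showing how the step and verification rules above fit together with the endpoint payload. It uses plain-Ruby `Struct` stand-ins for the two tables (the `PreScanVerification*` names, `STEP_NAMES`, `parse_pre_scan_payload`, `record_pre_scan_result` and `verification_valid?` are all assumptions made here), the sample payload is constructed, and two behaviours are added beyond what the issue states: a malformed body is rejected rather than recorded as a clean "Complete" verification, and a payload whose pipeline id does not match the verification's `ci_pipeline_id` is refused.

```ruby
require 'json'
require 'time'

# Constructed sample payload in the shape described in the issue (not real analyzer output).
SAMPLE_PAYLOAD = <<~JSON
  {
    "pipeline": { "id": "1234567", "errors": [] },
    "connection": { "errors": [] },
    "authentication": { "errors": ["Actionable error message"] },
    "crawling": { "errors": [] }
  }
JSON

# Step names the endpoint expects, in the order the analyzer runs them.
STEP_NAMES = %w[pipeline connection authentication crawling].freeze

# Plain-Ruby stand-in for a dast_pre_scan_verification_steps row (hypothetical, not the GitLab model).
PreScanVerificationStep = Struct.new(:name, :errors) do
  # A step succeeds when its errors attribute is nil or empty (the rule from the issue).
  def success?
    errors.nil? || errors.empty?
  end
end

# Plain-Ruby stand-in for a dast_pre_scan_verifications row. `status` holds one of the
# strings listed in the issue; 'Running' and 'Failed' are set by the pipeline lifecycle
# and are not derived from the payload here.
PreScanVerification = Struct.new(:dast_profile_id, :ci_pipeline_id, :status,
                                 :created_at, :updated_at, :steps)

# Decodes the analyzer payload into step rows, enforcing the expected shape so that a
# malformed body is rejected (HTTP 400 in the endpoint) instead of being recorded as a
# clean "Complete" verification. Returns { pipeline_id:, steps: }.
def parse_pre_scan_payload(json)
  payload = JSON.parse(json)
  raise ArgumentError, 'payload must be a JSON object' unless payload.is_a?(Hash)

  steps = STEP_NAMES.map do |name|
    step = payload[name]
    raise ArgumentError, "missing step: #{name}" unless step.is_a?(Hash)

    errors = step.fetch('errors', [])
    unless errors.nil? || (errors.is_a?(Array) && errors.all? { |e| e.is_a?(String) })
      raise ArgumentError, "errors for #{name} must be an array of strings"
    end

    PreScanVerificationStep.new(name, errors)
  end

  { pipeline_id: payload['pipeline']['id'].to_s, steps: steps }
end

# Overall status derived from the steps: any step with errors makes it 'Complete with Errors'.
def verification_status(steps)
  steps.all?(&:success?) ? 'Complete' : 'Complete with Errors'
end

# What the internal endpoint would do on receipt: attach the steps to the in-flight
# verification and move it out of 'Running'. The pipeline-id match is an added
# consistency check (assumption, not specified in the issue): a payload that names a
# different pipeline than the one the verification was created for is refused.
def record_pre_scan_result(verification, json)
  parsed = parse_pre_scan_payload(json)
  unless parsed[:pipeline_id] == verification.ci_pipeline_id.to_s
    raise ArgumentError, 'payload pipeline id does not match the verification'
  end

  verification.steps = parsed[:steps]
  verification.status = verification_status(verification.steps)
  verification.updated_at = Time.now.utc
  verification
end

# The computed `valid` attribute: the verification only counts if the site profile has
# not been updated since the verification was created (assumed reading of the
# "delta between updated_at and created_at" rule in the issue).
def verification_valid?(verification, site_profile_updated_at)
  verification.created_at >= site_profile_updated_at
end

if __FILE__ == $PROGRAM_NAME
  v = PreScanVerification.new(42, 1_234_567, 'Running', Time.now.utc, Time.now.utc, [])
  record_pre_scan_result(v, SAMPLE_PAYLOAD)
  puts "status: #{v.status}"
  v.steps.each { |s| puts "  #{s.name}: #{s.success? ? 'ok' : s.errors.join('; ')}" }
end
```

Keeping the shape check in the endpoint rather than in the model matters because the only writer of these rows is an unauthenticated-to-the-user internal caller: whatever the analyzer posts becomes the status the GraphQL query later reports, so an empty or truncated body must not read as a successful verification.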
- Create a GraphQL query to return the pre-scan validation status.
- Update the `dastProfileCreate` mutation to accept a new field `runPreScanVerificationAfterCreate`.
- Update `ee/app/services/app_sec/dast/scan_configs/build_service.rb#ci_configuration` to use the new pre-scan verification template for pre-scan verifications.
- Update `ee/app/services/app_sec/dast/scans/create_service.rb` to create the pipeline with the additional verification variable (`PRE_SCAN_VERIFICATION_ID`), similar to what is done in `ee/app/services/app_sec/dast/site_validations/runner_service.rb`.