
Enable On Demand DAST Scans in FIPS Mode

Given the transition to browser-based DAST, and the fact that the browser-based DAST scanner is FIPS compliant, we can start offering On Demand Scans when GitLab is running in FIPS mode.

Since browser-based On Demand Scans will be available behind the feature flag dast_ods_browser_based_scanner, On Demand Scans in FIPS mode will likewise be enabled only when that feature flag is enabled.

Proposal

  1. Users should be able to navigate directly to the On Demand Scans page at /on_demand_scans#/all for a particular project
  2. Users should be able to trigger an On Demand Scan using the GitLab API
  3. Users should see the menu item "On-Demand Scans" under "Security and Compliance"
  4. Modify the On Demand DAST Scan template to use the FIPS image
  5. Modify the DAST Runner Validation Template to use the FIPS image

Implementation Plan

Basic predicate: if GitLab is running in FIPS mode, the On Demand Scans feature should be available.

  1. ee/app/controllers/projects/on_demand_scans_controller.rb - Modify the check_fips_mode action to return 200 if GitLab is running in FIPS mode and the feature flag is enabled
  2. ee/lib/ee/gitlab/security/scan_configuration.rb - Modify on_demand_available to return true when type == :dast. If GitLab is running in FIPS mode, it must return true only when the feature flag is enabled.
  3. ee/lib/ee/sidebars/projects/menus/security_compliance_menu.rb - Modify on_demand_scans_menu_item. If GitLab is running in FIPS mode and the feature flag is enabled, the On Demand Scans menu item should be shown.
  4. ee/app/policies/ee/project_policy.rb - Modify the on_demand_scans_enabled condition. If GitLab is running in FIPS mode, it must return true only when the feature flag is enabled.
  5. Modify the On Demand DAST Scan template to use the FIPS image when GitLab is running in FIPS Mode and the Feature Flag is enabled.
  6. Modify the DAST Runner Validation Template to use the FIPS image
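The gating logic that steps 1 to 6 share, written as an added, stand-alone Ruby example (not GitLab's code). `Instance` is an assumed stand-in for the real `Gitlab::FIPS.enabled?` and `Feature.enabled?` checks, and the image names are placeholders:

```ruby
FEATURE_FLAG = :dast_ods_browser_based_scanner

# Stand-in for the running instance (assumed shape, not a GitLab class):
# in GitLab the real checks are Gitlab::FIPS.enabled? and Feature.enabled?.
class Instance
  def initialize(fips_mode:, flags: {})
    @fips_mode = fips_mode
    @flags = flags
  end

  def fips_mode?
    @fips_mode
  end

  def feature_enabled?(flag)
    @flags.fetch(flag, false)
  end
end

# The shared predicate behind steps 1-4: outside FIPS mode nothing changes;
# in FIPS mode the feature is gated on the browser-based scanner flag.
def on_demand_scans_available?(instance)
  return true unless instance.fips_mode?

  instance.feature_enabled?(FEATURE_FLAG)
end

# Step 2: on_demand_available, evaluated per scan type. Only DAST has
# on-demand scans, and in FIPS mode it inherits the flag gate above.
def on_demand_available?(instance, type)
  type == :dast && on_demand_scans_available?(instance)
end

# Steps 5-6: which image the generated DAST / runner-validation job should
# reference. "PLACEHOLDER/..." stands in for the real registry paths.
def dast_image(instance)
  if instance.fips_mode? && instance.feature_enabled?(FEATURE_FLAG)
    "PLACEHOLDER/dast:fips"
  else
    "PLACEHOLDER/dast:latest"
  end
end
```

The three instance states worth checking are: FIPS off (always available), FIPS on without the flag (unavailable), and FIPS on with the flag (available, FIPS image).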

Verification and Success Criteria:

If GitLab is running in FIPS mode and the feature flag on_demand_scans_enabled is enabled:

  1. Users should be able to see the menu item appear in their project menu.

  2. Users should be able to trigger an On Demand Scan using the GitLab API (`Mutation.dastOnDemandScanCreate`).

  3. Direct access to the On Demand Scans page is allowed.

  4. The DAST card on the Security Configuration page shows the "Available on demand" badge.

    Screenshot: image.png

Previous Work

  1. Remove available on-demand badge from ODS when ... (!131137 - merged)
  2. Disable On Demand DAST Scans in FIPS mode (!130744 - merged)
  3. https://gitlab.com/gitlab-org/gitlab/-/issues/409061

Related Epic: &11429 (closed)

Edited by Arpit Gogia