Add GraphQL support to On Demand API Scans
What does this MR do and why?
Describe in detail what your merge request does and why.
This MR resolves #378692 (closed)
DAST API has recently added support for GraphQL Schemas and the ability to pull the schema from an API endpoint. On Demand API Scans should also have support for GraphQL when using DAST API as the scanner backend. While DAST API supports both directly querying the GraphQL endpoint, as well as providing a schema as a file or URL, only the direct querying of the GraphQL endpoint will be added.
In addition to adding support for GraphQL to On Demand API Scans, the documentation should also provide instructions on how to allow list our scanner through the use of a header provided via the Request Headers field in the site profile. Many GraphQL frameworks are starting to disable introspection queries by default, which will cause the scan to fail. However, it is also straightforward for most frameworks to allow the introspection query if a user-defined header is included in the request.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Screenshots: horizontal layout, vertical layout (images not included).
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Go to `/-/security/configuration/profile_library#site-profiles` on a project level.
- Create a new profile or edit an existing one.
- Select Site type `API`.
- Select Scan method `GraphQL` from a dropdown.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #378692 (closed)