Perform passive security test of GraphQL API using DAST API
What does this MR do and why?
Perform a passive security test of the GraphQL API using DAST API.
- Add new `dast_api` job to the `dast` stage of the `review-app` pipeline
- Job runs in ~3 minutes
- Uses the same rules as the existing `dast` jobs
- New job runs in a scheduled pipeline
Related to https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/294
How to set up and validate locally
Passing job prior to adding scheduled rules: https://gitlab.com/gitlab-org/gitlab/-/jobs/3066163086
The job is now configured to run on a schedule. To run a new pipeline and see the output, you will need to replace the rules in `.gitlab/ci/review-apps/dast-api.gitlab-ci.yml` so they run in the MR pipeline.
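As an added illustrative example (not the file from this MR and not GitLab's own review-app configuration), the shape of a GitLab CI configuration that does what the description above outlines: it includes GitLab's DAST API template, runs the `dast_api` job in the `dast` stage with the passive profile against a GraphQL endpoint, and restricts the job to scheduled pipelines, with the MR-pipeline rule swap shown as a comment. The target URL, the endpoint path, and the rule expressions are assumptions for illustration; the real file reuses the existing review-app `dast` rules, which are not reproduced here.

```yaml
# Illustrative example only; not the contents of
# .gitlab/ci/review-apps/dast-api.gitlab-ci.yml from this MR.
# Assumed values: the review app's base URL and GraphQL path below are placeholders.

include:
  # GitLab's DAST API template defines the dast_api job in the dast stage.
  - template: Security/DAST-API.gitlab-ci.yml

stages:
  - dast

variables:
  # Passive profile: analyse responses to introspected/crawled operations,
  # no active fuzzing of mutations, so the review app is not stressed.
  DAST_API_PROFILE: Passive
  # Path of the GraphQL endpoint; the scanner introspects the schema from it.
  DAST_API_GRAPHQL: /api/graphql
  # Base URL of the review app under test (placeholder, assumed).
  DAST_API_TARGET_URL: https://review-app.example.com

dast_api:
  stage: dast
  # Steady-state behaviour from the MR description: only scheduled pipelines run the job.
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  # To see output from an MR pipeline while validating, temporarily replace the
  # rule above with one that matches merge request pipelines, for example:
  #   rules:
  #     - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

With the template included, the `dast_api` job only needs its `rules` overridden; the profile, endpoint and target come from the variables. Remember to revert the temporary MR-pipeline rule before merging, otherwise the scan runs on every MR pipeline instead of on the schedule.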
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Michael Eddington