Perform passive security test of GraphQL API using DAST API

Michael Eddington requested to merge mikeeddington-dast-api-graphql-passive into master

What does this MR do and why?

Perform a passive security test of the GraphQL API using DAST API.

  • Add new dast_api job to the dast stage of the review-app pipeline
  • Job runs in ~3 minutes
  • Uses the same rules as the existing dast jobs
  • New job runs in a scheduled pipeline

Related to https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/294

How to set up and validate locally

Passing job prior to adding scheduled rules: https://gitlab.com/gitlab-org/gitlab/-/jobs/3066163086

The job is now configured to run on a schedule. To run a new pipeline and see the output, you will need to replace the rules in .gitlab/ci/review-apps/dast-api.gitlab-ci.yml so they run in the MR pipeline.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Michael Eddington
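For readers who want to see what a job like the one described above looks like, the following is an added illustration and not the MR's own .gitlab/ci/review-apps/dast-api.gitlab-ci.yml. It uses GitLab's DAST-API CI template, sets the passive profile and the GraphQL endpoint, and restricts the job to scheduled pipelines; the review-app target URL and the GraphQL path are placeholders, not values taken from this project.

```yaml
# Added example: a passive DAST API scan of a GraphQL endpoint, scheduled only.
# Not the MR's own configuration; target URL and GraphQL path are placeholders.
include:
  - template: Security/DAST-API.gitlab-ci.yml   # provides the dast_api job

stages:
  - dast

dast_api:
  stage: dast
  variables:
    DAST_API_PROFILE: Passive                   # passive checks only, no active payloads
    DAST_API_GRAPHQL: /api/graphql              # assumed endpoint path (placeholder)
    DAST_API_TARGET_URL: https://review-app.example.invalid   # placeholder review-app URL
  rules:
    # Run on scheduled pipelines only, as the MR description states.
    - if: $CI_PIPELINE_SOURCE == "schedule"
    # To exercise the job in an MR pipeline while validating, replace the rule
    # above with:
    #   - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

The rule block is the part the MR description says must be swapped to see the job run in a merge request pipeline; everything else stays the same, so the scan that runs on schedule is the same scan that was validated in the MR.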