Pin to the major version of DAST

2074d6c7 · Cameron Swords · Nick Thomas · 556a2ad1 · 2074d6c7 · 2074d6c7
Commit 2074d6c7 authored Jan 16, 2020 by Cameron Swords Committed by Nick Thomas Jan 16, 2020
3 changed files
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -103,6 +103,10 @@ always take the latest DAST artifact available. Behind the scenes, the
 [GitLab DAST Docker image](https://gitlab.com/gitlab-org/security-products/dast)
 is used to run the tests on the specified URL and scan it for possible vulnerabilities.

+By default, the DAST template will use the latest major version of the DAST Docker image. Using the `DAST_VERSION` variable,
+you can choose to automatically update DAST with new features and fixes by pinning to a major version (e.g. 1), only update fixes by pinning to a minor version (e.g. 1.6) or prevent all updates by pinning to a specific version (e.g. 1.6.4).
+Find the latest DAST versions on the [Releases](https://gitlab.com/gitlab-org/security-products/dast/-/releases) page.
+
 ### Authenticated scan

 It's also possible to authenticate the user before performing the DAST checks:

--- a/ee/changelogs/unreleased/pin-dast-to-major-version.yml
+++ b/ee/changelogs/unreleased/pin-dast-to-major-version.yml
+---
+title: DAST vendored template pins DAST to latest major version
+merge_request: 22371
+author:
+type: changed
--- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
@@ -10,10 +10,13 @@ stages:
  - deploy
  - dast

+variables:
+  DAST_VERSION: 1
+
 dast:
  stage: dast
  image:
-    name: "registry.gitlab.com/gitlab-org/security-products/dast:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
+    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
  variables:
  # URL to scan:
  # DAST_WEBSITE: https://example.com/