Merge branch '7182-add-dast-full-scan-enabled-support' into 'master'

Add ZAP Full Scan support to DAST vendored template

See merge request gitlab-org/gitlab-ee!11269

doc/user/application_security/dast/index.md

@@ -32,9 +32,11 @@ see the details and the URL(s) affected.
 [Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_Application_Security_Testing)
 is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
 to perform an analysis on your running web application.
-Since it is based on [ZAP Baseline](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan),
-DAST will perform passive scanning only; it will not actively attack your application.
 
+By default, DAST executes [ZAP Baseline Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan) and will perform passive scanning only. It will not actively attack your application.
+
+However, DAST can be [configured](#full-scan)
+to also perform a so-called "active scan". That is, attack your application and produce a more extensive security report.
 It can be very useful combined with [Review Apps](../../../ci/review_apps/index.md).
 
 ## Use cases
@@ -98,6 +100,8 @@ There are two ways to define the URL to be scanned by DAST:
 - Set the `DAST_WEBSITE` [variable](../../../ci/yaml/README.md#variables).
 - Add it in an `environment_url.txt` file at the root of your project.
 
+#### Authenticated scan
+
 It's also possible to authenticate the user before performing the DAST checks:
 
 ```yaml
@@ -111,6 +115,7 @@ variables:
   DAST_PASSWORD: john-doe-password
   DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
   DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
+  DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
 ```
 
 The report will be saved as a
@@ -118,6 +123,19 @@ The report will be saved as a
 that you can later download and analyze.
 Due to implementation limitations, we always take the latest DAST artifact available.
 
+#### Full scan
+
+DAST can be configured to perform [ZAP Full Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan), which
+includes both passive and active scanning against the same target website:
+
+```yaml
+include:
+  template: DAST.gitlab-ci.yml
+
+variables:
+  DAST_FULL_SCAN_ENABLED: "true"
+```
+
 #### Customizing the DAST settings
 
 The SAST settings can be changed through environment variables by using the

ee/changelogs/unreleased/7182-add-dast-full-scan-enabled-support.yml

+---
+title: Added ZAP Full Scan support for DAST
+merge_request: 11269
+author:
+type: added

lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml

@@ -30,6 +30,7 @@ dast:
     - |
       function dast_run() {
         docker run \
+        --env DAST_FULL_SCAN_ENABLED \
         --env DAST_TARGET_AVAILABILITY_TIMEOUT \
         --volume "$PWD:/output" \
         --volume /var/run/docker.sock:/var/run/docker.sock \
@@ -46,7 +47,8 @@ dast:
           --auth-username $DAST_USERNAME \
           --auth-password $DAST_PASSWORD \
           --auth-username-field $DAST_USERNAME_FIELD \
-          --auth-password-field $DAST_PASSWORD_FIELD
+          --auth-password-field $DAST_PASSWORD_FIELD \
+          --auth-exclude-urls $DAST_AUTH_EXCLUDE_URLS
       else
         dast_run
       fi