Add properties to DAST Scanner Profile

Allow on-demand DAST users to create profiles that control debug
messages, turn off/on ajax scans and toggle between active and passive
scans

changelogs/unreleased/add_options_to_dast_scanner_profile_254626.yml

+---
+title: Add on-demand DAST scan options (scanType, showDebugMessages, useAjaxSpider)
+  ajax spider and set the scan type
+merge_request: 43240
+author:
+type: added

db/migrate/20200924035825_add_options_to_dast_scanner_profile.rb

+# frozen_string_literal: true
+
+class AddOptionsToDastScannerProfile < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+
+  PASSIVE_SCAN_ENUM_VALUE = 1
+
+  def change
+    add_column :dast_scanner_profiles, :scan_type, :integer, limit: 2, default: PASSIVE_SCAN_ENUM_VALUE, null: false
+    add_column :dast_scanner_profiles, :use_ajax_spider, :boolean, default: false, null: false
+    add_column :dast_scanner_profiles, :show_debug_messages, :boolean, default: false, null: false
+  end
+end

db/schema_migrations/20200924035825

+d413e19c8ddaba4556cf36a38e03b1c7c46ee7edf7e56692028e066f97605784
\ No newline at end of file

db/structure.sql

@@ -11216,6 +11216,9 @@ CREATE TABLE dast_scanner_profiles (
     spider_timeout smallint,
     target_timeout smallint,
     name text NOT NULL,
+    scan_type smallint DEFAULT 1 NOT NULL,
+    use_ajax_spider boolean DEFAULT false NOT NULL,
+    show_debug_messages boolean DEFAULT false NOT NULL,
     CONSTRAINT check_568568fabf CHECK ((char_length(name) <= 255))
 );
 

doc/api/graphql/reference/gitlab_schema.graphql

@@ -3634,6 +3634,11 @@ type DastOnDemandScanCreatePayload {
 }
 
 enum DastScanTypeEnum {
+  """
+  Active DAST scan. This scan will make active attacks against the target site.
+  """
+  ACTIVE
+
   """
   Passive DAST scan. This scan will not make active attacks against the target site.
   """
@@ -3664,6 +3669,16 @@ type DastScannerProfile {
   """
   profileName: String
 
+  """
+  Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.
+  """
+  scanType: DastScanTypeEnum
+
+  """
+  Indicates if debug messages should be included in DAST console output. True to include the debug messages.
+  """
+  showDebugMessages: Boolean!
+
   """
   The maximum number of minutes allowed for the spider to traverse the site
   """
@@ -3673,6 +3688,13 @@ type DastScannerProfile {
   The maximum number of seconds allowed for the site under test to respond to a request
   """
   targetTimeout: Int
+
+  """
+  Indicates if the AJAX spider should be used to crawl the target site. True to
+  run the AJAX spider in addition to the traditional spider, and false to run
+  only the traditional spider.
+  """
+  useAjaxSpider: Boolean!
 }
 
 """
@@ -3714,6 +3736,16 @@ input DastScannerProfileCreateInput {
   """
   profileName: String!
 
+  """
+  Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.
+  """
+  scanType: DastScanTypeEnum = PASSIVE
+
+  """
+  Indicates if debug messages should be included in DAST console output. True to include the debug messages.
+  """
+  showDebugMessages: Boolean = false
+
   """
   The maximum number of minutes allowed for the spider to traverse the site.
   """
@@ -3723,6 +3755,13 @@ input DastScannerProfileCreateInput {
   The maximum number of seconds allowed for the site under test to respond to a request.
   """
   targetTimeout: Int
+
+  """
+  Indicates if the AJAX spider should be used to crawl the target site. True to
+  run the AJAX spider in addition to the traditional spider, and false to run
+  only the traditional spider.
+  """
+  useAjaxSpider: Boolean = false
 }
 
 """
@@ -3829,6 +3868,16 @@ input DastScannerProfileUpdateInput {
   """
   profileName: String!
 
+  """
+  Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.
+  """
+  scanType: DastScanTypeEnum
+
+  """
+  Indicates if debug messages should be included in DAST console output. True to include the debug messages.
+  """
+  showDebugMessages: Boolean
+
   """
   The maximum number of minutes allowed for the spider to traverse the site.
   """
@@ -3838,6 +3887,13 @@ input DastScannerProfileUpdateInput {
   The maximum number of seconds allowed for the site under test to respond to a request.
   """
   targetTimeout: Int!
+
+  """
+  Indicates if the AJAX spider should be used to crawl the target site. True to
+  run the AJAX spider in addition to the traditional spider, and false to run
+  only the traditional spider.
+  """
+  useAjaxSpider: Boolean
 }
 
 """

doc/api/graphql/reference/gitlab_schema.json

@@ -9839,6 +9839,12 @@
               "description": "Passive DAST scan. This scan will not make active attacks against the target site.",
               "isDeprecated": false,
               "deprecationReason": null
+            },
+            {
+              "name": "ACTIVE",
+              "description": "Active DAST scan. This scan will make active attacks against the target site.",
+              "isDeprecated": false,
+              "deprecationReason": null
             }
           ],
           "possibleTypes": null
@@ -9912,6 +9918,38 @@
               "isDeprecated": false,
               "deprecationReason": null
             },
+            {
+              "name": "scanType",
+              "description": "Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "ENUM",
+                "name": "DastScanTypeEnum",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
+            {
+              "name": "showDebugMessages",
+              "description": "Indicates if debug messages should be included in DAST console output. True to include the debug messages.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "NON_NULL",
+                "name": null,
+                "ofType": {
+                  "kind": "SCALAR",
+                  "name": "Boolean",
+                  "ofType": null
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
             {
               "name": "spiderTimeout",
               "description": "The maximum number of minutes allowed for the spider to traverse the site",
@@ -9939,6 +9977,24 @@
               },
               "isDeprecated": false,
               "deprecationReason": null
+            },
+            {
+              "name": "useAjaxSpider",
+              "description": "Indicates if the AJAX spider should be used to crawl the target site. True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "NON_NULL",
+                "name": null,
+                "ofType": {
+                  "kind": "SCALAR",
+                  "name": "Boolean",
+                  "ofType": null
+                }
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
             }
           ],
           "inputFields": null,
@@ -10069,6 +10125,36 @@
               },
               "defaultValue": null
             },
+            {
+              "name": "scanType",
+              "description": "Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.",
+              "type": {
+                "kind": "ENUM",
+                "name": "DastScanTypeEnum",
+                "ofType": null
+              },
+              "defaultValue": "PASSIVE"
+            },
+            {
+              "name": "useAjaxSpider",
+              "description": "Indicates if the AJAX spider should be used to crawl the target site. True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.",
+              "type": {
+                "kind": "SCALAR",
+                "name": "Boolean",
+                "ofType": null
+              },
+              "defaultValue": "false"
+            },
+            {
+              "name": "showDebugMessages",
+              "description": "Indicates if debug messages should be included in DAST console output. True to include the debug messages.",
+              "type": {
+                "kind": "SCALAR",
+                "name": "Boolean",
+                "ofType": null
+              },
+              "defaultValue": "false"
+            },
             {
               "name": "clientMutationId",
               "description": "A unique identifier for the client performing the mutation.",
@@ -10398,6 +10484,36 @@
               },
               "defaultValue": null
             },
+            {
+              "name": "scanType",
+              "description": "Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan.",
+              "type": {
+                "kind": "ENUM",
+                "name": "DastScanTypeEnum",
+                "ofType": null
+              },
+              "defaultValue": null
+            },
+            {
+              "name": "useAjaxSpider",
+              "description": "Indicates if the AJAX spider should be used to crawl the target site. True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.",
+              "type": {
+                "kind": "SCALAR",
+                "name": "Boolean",
+                "ofType": null
+              },
+              "defaultValue": null
+            },
+            {
+              "name": "showDebugMessages",
+              "description": "Indicates if debug messages should be included in DAST console output. True to include the debug messages.",
+              "type": {
+                "kind": "SCALAR",
+                "name": "Boolean",
+                "ofType": null
+              },
+              "defaultValue": null
+            },
             {
               "name": "clientMutationId",
               "description": "A unique identifier for the client performing the mutation.",

doc/api/graphql/reference/index.md

@@ -592,8 +592,11 @@ Represents a DAST scanner profile.
 | `globalId` | DastScannerProfileID! | ID of the DAST scanner profile |
 | `id` **{warning-solid}** | ID! | **Deprecated:** Use `global_id`. Deprecated in 13.4 |
 | `profileName` | String | Name of the DAST scanner profile |
+| `scanType` | DastScanTypeEnum | Indicates the type of DAST scan that will run. Either a Passive Scan or an Active Scan. |
+| `showDebugMessages` | Boolean! | Indicates if debug messages should be included in DAST console output. True to include the debug messages. |
 | `spiderTimeout` | Int | The maximum number of minutes allowed for the spider to traverse the site |
 | `targetTimeout` | Int | The maximum number of seconds allowed for the site under test to respond to a request |
+| `useAjaxSpider` | Boolean! | Indicates if the AJAX spider should be used to crawl the target site. True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider. |
 
 ### DastScannerProfileCreatePayload
 
@@ -3140,6 +3143,7 @@ Mode of a commit action.
 
 | Value | Description |
 | ----- | ----------- |
+| `ACTIVE` | Active DAST scan. This scan will make active attacks against the target site. |
 | `PASSIVE` | Passive DAST scan. This scan will not make active attacks against the target site. |
 
 ### DastSiteProfileValidationStatusEnum

ee/app/graphql/mutations/dast_scanner_profiles/create.rb

@@ -32,13 +32,38 @@ module Mutations
                 required: false,
                 description: 'The maximum number of seconds allowed for the site under test to respond to a request.'
 
+      argument :scan_type, Types::DastScanTypeEnum,
+                required: false,
+                description: 'Indicates the type of DAST scan that will run. ' \
+                'Either a Passive Scan or an Active Scan.',
+                default_value: 'passive'
+
+      argument :use_ajax_spider, GraphQL::BOOLEAN_TYPE,
+                required: false,
+                description: 'Indicates if the AJAX spider should be used to crawl the target site. ' \
+                'True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.',
+                default_value: false
+
+      argument :show_debug_messages, GraphQL::BOOLEAN_TYPE,
+                required: false,
+                description: 'Indicates if debug messages should be included in DAST console output. ' \
+                'True to include the debug messages.',
+                default_value: false
+
       authorize :create_on_demand_dast_scan
 
-      def resolve(full_path:, profile_name:, spider_timeout: nil, target_timeout: nil)
+      def resolve(full_path:, profile_name:, spider_timeout: nil, target_timeout: nil, scan_type:, use_ajax_spider:, show_debug_messages:)
         project = authorized_find_project!(full_path: full_path)
 
         service = ::DastScannerProfiles::CreateService.new(project, current_user)
-        result = service.execute(name: profile_name, spider_timeout: spider_timeout, target_timeout: target_timeout)
+        result = service.execute(
+          name: profile_name,
+          spider_timeout: spider_timeout,
+          target_timeout: target_timeout,
+          scan_type: scan_type,
+          use_ajax_spider: use_ajax_spider,
+          show_debug_messages: show_debug_messages
+        )
 
         if result.success?
           { id: result.payload.to_global_id, global_id: result.payload.to_global_id, errors: [] }

ee/app/graphql/mutations/dast_scanner_profiles/update.rb

@@ -31,6 +31,21 @@ module Mutations
                 required: true,
                 description: 'The maximum number of seconds allowed for the site under test to respond to a request.'
 
+      argument :scan_type, Types::DastScanTypeEnum,
+                required: false,
+                description: 'Indicates the type of DAST scan that will run. ' \
+                'Either a Passive Scan or an Active Scan.'
+
+      argument :use_ajax_spider, GraphQL::BOOLEAN_TYPE,
+                required: false,
+                description: 'Indicates if the AJAX spider should be used to crawl the target site. ' \
+                'True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.'
+
+      argument :show_debug_messages, GraphQL::BOOLEAN_TYPE,
+                required: false,
+                description: 'Indicates if debug messages should be included in DAST console output. ' \
+                'True to include the debug messages.'
+
       authorize :create_on_demand_dast_scan
 
       def resolve(full_path:, **service_args)

ee/app/graphql/types/dast_scan_type_enum.rb

@@ -2,6 +2,7 @@
 
 module Types
   class DastScanTypeEnum < BaseEnum
-    value 'PASSIVE', description: 'Passive DAST scan. This scan will not make active attacks against the target site.'
+    value 'PASSIVE', value: 'passive', description: 'Passive DAST scan. This scan will not make active attacks against the target site.'
+    value 'ACTIVE', value: 'active', description: 'Active DAST scan. This scan will make active attacks against the target site.'
   end
 end

ee/app/graphql/types/dast_scanner_profile_type.rb

@@ -25,6 +25,18 @@ module Types
     field :target_timeout, GraphQL::INT_TYPE, null: true,
           description: 'The maximum number of seconds allowed for the site under test to respond to a request'
 
+    field :scan_type, Types::DastScanTypeEnum, null: true,
+          description: 'Indicates the type of DAST scan that will run. ' \
+          'Either a Passive Scan or an Active Scan.'
+
+    field :use_ajax_spider, GraphQL::BOOLEAN_TYPE, null: false,
+          description: 'Indicates if the AJAX spider should be used to crawl the target site. ' \
+          'True to run the AJAX spider in addition to the traditional spider, and false to run only the traditional spider.'
+
+    field :show_debug_messages, GraphQL::BOOLEAN_TYPE, null: false,
+          description: 'Indicates if debug messages should be included in DAST console output. ' \
+          'True to include the debug messages.'
+
     field :edit_path, GraphQL::STRING_TYPE, null: true,
           description: 'Relative web path to the edit page of a scanner profile',
           resolve: -> (obj, _args, _ctx) do

ee/app/models/dast_scanner_profile.rb

@@ -7,4 +7,9 @@ class DastScannerProfile < ApplicationRecord
   validates :name, length: { maximum: 255 }, uniqueness: { scope: :project_id }
 
   scope :project_id_in, -> (project_ids) { where(project_id: project_ids) }
+
+  enum scan_type: {
+    passive: 1,
+    active: 2
+  }
 end

ee/app/services/dast_scanner_profiles/create_service.rb

@@ -2,14 +2,17 @@
 
 module DastScannerProfiles
   class CreateService < BaseService
-    def execute(name:, target_timeout:, spider_timeout:)
+    def execute(name:, target_timeout:, spider_timeout:, scan_type:, use_ajax_spider:, show_debug_messages:)
       return ServiceResponse.error(message: 'Insufficient permissions') unless allowed?
 
       dast_scanner_profile = DastScannerProfile.create(
         project: project,
         name: name,
         target_timeout: target_timeout,
-        spider_timeout: spider_timeout
+        spider_timeout: spider_timeout,
+        scan_type: scan_type,
+        use_ajax_spider: use_ajax_spider,
+        show_debug_messages: show_debug_messages
       )
       return ServiceResponse.success(payload: dast_scanner_profile) if dast_scanner_profile.valid?
 

ee/app/services/dast_scanner_profiles/update_service.rb

@@ -4,13 +4,22 @@ module DastScannerProfiles
   class UpdateService < BaseService
     include Gitlab::Allowable
 
-    def execute(id:, profile_name:, target_timeout:, spider_timeout:)
+    def execute(id:, profile_name:, target_timeout:, spider_timeout:, scan_type: nil, use_ajax_spider: nil, show_debug_messages: nil)
       return unauthorized unless can_update_scanner_profile?
 
       dast_scanner_profile = find_dast_scanner_profile(id)
       return ServiceResponse.error(message: "Scanner profile not found for given parameters") unless dast_scanner_profile
 
-      if dast_scanner_profile.update(name: profile_name, target_timeout: target_timeout, spider_timeout: spider_timeout)
+      update_args = {
+        name: profile_name,
+        target_timeout: target_timeout,
+        spider_timeout: spider_timeout
+      }
+      update_args[:scan_type] = scan_type if scan_type
+      update_args[:use_ajax_spider] = use_ajax_spider if use_ajax_spider
+      update_args[:show_debug_messages] = show_debug_messages if show_debug_messages
+
+      if dast_scanner_profile.update(update_args)
         ServiceResponse.success(payload: dast_scanner_profile)
       else
         ServiceResponse.error(message: dast_scanner_profile.errors.full_messages)

ee/spec/graphql/mutations/dast_scanner_profiles/create_spec.rb

@@ -20,7 +20,10 @@ RSpec.describe Mutations::DastScannerProfiles::Create do
     subject do
       mutation.resolve(
         full_path: full_path,
-        profile_name: profile_name
+        profile_name: profile_name,
+        scan_type: DastScannerProfile.scan_types[:passive],
+        use_ajax_spider: false,
+        show_debug_messages: false
       )
     end
 
@@ -52,7 +55,15 @@ RSpec.describe Mutations::DastScannerProfiles::Create do
         result = double('result', success?: false, errors: [])
 
         expect(DastScannerProfiles::CreateService).to receive(:new).and_return(service)
-        expect(service).to receive(:execute).with(name: profile_name, spider_timeout: nil, target_timeout: nil).and_return(result)
+        expected_args = {
+          name: profile_name,
+          spider_timeout: nil,
+          target_timeout: nil,
+          scan_type: DastScannerProfile.scan_types[:passive],
+          show_debug_messages: false,
+          use_ajax_spider: false
+        }
+        expect(service).to receive(:execute).with(expected_args).and_return(result)
 
         subject
       end
@@ -63,7 +74,10 @@ RSpec.describe Mutations::DastScannerProfiles::Create do
 
           response = mutation.resolve(
             full_path: full_path,
-            profile_name: profile_name
+            profile_name: profile_name,
+            scan_type: DastScannerProfile.scan_types[:passive],
+            use_ajax_spider: false,
+            show_debug_messages: false
           )
 
           expect(response[:errors]).to include('Name has already been taken')

ee/spec/graphql/mutations/dast_scanner_profiles/update_spec.rb

@@ -12,6 +12,9 @@ RSpec.describe Mutations::DastScannerProfiles::Update do
   let_it_be(:new_profile_name) { SecureRandom.hex }
   let_it_be(:new_target_timeout) { dast_scanner_profile.target_timeout + 1 }
   let_it_be(:new_spider_timeout) { dast_scanner_profile.spider_timeout + 1 }
+  let_it_be(:new_scan_type) { (DastScannerProfile.scan_types.keys - [DastScannerProfile.last.scan_type]).first }
+  let_it_be(:new_use_ajax_spider) { !dast_scanner_profile.use_ajax_spider }
+  let_it_be(:new_show_debug_messages) { !dast_scanner_profile.show_debug_messages }
 
   subject(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) }
 
@@ -26,7 +29,10 @@ RSpec.describe Mutations::DastScannerProfiles::Update do
         id: scanner_profile_id,
         profile_name: new_profile_name,
         target_timeout: new_target_timeout,
-        spider_timeout: new_spider_timeout
+        spider_timeout: new_spider_timeout,
+        scan_type: new_scan_type,
+        use_ajax_spider: new_use_ajax_spider,
+        show_debug_messages: new_show_debug_messages
       )
     end
 
@@ -60,6 +66,28 @@ RSpec.describe Mutations::DastScannerProfiles::Update do
           project.add_developer(user)
         end
 
+        context 'when the user omits unrequired elements' do
+          subject do
+            mutation.resolve(
+              full_path: full_path,
+              id: scanner_profile_id,
+              profile_name: new_profile_name,
+              target_timeout: new_target_timeout,
+              spider_timeout: new_spider_timeout
+            )
+          end
+
+          it 'does not update those elements' do
+            updated_dast_scanner_profile = subject[:id].find
+
+            aggregate_failures do
+              expect(updated_dast_scanner_profile.scan_type).to eq(dast_scanner_profile.scan_type)
+              expect(updated_dast_scanner_profile.use_ajax_spider).to eq(dast_scanner_profile.use_ajax_spider)
+              expect(updated_dast_scanner_profile.show_debug_messages).to eq(dast_scanner_profile.show_debug_messages)
+            end
+          end
+        end
+
         it 'updates the dast_scanner_profile' do
           dast_scanner_profile = subject[:id].find
 
@@ -67,6 +95,9 @@ RSpec.describe Mutations::DastScannerProfiles::Update do
             expect(dast_scanner_profile.name).to eq(new_profile_name)
             expect(dast_scanner_profile.target_timeout).to eq(new_target_timeout)
             expect(dast_scanner_profile.spider_timeout).to eq(new_spider_timeout)
+            expect(dast_scanner_profile.scan_type).to eq(new_scan_type)
+            expect(dast_scanner_profile.use_ajax_spider).to eq(new_use_ajax_spider)
+            expect(dast_scanner_profile.show_debug_messages).to eq(new_show_debug_messages)
           end
         end
 

ee/spec/graphql/types/dast_scanner_profile_type_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
   let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile) }
   let_it_be(:project) { dast_scanner_profile.project }
   let_it_be(:user) { create(:user) }
-  let_it_be(:fields) { %i[id globalId profileName spiderTimeout targetTimeout editPath] }
+  let_it_be(:fields) { %i[id globalId profileName spiderTimeout targetTimeout editPath scanType useAjaxSpider showDebugMessages] }
 
   let(:response) do
     GitlabSchema.execute(
@@ -47,6 +47,9 @@ RSpec.describe GitlabSchema.types['DastScannerProfile'] do
                 profileName
                 targetTimeout
                 spiderTimeout
+                scanType
+                useAjaxSpider
+                showDebugMessages
               }
             }
           }

ee/spec/requests/api/graphql/mutations/dast_scanner_profiles/create_spec.rb

@@ -31,6 +31,16 @@ RSpec.describe 'Creating a DAST Scanner Profile' do
       expect(mutation_response['globalId']).to eq(dast_scanner_profile.to_global_id.to_s)
     end
 
+    it 'sets default values of omitted properties' do
+      post_graphql_mutation(mutation, current_user: current_user)
+
+      aggregate_failures do
+        expect(dast_scanner_profile.scan_type).to eq('passive')
+        expect(dast_scanner_profile.use_ajax_spider).to eq(false)
+        expect(dast_scanner_profile.show_debug_messages).to eq(false)
+      end
+    end
+
     context 'when dast_scanner_profile exists' do
       before do
         DastScannerProfile.create!(project: project, name: profile_name)

ee/spec/requests/api/graphql/mutations/dast_scanner_profiles/update_spec.rb

@@ -11,6 +11,9 @@ RSpec.describe 'Update a DAST Scanner Profile' do
   let_it_be(:new_profile_name) { SecureRandom.hex }
   let(:new_target_timeout) { dast_scanner_profile.target_timeout + 1 }
   let(:new_spider_timeout) { dast_scanner_profile.spider_timeout + 1 }
+  let(:new_scan_type) { (DastScannerProfile.scan_types.keys - [DastScannerProfile.last.scan_type]).first }
+  let(:new_use_ajax_spider) { !dast_scanner_profile.use_ajax_spider }
+  let(:new_show_debug_messages) { !dast_scanner_profile.show_debug_messages }
 
   let(:mutation_name) { :dast_scanner_profile_update }
   let(:mutation) do
@@ -20,7 +23,10 @@ RSpec.describe 'Update a DAST Scanner Profile' do
       id: dast_scanner_profile.to_global_id.to_s,
       profile_name: new_profile_name,
       target_timeout: new_target_timeout,
-      spider_timeout: new_spider_timeout
+      spider_timeout: new_spider_timeout,
+      scan_type: new_scan_type.upcase,
+      use_ajax_spider: new_use_ajax_spider,
+      show_debug_messages: new_show_debug_messages
     )
   end
 
@@ -40,6 +46,9 @@ RSpec.describe 'Update a DAST Scanner Profile' do
         expect(dast_scanner_profile.name).to eq(new_profile_name)
         expect(dast_scanner_profile.target_timeout).to eq(new_target_timeout)
         expect(dast_scanner_profile.spider_timeout).to eq(new_spider_timeout)
+        expect(dast_scanner_profile.scan_type).to eq(new_scan_type)
+        expect(dast_scanner_profile.use_ajax_spider).to eq(new_use_ajax_spider)
+        expect(dast_scanner_profile.show_debug_messages).to eq(new_show_debug_messages)
       end
     end
 
@@ -65,7 +74,10 @@ RSpec.describe 'Update a DAST Scanner Profile' do
           id: dast_scanner_profile.to_global_id.to_s,
           profile_name: new_profile_name,
           target_timeout: new_target_timeout,
-          spider_timeout: new_spider_timeout
+          spider_timeout: new_spider_timeout,
+          scan_type: new_scan_type.upcase,
+          use_ajax_spider: new_use_ajax_spider,
+          show_debug_messages: new_show_debug_messages
         )
       end
 

ee/spec/requests/api/graphql/mutations/pipelines/run_dast_scan_spec.rb

@@ -10,7 +10,7 @@ RSpec.describe 'Running a DAST Scan' do
   let(:project_path) { project.full_path }
   let(:target_url) { generate(:url) }
   let(:branch) { project.default_branch }
-  let(:scan_type) { Types::DastScanTypeEnum.enum[:passive] }
+  let(:scan_type) { Types::DastScanTypeEnum.enum[:passive].upcase }
 
   let(:mutation) do
     graphql_mutation(

ee/spec/services/dast_scanner_profiles/create_service_spec.rb

@@ -8,6 +8,9 @@ RSpec.describe DastScannerProfiles::CreateService do
   let(:name) { FFaker::Company.catch_phrase }
   let(:target_timeout) { 60 }
   let(:spider_timeout) { 600 }
+  let(:scan_type) { 1 }
+  let(:use_ajax_spider) { true }
+  let(:show_debug_messages) { true }
 
   before do
     stub_licensed_features(security_on_demand_scans: true)
@@ -18,7 +21,10 @@ RSpec.describe DastScannerProfiles::CreateService do
       described_class.new(project, user).execute(
         name: name,
         target_timeout: target_timeout,
-        spider_timeout: spider_timeout
+        spider_timeout: spider_timeout,
+        scan_type: scan_type,
+        use_ajax_spider: use_ajax_spider,
+        show_debug_messages: show_debug_messages
       )
     end
 
@@ -66,6 +72,18 @@ RSpec.describe DastScannerProfiles::CreateService do
         expect { subject }.to change(DastScannerProfile, :count).by(1)
       end
 
+      it 'creates a dast_scanner_profile with the given params' do
+        aggregate_failures do
+          expect(payload).to be_persisted
+          expect(payload.spider_timeout).to eq(spider_timeout)
+          expect(payload.target_timeout).to eq(target_timeout)
+          expect(payload.name).to eq(name)
+          expect(DastScannerProfile.scan_types[payload.scan_type]).to eq(scan_type)
+          expect(payload.use_ajax_spider).to eq(use_ajax_spider)
+          expect(payload.show_debug_messages).to eq(show_debug_messages)
+        end
+      end
+
       it 'returns a dast_scanner_profile payload' do
         expect(payload).to be_a(DastScannerProfile)
       end

ee/spec/services/dast_scanner_profiles/update_service_spec.rb

@@ -12,6 +12,9 @@ RSpec.describe DastScannerProfiles::UpdateService do
   let_it_be(:new_profile_name) { SecureRandom.hex }
   let_it_be(:new_target_timeout) { dast_scanner_profile.target_timeout + 1 }
   let_it_be(:new_spider_timeout) { dast_scanner_profile.spider_timeout + 1 }
+  let_it_be(:new_scan_type) { (DastScannerProfile.scan_types.keys - [DastScannerProfile.last.scan_type]).first }
+  let_it_be(:new_use_ajax_spider) { !dast_scanner_profile.use_ajax_spider }
+  let_it_be(:new_show_debug_messages) { !dast_scanner_profile.show_debug_messages }
 
   before do
     stub_licensed_features(security_on_demand_scans: true)
@@ -23,7 +26,10 @@ RSpec.describe DastScannerProfiles::UpdateService do
         id: dast_scanner_profile_id,
         profile_name: new_profile_name,
         target_timeout: new_target_timeout,
-        spider_timeout: new_spider_timeout
+        spider_timeout: new_spider_timeout,
+        scan_type: new_scan_type,
+        use_ajax_spider: new_use_ajax_spider,
+        show_debug_messages: new_show_debug_messages
       )
     end
 
@@ -53,7 +59,10 @@ RSpec.describe DastScannerProfiles::UpdateService do
           id: dast_scanner_profile.id,
           profile_name: new_profile_name,
           target_timeout: new_target_timeout,
-          spider_timeout: new_spider_timeout
+          spider_timeout: new_spider_timeout,
+          scan_type: new_scan_type,
+          use_ajax_spider: new_use_ajax_spider,
+          show_debug_messages: new_show_debug_messages
         )
       end
 
@@ -67,6 +76,31 @@ RSpec.describe DastScannerProfiles::UpdateService do
         project.add_developer(user)
       end
 
+      context 'when the user omits unrequired elements' do
+        before do
+          project.add_developer(user)
+        end
+
+        subject do
+          described_class.new(project, user).execute(
+            id: dast_scanner_profile_id,
+            profile_name: new_profile_name,
+            target_timeout: new_target_timeout,
+            spider_timeout: new_spider_timeout
+          )
+        end
+
+        it 'does not update those elements' do
+          updated_dast_scanner_profile = payload.reload
+
+          aggregate_failures do
+            expect(updated_dast_scanner_profile.scan_type).to eq(dast_scanner_profile.scan_type)
+            expect(updated_dast_scanner_profile.use_ajax_spider).to eq(dast_scanner_profile.use_ajax_spider)
+            expect(updated_dast_scanner_profile.show_debug_messages).to eq(dast_scanner_profile.show_debug_messages)
+          end
+        end
+      end
+
       it 'returns a success status' do
         expect(status).to eq(:success)
       end
@@ -78,6 +112,9 @@ RSpec.describe DastScannerProfiles::UpdateService do
           expect(updated_dast_scanner_profile.name).to eq(new_profile_name)
           expect(updated_dast_scanner_profile.target_timeout).to eq(new_target_timeout)
           expect(updated_dast_scanner_profile.spider_timeout).to eq(new_spider_timeout)
+          expect(updated_dast_scanner_profile.scan_type).to eq(new_scan_type)
+          expect(updated_dast_scanner_profile.use_ajax_spider).to eq(new_use_ajax_spider)
+          expect(updated_dast_scanner_profile.show_debug_messages).to eq(new_show_debug_messages)
         end
       end