Add ZAP Full Scan support to DAST vendored template

8c177986 · Victor Zagorodny · Achilleas Pipinellis · bf01f931 · 8c177986 · 8c177986
Commit 8c177986 authored Apr 26, 2019 by Victor Zagorodny Committed by Achilleas Pipinellis Apr 26, 2019
3 changed files
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -32,9 +32,11 @@ see the details and the URL(s) affected.
 [Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_Application_Security_Testing)
 is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
 to perform an analysis on your running web application.
-Since it is based on [ZAP Baseline](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan),
-DAST will perform passive scanning only; it will not actively attack your application.
+By default, DAST executes [ZAP Baseline Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan) and will perform passive scanning only. It will not actively attack your application.
+However, DAST can be [configured](#full-scan)
+to also perform a so-called "active scan". That is, attack your application and produce a more extensive security report.
 It can be very useful combined with [Review Apps](../../../ci/review_apps/index.md).
 ## Use cases
@@ -98,6 +100,8 @@ There are two ways to define the URL to be scanned by DAST:
 - Set the `DAST_WEBSITE` [variable](../../../ci/yaml/README.md#variables).
 - Add it in an `environment_url.txt` file at the root of your project.
+#### Authenticated scan
 It's also possible to authenticate the user before performing the DAST checks:
 ```yaml
@@ -111,6 +115,7 @@ variables:
  DAST_PASSWORD: john-doe-password
  DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
  DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
+  DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
 ```
 The report will be saved as a
@@ -118,6 +123,19 @@ The report will be saved as a
 that you can later download and analyze.
 Due to implementation limitations, we always take the latest DAST artifact available.
+#### Full scan
+DAST can be configured to perform [ZAP Full Scan](https://github.com/zaproxy/zaproxy/wiki/ZAP-Full-Scan), which
+includes both passive and active scanning against the same target website:
+```yaml
+include:
+  template: DAST.gitlab-ci.yml
+variables:
+  DAST_FULL_SCAN_ENABLED: "true"
+```
 #### Customizing the DAST settings
 The SAST settings can be changed through environment variables by using the

--- a/ee/changelogs/unreleased/7182-add-dast-full-scan-enabled-support.yml
+++ b/ee/changelogs/unreleased/7182-add-dast-full-scan-enabled-support.yml
+---
+title: Added ZAP Full Scan support for DAST
+merge_request: 11269
+author:
+type: added
--- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
@@ -30,6 +30,7 @@ dast:
    - |
      function dast_run() {
        docker run \
+        --env DAST_FULL_SCAN_ENABLED \
        --env DAST_TARGET_AVAILABILITY_TIMEOUT \
        --volume "$PWD:/output" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
@@ -46,7 +47,8 @@ dast:
          --auth-username $DAST_USERNAME \
          --auth-password $DAST_PASSWORD \
          --auth-username-field $DAST_USERNAME_FIELD \
-          --auth-password-field $DAST_PASSWORD_FIELD
+          --auth-password-field $DAST_PASSWORD_FIELD \
+          --auth-exclude-urls $DAST_AUTH_EXCLUDE_URLS
      else
        dast_run
      fi