Merge branch 'da-mask-credentials' into 'master'

Add instructions for masking credentials See merge request gitlab-org/gitlab!32948

Merge branch 'da-mask-credentials' into 'master'
Add instructions for masking credentials See merge request gitlab-org/gitlab!32948
b429e57b · Russell Dickenson · 77aa6604 · 63d34af0 · b429e57b
Commit b429e57b authored May 27, 2020 by Russell Dickenson
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 3 deletions

doc/user/application_security/dast/index.md doc/user/application_security/dast/index.md +8 -3

No files found.
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -145,7 +145,14 @@ the site during a scan could lead to inaccurate results.

 ### Authentication

-It's also possible to authenticate the user before performing the DAST checks:
+It's also possible to authenticate the user before performing the DAST checks.
+
+Create masked variables to pass the credentials that DAST will use.
+To create masked variables for the username and password, see [Create a custom variable in the UI](../../../ci/variables/README.md#create-a-custom-variable-in-the-ui).
+Note that the key of the username variable must be `DAST_USERNAME`
+and the key of the password variable must be `DAST_PASSWORD`.
+
+Other variables that are related to authenticated scans are:

 ```yaml
 include:
@@ -154,8 +161,6 @@ include:
 variables:
  DAST_WEBSITE: https://example.com
  DAST_AUTH_URL: https://example.com/sign-in
-  DAST_USERNAME: john.doe@example.com
-  DAST_PASSWORD: john-doe-password
  DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
  DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
  DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between