Merge branch 'pin-dast-to-major-version' into 'master'

Pin to the major version of DAST

Closes #33364

See merge request gitlab-org/gitlab!22371

doc/user/application_security/dast/index.md

@@ -103,6 +103,10 @@ always take the latest DAST artifact available. Behind the scenes, the
 [GitLab DAST Docker image](https://gitlab.com/gitlab-org/security-products/dast)
 is used to run the tests on the specified URL and scan it for possible vulnerabilities.
 
+By default, the DAST template will use the latest major version of the DAST Docker image. Using the `DAST_VERSION` variable,
+you can choose to automatically update DAST with new features and fixes by pinning to a major version (e.g. 1), only update fixes by pinning to a minor version (e.g. 1.6) or prevent all updates by pinning to a specific version (e.g. 1.6.4).
+Find the latest DAST versions on the [Releases](https://gitlab.com/gitlab-org/security-products/dast/-/releases) page.
+
 ### Authenticated scan
 
 It's also possible to authenticate the user before performing the DAST checks:

ee/changelogs/unreleased/pin-dast-to-major-version.yml

+---
+title: DAST vendored template pins DAST to latest major version
+merge_request: 22371
+author:
+type: changed

lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml

@@ -10,10 +10,13 @@ stages:
   - deploy
   - dast
 
+variables:
+  DAST_VERSION: 1
+
 dast:
   stage: dast
   image:
-    name: "registry.gitlab.com/gitlab-org/security-products/dast:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
+    name: "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION"
   variables:
   # URL to scan:
   # DAST_WEBSITE: https://example.com/