.dast_conf:
  tags:
    - prm
  # For scheduling dast job
  extends:
    - .reports:rules:schedule-dast
  image:
    name: "${CI_TEMPLATE_REGISTRY_HOST}/security-products/dast:$DAST_VERSION"
  resource_group: dast_scan
  variables:
    DAST_USERNAME_FIELD: "name:user[login]"
    DAST_PASSWORD_FIELD: "name:user[password]"
    DAST_SUBMIT_FIELD: "css:.js-sign-in-button"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_VERSION: 3
    GIT_STRATEGY: none
    # -Xmx is used to set the JVM memory to 6GB to prevent DAST OutOfMemoryError.
    DAST_ZAP_CLI_OPTIONS: "-Xmx6144m"
  before_script:
    - 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"'
    - 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"'
    - 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"'
    # Help pages are excluded from scan as they are static pages.
    # profile/two_factor_auth is excluded from scan to prevent 2FA from being turned on from user profile, which will reduce coverage.
    - 'DAST_EXCLUDE_URLS="${DAST_WEBSITE}/help/.*,${DAST_WEBSITE}/-/profile/two_factor_auth,${DAST_WEBSITE}/users/sign_out"'
    # Exclude the automatically generated monitoring project from being tested due to https://gitlab.com/gitlab-org/gitlab/-/issues/260362
    - 'export DAST_EXCLUDE_URLS="${DAST_EXCLUDE_URLS},${DAST_WEBSITE}/gitlab-instance-.*"'
  needs: ["review-deploy"]
  stage: dast
  # Default job timeout set to 90m and dast rules needs 2h to so that it won't timeout.
  timeout: 3h
  # Add retry because of intermittent connection problems. See https://gitlab.com/gitlab-org/gitlab/-/issues/244313
  retry: 1
  artifacts:
    paths:
      - gl-dast-report.json  # GitLab-specific
    reports:
      dast: gl-dast-report.json
    expire_in: 1 week  # GitLab-specific
  allow_failure: true

# DAST scan with a subset of Release scan rules.
# ZAP rule details can be found at https://www.zaproxy.org/docs/alerts/

dast:anti-clickjacking-header:
  extends:
    - .dast_conf
  variables:
    DAST_USERNAME: "user1"
    DAST_ONLY_INCLUDE_RULES: "10020"
  script:
    - /analyze

dast:xss-persistant:
  extends:
    - .dast_conf
  variables:
    DAST_USERNAME: "user2"
    DAST_ONLY_INCLUDE_RULES: "40014"
  script:
    - /analyze

dast:insecure-http-method:
  extends:
    - .dast_conf
  variables:
    DAST_USERNAME: "user3"
    DAST_ONLY_INCLUDE_RULES: "90028"
  script:
    - /analyze

dast:server-side-template-inj:
  extends:
    - .dast_conf
  variables:
    DAST_USERNAME: "user4"
    DAST_ONLY_INCLUDE_RULES: "90035"
  script:
    - /analyze

dast:server-side-template-inj-blind:
  extends:
    - .dast_conf
  variables:
    DAST_USERNAME: "user5"
    DAST_ONLY_INCLUDE_RULES: "90035"
  script:
    - /analyze

dast:session-fixation:
  extends:
    - .dast_conf
  variables:
    DAST_USERNAME: "user6"
    DAST_ONLY_INCLUDE_RULES: "40013"
  script:
    - /analyze

dast:xss-dombased:
  extends:
    - .dast_conf
  variables:
    DAST_USERNAME: "user10"
    DAST_ONLY_INCLUDE_RULES: "40026"
  script:
    - /analyze