107 lines
2.9 KiB
YAML
107 lines
2.9 KiB
YAML
.dast_conf:
|
|
tags:
|
|
- prm
|
|
# For scheduling dast job
|
|
extends:
|
|
- .reports:rules:schedule-dast
|
|
image:
|
|
name: "${CI_TEMPLATE_REGISTRY_HOST}/security-products/dast:$DAST_VERSION"
|
|
resource_group: dast_scan
|
|
variables:
|
|
DAST_USERNAME_FIELD: "name:user[login]"
|
|
DAST_PASSWORD_FIELD: "name:user[password]"
|
|
DAST_SUBMIT_FIELD: "css:.js-sign-in-button"
|
|
DAST_FULL_SCAN_ENABLED: "true"
|
|
DAST_VERSION: 3
|
|
GIT_STRATEGY: none
|
|
# -Xmx is used to set the JVM memory to 6GB to prevent DAST OutOfMemoryError.
|
|
DAST_ZAP_CLI_OPTIONS: "-Xmx6144m"
|
|
before_script:
|
|
- 'export DAST_WEBSITE="${DAST_WEBSITE:-$(cat environment_url.txt)}"'
|
|
- 'export DAST_AUTH_URL="${DAST_WEBSITE}/users/sign_in"'
|
|
- 'export DAST_PASSWORD="${REVIEW_APPS_ROOT_PASSWORD}"'
|
|
# Help pages are excluded from scan as they are static pages.
|
|
# profile/two_factor_auth is excluded from scan to prevent 2FA from being turned on from user profile, which will reduce coverage.
|
|
- 'DAST_EXCLUDE_URLS="${DAST_WEBSITE}/help/.*,${DAST_WEBSITE}/-/profile/two_factor_auth,${DAST_WEBSITE}/users/sign_out"'
|
|
# Exclude the automatically generated monitoring project from being tested due to https://gitlab.com/gitlab-org/gitlab/-/issues/260362
|
|
- 'export DAST_EXCLUDE_URLS="${DAST_EXCLUDE_URLS},${DAST_WEBSITE}/gitlab-instance-.*"'
|
|
needs: ["review-deploy"]
|
|
stage: dast
|
|
# Default job timeout set to 90m and dast rules needs 2h to so that it won't timeout.
|
|
timeout: 3h
|
|
# Add retry because of intermittent connection problems. See https://gitlab.com/gitlab-org/gitlab/-/issues/244313
|
|
retry: 1
|
|
artifacts:
|
|
paths:
|
|
- gl-dast-report.json # GitLab-specific
|
|
reports:
|
|
dast: gl-dast-report.json
|
|
expire_in: 1 week # GitLab-specific
|
|
allow_failure: true
|
|
|
|
# DAST scan with a subset of Release scan rules.
|
|
# ZAP rule details can be found at https://www.zaproxy.org/docs/alerts/
|
|
|
|
dast:anti-clickjacking-header:
|
|
extends:
|
|
- .dast_conf
|
|
variables:
|
|
DAST_USERNAME: "user1"
|
|
DAST_ONLY_INCLUDE_RULES: "10020"
|
|
script:
|
|
- /analyze
|
|
|
|
dast:xss-persistant:
|
|
extends:
|
|
- .dast_conf
|
|
variables:
|
|
DAST_USERNAME: "user2"
|
|
DAST_ONLY_INCLUDE_RULES: "40014"
|
|
script:
|
|
- /analyze
|
|
|
|
dast:insecure-http-method:
|
|
extends:
|
|
- .dast_conf
|
|
variables:
|
|
DAST_USERNAME: "user3"
|
|
DAST_ONLY_INCLUDE_RULES: "90028"
|
|
script:
|
|
- /analyze
|
|
|
|
dast:server-side-template-inj:
|
|
extends:
|
|
- .dast_conf
|
|
variables:
|
|
DAST_USERNAME: "user4"
|
|
DAST_ONLY_INCLUDE_RULES: "90035"
|
|
script:
|
|
- /analyze
|
|
|
|
dast:server-side-template-inj-blind:
|
|
extends:
|
|
- .dast_conf
|
|
variables:
|
|
DAST_USERNAME: "user5"
|
|
DAST_ONLY_INCLUDE_RULES: "90035"
|
|
script:
|
|
- /analyze
|
|
|
|
dast:session-fixation:
|
|
extends:
|
|
- .dast_conf
|
|
variables:
|
|
DAST_USERNAME: "user6"
|
|
DAST_ONLY_INCLUDE_RULES: "40013"
|
|
script:
|
|
- /analyze
|
|
|
|
dast:xss-dombased:
|
|
extends:
|
|
- .dast_conf
|
|
variables:
|
|
DAST_USERNAME: "user10"
|
|
DAST_ONLY_INCLUDE_RULES: "40026"
|
|
script:
|
|
- /analyze
|