Commit 3d9f7a44 authored by Nick Gaskill


Merge branch '235447-dast-scanner-profile-library-implementation-iteration-1-add-documentation' into 'master'

Add documentation updates and enable on-demand scanner profiles feature flag by default

See merge request gitlab-org/gitlab!41950
parents c111b44c 86f6d6f4
...@@ -643,7 +643,72 @@ To delete an existing site profile: ...@@ -643,7 +643,72 @@ To delete an existing site profile:
1. Click **Manage** in the **DAST Profiles** row. 1. Click **Manage** in the **DAST Profiles** row.
1. Click **{remove}** in the row of the profile to delete. 1. Click **{remove}** in the row of the profile to delete.
## On-Demand Scans ## Scanner profile
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/222767) in GitLab 13.4.
> - [Deployed behind a feature flag](../../feature_flags.md), enabled by default.
> - Enabled on GitLab.com.
> - Can be enabled or disabled per-project.
> - Recommended for production use.
> - For GitLab self-managed instances, GitLab administrators can [disable this feature](#enable-or-disable-dast-scanner-profiles).
A scanner profile defines the scanner settings used to run an on-demand scan:
- **Profile name:** A name you give the scanner profile. For example, "Spider_15".
- **Spider timeout:** The maximum number of minutes allowed for the spider to traverse the site.
- **Target timeout:** The maximum number of seconds DAST waits for the site to be available before
starting the scan.
### Create a scanner profile
To create a scanner profile:
1. From your project's home page, go to **Security & Compliance > Configuration**.
1. Click **Manage** in the **DAST Profiles** row.
1. Click **New Profile > Scanner Profile**.
1. Enter a unique **Profile name**, the desired **Spider timeout**, and the **Target timeout**.
1. Click **Save profile**.
### Edit a scanner profile
To edit a scanner profile:
1. From your project's home page, go to **Security & Compliance > Configuration**.
1. Click **Manage** in the **DAST Profiles** row.
1. Click **Edit** in the scanner profile's row.
### Delete a scanner profile
To delete a scanner profile:
1. From your project's home page, go to **Security & Compliance > Configuration**.
1. Click **Manage** in the **DAST Profiles** row.
1. Click **{remove}** in the scanner profile's row.
### Enable or disable DAST scanner profiles
The scanner profile feature is ready for production use. It's deployed behind a feature flag that
is **enabled by default**. [GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can opt to disable it.
To disable it:
```ruby
# Instance-wide
Feature.disable(:security_on_demand_scans_scanner_profiles)
# or by project
Feature.disable(:security_on_demand_scans_scanner_profiles, Project.find(<project id>))
```
To enable it:
```ruby
# Instance-wide
Feature.enable(:security_on_demand_scans_scanner_profiles)
# or by project
Feature.enable(:security_on_demand_scans_scanner_profiles, Project.find(<project ID>))
```
## On-demand scans
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218465) in GitLab 13.2. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218465) in GitLab 13.2.
> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/218465) in GitLab 13.3. > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/218465) in GitLab 13.3.
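Review bot: the two Ruby snippets in the new scanner-profile section use different placeholders for the same argument, `Project.find(<project id>)` in the disable block and `Project.find(<project ID>)` in the enable block; pick one spelling. The **Edit a scanner profile** procedure also stops at "Click **Edit** in the scanner profile's row" with no step for changing the fields and saving, whereas **Create a scanner profile** ends with "Click **Save profile**"; add the missing step. Minor: **Spider timeout** is documented in minutes and **Target timeout** in seconds, which is easy to miss when the two fields sit side by side, so stating the unit in each field label or repeating it in the create step would help.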
...@@ -652,37 +717,46 @@ To delete an existing site profile: ...@@ -652,37 +717,46 @@ To delete an existing site profile:
> - It's able to be enabled or disabled per-project. > - It's able to be enabled or disabled per-project.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-on-demand-scans). > - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-on-demand-scans).
You can run a passive DAST scan against a target website, outside the DevOps life cycle. These scans An on-demand DAST scan runs outside the DevOps life cycle. Changes in your repository don't trigger
are always associated with the default branch of your project and the results are available in the the scan. You must start it manually.
project's dashboard. An on-demand DAST scan has a fixed timeout of 60 seconds.
An on-demand DAST scan:
### Run an on-demand scan - Uses settings in the site profile and scanner profile you select when you run the scan,
instead of those in the `.gitlab-ci.yml` file.
- Is associated with your project's default branch.
### Run an on-demand DAST scan
NOTE: **Note:** NOTE: **Note:**
You must have permission to run an on-demand DAST scan against a protected branch. You must have permission to run an on-demand DAST scan against a protected branch.
The default branch is automatically protected. For more details, see [Pipeline security on protected branches](../../../ci/pipelines/index.md#pipeline-security-on-protected-branches). The default branch is automatically protected. For more details, see [Pipeline security on protected branches](../../../ci/pipelines/index.md#pipeline-security-on-protected-branches).
To run an on-demand scan, you need a site profile for the target URL. To run an on-demand DAST scan, you need:
- A [scanner profile](#create-a-scanner-profile).
- A [site profile](#create-a-site-profile).
1. From your project's home page, go to **Security & Compliance > On-demand Scans** in the left sidebar. 1. From your project's home page, go to **Security & Compliance > On-demand Scans** in the left sidebar.
1. Click **Create new DAST scan**. 1. Click **Create new DAST scan**.
1. Select a site profile from the profiles dropdown. 1. In **Scanner settings**, select a scanner profile from the dropdown.
1. In **Site profiles**, select a site profile from the dropdown.
1. Click **Run scan**. 1. Click **Run scan**.
The on-demand scan runs and the project's dashboard shows the results. The on-demand DAST scan runs and the project's dashboard shows the results.
### Enable or disable On-demand Scans ### Enable or disable On-demand Scans
On-demand Scans is enabled by default. You can disable On-demand Scans The On-demand DAST Scans feature is enabled by default. You can disable on-demand scans
instance-wide, or disable it for specific projects if you prefer. instance-wide, or disable it for specific projects if you prefer.
Use of On-demand Scans requires the `security_on_demand_scans_feature_flag` To run on-demand DAST scans, an administrator must enable the
feature flag enabled. `security_on_demand_scans_feature_flag` feature flag.
[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) [GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
can disable or enable the feature flags. can disable or enable the feature flags.
To disable On-demand Scans: To disable On-demand DAST Scans:
```ruby ```ruby
# Instance-wide # Instance-wide
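Review bot: the rewritten text under **Enable or disable On-demand Scans** contradicts itself: it opens with "The On-demand DAST Scans feature is enabled by default" and then says "To run on-demand DAST scans, an administrator must enable the `security_on_demand_scans_feature_flag` feature flag." Since the flag is on by default, reword the second sentence to say the feature is controlled by that flag, which administrators can disable. The sentence stating that an on-demand scan "has a fixed timeout of 60 seconds" is deleted without replacement; because the scan now takes **Spider timeout** and **Target timeout** from the selected scanner profile, a sentence pointing readers to the scanner profile for timeout settings would close that gap. Capitalization of the feature name also varies between "On-demand scans" in the new section heading, "On-demand Scans" in the subsection heading, and "On-demand DAST Scans" in the body.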
...@@ -691,7 +765,7 @@ Feature.disable(:security_on_demand_scans_feature_flag) ...@@ -691,7 +765,7 @@ Feature.disable(:security_on_demand_scans_feature_flag)
Feature.disable(:security_on_demand_scans_feature_flag, Project.find(<project id>)) Feature.disable(:security_on_demand_scans_feature_flag, Project.find(<project id>))
``` ```
To enable On-demand Scans: To enable On-demand DAST Scans:
```ruby ```ruby
# Instance-wide # Instance-wide
......
...@@ -4,7 +4,7 @@ module Projects ...@@ -4,7 +4,7 @@ module Projects
class DastProfilesController < Projects::ApplicationController class DastProfilesController < Projects::ApplicationController
before_action :authorize_read_on_demand_scans! before_action :authorize_read_on_demand_scans!
before_action do before_action do
push_frontend_feature_flag(:security_on_demand_scans_scanner_profiles, project, default_enabled: false) push_frontend_feature_flag(:security_on_demand_scans_scanner_profiles, project, default_enabled: true)
end end
def index def index
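Review bot: `default_enabled: true` here duplicates the value set in the flag definition YAML in this same merge request; the two must be kept in sync by hand, so a spec asserting that the controller's default matches the definition, or reading the default from the definition, would prevent drift when the flag is later flipped again or removed.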
......
...@@ -4,7 +4,7 @@ module Projects ...@@ -4,7 +4,7 @@ module Projects
class OnDemandScansController < Projects::ApplicationController class OnDemandScansController < Projects::ApplicationController
before_action do before_action do
authorize_read_on_demand_scans! authorize_read_on_demand_scans!
push_frontend_feature_flag(:security_on_demand_scans_scanner_profiles) push_frontend_feature_flag(:security_on_demand_scans_scanner_profiles, project, default_enabled: true)
end end
def index def index
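Review bot: the removed call `push_frontend_feature_flag(:security_on_demand_scans_scanner_profiles)` passed no actor, so the per-project `Feature.disable(..., Project.find(...))` documented in this merge request would not have taken effect on the On-demand Scans page, while `DastProfilesController` already scoped the flag to `project`; the new form removes that inconsistency. Since both controllers now push the identical flag with identical arguments, consider moving the call into a shared `before_action` (for example in a concern) so future changes to the flag are made in one place.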
......
---
title: Enable on-demand DAST scans scanner-profiles flag by default
merge_request: 41950
author:
type: added
...@@ -4,4 +4,4 @@ introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/39250 ...@@ -4,4 +4,4 @@ introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/39250
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/235545 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/235545
group: group::dynamic analysis group: group::dynamic analysis
type: development type: development
default_enabled: false default_enabled: true
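Review bot: with `default_enabled` flipped to `true` and the documentation hunk describing the feature as "Recommended for production use", confirm that the linked `rollout_issue_url` is updated or closed as part of this change so the flag's lifecycle state stays traceable from its definition.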