Update DAST On-demand scan template

The DAST On-demand scan template should be updated to use the API Security scanner

Changelog: changed
MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73564
EE: true

config/feature_flags/development/dast_api_scanner.yml

+---
+name: dast_api_scanner
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73564
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/345837
+milestone: '14.7'
+type: development
+group: group::dynamic analysis
+default_enabled: false

ee/app/services/app_sec/dast/scan_configs/build_service.rb

@@ -44,13 +44,25 @@ module AppSec
         def ci_configuration
           {
             'stages' => [STAGE_NAME],
-            'include' => [{ 'template' => 'Security/DAST-On-Demand-Scan.gitlab-ci.yml' }],
+            'include' => [{ 'template' => dast_template }],
             'dast' => {
               'dast_configuration' => { 'site_profile' => dast_site_profile.name, 'scanner_profile' => dast_scanner_profile&.name }.compact
             }
           }.to_yaml
         end
 
+        def dast_template
+          if should_use_api_scan?
+            'Security/DAST-On-Demand-API-Scan.gitlab-ci.yml'
+          else
+            'Security/DAST-On-Demand-Scan.gitlab-ci.yml'
+          end
+        end
+
+        def should_use_api_scan?
+          Feature.enabled?(:dast_api_scanner, dast_site_profile.project, default_enabled: :yaml) && dast_site_profile.target_type == 'api'
+        end
+
         def dast_profile
           strong_memoize(:dast_profile) do
             params[:dast_profile]

ee/config/metrics/counts_28d/20211118200530_p_ci_templates_security_dast_on_demand_api_scan_monthly.yml

+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_security_dast_on_demand_api_scan_monthly
+name: "dast_on_demand_api_scan"
+description: Count of pipelines using the latest DAST API template
+product_section: sec
+product_stage: secure
+product_group: "group::dynamic analysis"
+product_category: DAST
+value_type: number
+status: active
+milestone: "14.7"
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73564
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+options:
+  events:
+    - p_ci_templates_security_dast_on_demand_api_scan
+performance_indicator_type: []
+distribution:
+- ee
+tier:
+#- premium
+- ultimate

ee/config/metrics/counts_28d/20211122175944_p_ci_templates_implicit_security_dast_on_demand_api_scan_monthly.yml

+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_dast_on_demand_api_scan_monthly
+name: "implicit_security_dast_on_demand_api_scan"
+description: Count of pipelines with implicit runs using the latest DAST API template
+product_section: sec
+product_stage: secure
+product_group: "group::dynamic analysis"
+product_category: DAST
+value_type: number
+status: active
+milestone: "14.7"
+introduced_by_url:
+time_frame: 28d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+options:
+  events:
+    - p_ci_templates_implicit_security_dast_on_demand_api_scan
+performance_indicator_type: []
+distribution:
+- ee
+tier:
+#- premium
+- ultimate

ee/config/metrics/counts_7d/20211118200524_p_ci_templates_security_dast_on_demand_api_scan_weekly.yml

+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_security_dast_on_demand_api_scan_weekly
+name: "dast_on_demand_api_scan"
+description: Count of pipelines using the latest DAST API template
+product_section: sec
+product_stage: secure
+product_group: "group::dynamic analysis"
+product_category: DAST
+value_type: number
+status: active
+milestone: "14.7"
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/73564
+time_frame: 7d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+options:
+  events:
+    - p_ci_templates_security_dast_on_demand_api_scan
+performance_indicator_type: []
+distribution:
+- ee
+tier:
+#- premium
+- ultimate

ee/config/metrics/counts_7d/20211122175938_p_ci_templates_implicit_security_dast_on_demand_api_scan_weekly.yml

+---
+key_path: redis_hll_counters.ci_templates.p_ci_templates_implicit_security_dast_on_demand_api_scan_weekly
+name: "implicit_security_dast_on_demand_api_scan"
+description: Count of pipelines with implicit runs using the latest DAST API template
+product_section: sec
+product_stage: secure
+product_group: "group::dynamic analysis"
+product_category: DAST
+value_type: number
+status: active
+milestone: "14.7"
+introduced_by_url:
+time_frame: 7d
+data_source: redis_hll
+data_category: optional
+instrumentation_class: RedisHLLMetric
+options:
+  events:
+    - p_ci_templates_implicit_security_dast_on_demand_api_scan
+performance_indicator_type: []
+distribution:
+- ee
+tier:
+#- premium
+- ultimate

ee/spec/services/app_sec/dast/scan_configs/build_service_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
   let_it_be(:project) { create(:project, :repository) }
-  let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) }
+  let_it_be_with_reload(:dast_site_profile) { create(:dast_site_profile, project: project, target_type: 'website') }
   let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project, spider_timeout: 5, target_timeout: 20) }
   let_it_be(:dast_profile) { create(:dast_profile, project: project, dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile, branch_name: 'master') }
 
@@ -19,6 +19,8 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
   let(:dast_full_scan_enabled) { dast_scanner_profile.full_scan_enabled? }
   let(:dast_use_ajax_spider) { dast_scanner_profile.use_ajax_spider? }
   let(:dast_debug) { dast_scanner_profile.show_debug_messages? }
+  let(:on_demand_scan_template) { 'Security/DAST-On-Demand-Scan.gitlab-ci.yml' }
+  let(:api_scan_template) { 'Security/DAST-On-Demand-API-Scan.gitlab-ci.yml' }
 
   let(:params) { { dast_site_profile: dast_site_profile, dast_scanner_profile: dast_scanner_profile } }
 
@@ -28,7 +30,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
       stages:
       - dast
       include:
-        - template: Security/DAST-On-Demand-Scan.gitlab-ci.yml
+      - template: #{template}
       dast:
         dast_configuration:
           site_profile: #{dast_site_profile.name}
@@ -39,6 +41,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
   subject { described_class.new(container: project, params: params).execute }
 
   describe 'execute' do
+    shared_examples 'build service execute tests' do
       context 'when a dast_profile is provided' do
         let(:params) { { dast_profile: dast_profile } }
 
@@ -92,7 +95,7 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
                 stages:
                 - dast
                 include:
-            - template: Security/DAST-On-Demand-Scan.gitlab-ci.yml
+                - template: #{template}
                 dast:
                   dast_configuration:
                     site_profile: #{dast_site_profile.name}
@@ -120,4 +123,33 @@ RSpec.describe AppSec::Dast::ScanConfigs::BuildService do
         end
       end
     end
+
+    context 'when feature flag dast_api_scanner is disabled' do
+      let(:template) { on_demand_scan_template }
+
+      before do
+        stub_feature_flags(dast_api_scanner: false)
+      end
+
+      it_behaves_like 'build service execute tests'
+    end
+
+    context 'when feature flag dast_api_scanner is enabled' do
+      context 'when the target_type is api' do
+        before do
+          dast_site_profile.target_type = 'api'
+        end
+
+        let(:template) { api_scan_template }
+
+        it_behaves_like 'build service execute tests'
+      end
+
+      context 'when the target_type is NOT api' do
+        let(:template) { on_demand_scan_template }
+
+        it_behaves_like 'build service execute tests'
+      end
+    end
+  end
 end

lib/gitlab/ci/templates/Security/DAST-On-Demand-API-Scan.gitlab-ci.yml

+stages:
+  - build
+  - test
+  - deploy
+  - dast
+
+variables:
+  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
+  DAST_API_VERSION: "1"
+  DAST_API_IMAGE: $SECURE_ANALYZERS_PREFIX/api-fuzzing:$DAST_API_VERSION
+
+dast:
+  stage: dast
+  image: $DAST_API_IMAGE
+  variables:
+    GIT_STRATEGY: none
+  allow_failure: true
+  script:
+    - /peach/analyzer-dast-api
+  artifacts:
+    when: always
+    paths:
+      - gl-assets
+      - gl-dast-api-report.json
+      - gl-*.log
+    reports:
+      dast: gl-dast-api-report.json

lib/gitlab/usage_data_counters/known_events/ci_templates.yml

@@ -103,6 +103,10 @@
   category: ci_templates
   redis_slot: ci_templates
   aggregation: weekly
+- name: p_ci_templates_security_dast_on_demand_api_scan
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_security_coverage_fuzzing
   category: ci_templates
   redis_slot: ci_templates
@@ -539,6 +543,10 @@
   category: ci_templates
   redis_slot: ci_templates
   aggregation: weekly
+- name: p_ci_templates_implicit_security_dast_on_demand_api_scan
+  category: ci_templates
+  redis_slot: ci_templates
+  aggregation: weekly
 - name: p_ci_templates_implicit_security_coverage_fuzzing
   category: ci_templates
   redis_slot: ci_templates