diff options
author | Philippe Lafoucrière <plafoucriere@gitlab.com> | 2019-05-21 00:06:47 +0000 |
---|---|---|
committer | Ash McKenzie <amckenzie@gitlab.com> | 2019-05-21 00:06:47 +0000 |
commit | 37c8f37c56a6726ee0a34a1bfb3679c654b5287e (patch) | |
tree | 9c56db86ca685bc9aa4190f3e512c7a4052cc5de | |
parent | 632b137d06fe447d702a089ba714891b2d8dc561 (diff) | |
download | gitlab-ce-37c8f37c56a6726ee0a34a1bfb3679c654b5287e.tar.gz |
Make env vars consistent
`DAST_TARGET_AVAILABILITY_TIMEOUT` already defaults to 60 in `analyze`
-rw-r--r-- | changelogs/unreleased/10798-remove-dind-req-for-dast.yml | 5 | ||||
-rw-r--r-- | doc/user/application_security/dast/index.md | 5 | ||||
-rw-r--r-- | lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml | 57 |
3 files changed, 26 insertions, 41 deletions
diff --git a/changelogs/unreleased/10798-remove-dind-req-for-dast.yml b/changelogs/unreleased/10798-remove-dind-req-for-dast.yml new file mode 100644 index 00000000000..33545fc7cfd --- /dev/null +++ b/changelogs/unreleased/10798-remove-dind-req-for-dast.yml @@ -0,0 +1,5 @@ +--- +title: Remove dind from DAST template +merge_request: 28083 +author: +type: changed diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md index f3b7d7fd471..abc6e771b0f 100644 --- a/doc/user/application_security/dast/index.md +++ b/doc/user/application_security/dast/index.md @@ -47,10 +47,7 @@ applications while you are developing and testing your applications. ## Requirements To run a DAST job, you need GitLab Runner with the -[`docker`](https://docs.gitlab.com/runner/executors/docker.html#use-docker-in-docker-with-privileged-mode) or -[`kubernetes`](https://docs.gitlab.com/runner/install/kubernetes.html#running-privileged-containers-for-the-runners) -executor running in privileged mode. If you're using the shared Runners on GitLab.com, -this is enabled by default. +[`docker` executor](https://docs.gitlab.com/runner/executors/docker.html). ## Configuring DAST diff --git a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml index fd7fac5dcab..27a498b2daf 100644 --- a/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml @@ -1,4 +1,4 @@ -# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/dast.html +# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dast/ # Configure the scanning tool through the environment variables. # List of the variables: https://gitlab.com/gitlab-org/security-products/dast#settings @@ -12,46 +12,29 @@ stages: dast: stage: dast - image: docker:stable + image: + name: "registry.gitlab.com/gitlab-org/security-products/dast:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable" variables: - DOCKER_DRIVER: overlay2 + # URL to scan: + # DAST_WEBSITE: https://example.com/ + # + # Time limit for target availability (scan is attempted even when timeout): + # DAST_TARGET_AVAILABILITY_TIMEOUT: 60 + # + # Set these variables to scan with an authenticated user: + # DAST_AUTH_URL: https://example.com/sign-in + # DAST_USERNAME: john.doe@example.com + # DAST_PASSWORD: john-doe-password + # DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form + # DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form + # DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional: URLs to skip during the authenticated scan; comma-separated, no spaces in between + # + # Perform ZAP Full Scan, which includes both passive and active scanning: + # DAST_FULL_SCAN_ENABLED: "true" allow_failure: true - services: - - docker:stable-dind script: - export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)} - - export DAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')} - - | - if ! docker info &>/dev/null; then - if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then - export DOCKER_HOST='tcp://localhost:2375' - fi - fi - - | - function dast_run() { - docker run \ - --env DAST_FULL_SCAN_ENABLED \ - --env DAST_TARGET_AVAILABILITY_TIMEOUT \ - --volume "$PWD:/output" \ - --volume /var/run/docker.sock:/var/run/docker.sock \ - -w /output \ - "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION" \ - /analyze -t $DAST_WEBSITE \ - "$@" - } - - | - if [ -n "$DAST_AUTH_URL" ] - then - dast_run \ - --auth-url $DAST_AUTH_URL \ - --auth-username $DAST_USERNAME \ - --auth-password $DAST_PASSWORD \ - --auth-username-field $DAST_USERNAME_FIELD \ - --auth-password-field $DAST_PASSWORD_FIELD \ - --auth-exclude-urls $DAST_AUTH_EXCLUDE_URLS - else - dast_run - fi + - /analyze -t $DAST_WEBSITE artifacts: reports: dast: gl-dast-report.json |