# Read more about this feature here: https://docs.gitlab.com/ee/user/project/merge_requests/dast.html

# Configure the scanning tool through the environment variables.
# List of the variables: https://gitlab.com/gitlab-org/security-products/dast#settings
# How to set: https://docs.gitlab.com/ee/ci/yaml/#variables

stages:
  - build
  - test
  - deploy
  - dast

dast:
  stage: dast
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    - export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}
    - export DAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
    - |
      if ! docker info &>/dev/null; then
        if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
          export DOCKER_HOST='tcp://localhost:2375'
        fi
      fi
    - |
      function dast_run() {
        docker run \
        --env DAST_TARGET_AVAILABILITY_TIMEOUT \
        --volume "$PWD:/output" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        -w /output \
        "registry.gitlab.com/gitlab-org/security-products/dast:$DAST_VERSION" \
        /analyze -t $DAST_WEBSITE \
        "$@"
      }
    - |
      if [ -n "$DAST_AUTH_URL" ]
      then
        dast_run \
          --auth-url $DAST_AUTH_URL \
          --auth-username $DAST_USERNAME \
          --auth-password $DAST_PASSWORD \
          --auth-username-field $DAST_USERNAME_FIELD \
          --auth-password-field $DAST_PASSWORD_FIELD
      else
        dast_run
      fi
  artifacts:
    reports:
      dast: gl-dast-report.json
  only:
    refs:
      - branches
    variables:
      - $GITLAB_FEATURES =~ /\bdast\b/
  except:
    variables:
      - $DAST_DISABLED