Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
31ea2159
Commit
31ea2159
authored
Apr 15, 2021
by
Russell Dickenson
Committed by
Evan Read
Apr 15, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Clarify DAST host override warnings
parent
d140c45f
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
11 additions
and
11 deletions
+11
-11
doc/user/application_security/dast/index.md
doc/user/application_security/dast/index.md
+11
-11
No files found.
doc/user/application_security/dast/index.md
View file @
31ea2159
...
...
@@ -164,7 +164,7 @@ stages:
-
build
-
dast
include
:
include
:
-
template
:
DAST.gitlab-ci.yml
# Deploys the container to the GitLab container registry
...
...
@@ -469,16 +469,14 @@ variables:
#### Import API specification from a file
If your API specification is in your repository, you can provide the specification's
filename directly as the target. The specification file is expected to be in the
`/zap/wrk`
directory.
If your API specification file is in your repository, you can provide its filename as the target.
The API specification file must be in the
`/zap/wrk`
directory.
```
yaml
dast
:
script
:
before_
script
:
-
mkdir -p /zap/wrk
-
cp api-specification.yml /zap/wrk/api-specification.yml
-
/analyze -t $DAST_WEBSITE
variables
:
GIT_STRATEGY
:
fetch
DAST_API_SPECIFICATION
:
api-specification.yml
...
...
@@ -496,6 +494,12 @@ host referenced may be different than the host of the API's review instance.
This can cause incorrect URLs to be imported, or a scan on an incorrect host.
Use the
`DAST_API_HOST_OVERRIDE`
CI/CD variable to override these values.
WARNING:
When using the API host override feature, you cannot use the
`$DAST_WEBSITE`
variable to override the hostname.
A host override is _only_ supported when importing the API specification from a URL. Attempts to override the
host throw an error when the API specification is imported from a file. This is due to a limitation in the
ZAP OpenAPI extension.
For example, with a OpenAPI V3 specification containing:
```
yaml
...
...
@@ -515,10 +519,6 @@ variables:
DAST_API_HOST_OVERRIDE
:
api-test.host.com
```
Note that using a host override is ONLY supported when importing the API specification from a URL.
It doesn't work and is ignored when importing the specification from a file. This is due to a
limitation in the ZAP OpenAPI extension.
#### Authentication using headers
Tokens in request headers are often used as a way to authenticate API requests.
...
...
@@ -963,7 +963,7 @@ follows:
-
_Header validation_ requires the header
`Gitlab-On-Demand-DAST`
be added to the target site,
with a value unique to the project. The validation process checks that the header is present, and
checks its value.
Both methods are equivalent in functionality. Use whichever is feasible.
#### Create a site profile
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment