Enable DAST on-demand API scan support by default [RUN ALL RSPEC] [RUN AS-IF-FOSS]

config/feature_flags/development/security_dast_site_profiles_api_option.yml

@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/325130
 milestone: '13.12'
 type: development
 group: group::dynamic analysis
-default_enabled: false
+default_enabled: true

doc/user/application_security/dast/index.md

@@ -978,6 +978,7 @@ required for an on-demand DAST scan.
 A site profile contains the following:
 
 - **Profile name**: A name you assign to the site to be scanned.
+- **Site type**: The type of target to be scanned, either website or API scan.
 - **Target URL**: The URL that DAST runs against.
 - **Excluded URLs**: A comma-separated list of URLs to exclude from the scan.
 - **Request headers**: A comma-separated list of HTTP request headers, including names and values. These headers are added to every request made by DAST.
@@ -988,6 +989,8 @@ A site profile contains the following:
   - **Username form field**: The name of username field at the sign-in HTML form.
   - **Password form field**: The name of password field at the sign-in HTML form.
 
+When an API site type is selected, a [host override](#host-override) is used to ensure the API being scanned is on the same host as the target. This is done to reduce the risk of running an active scan against the wrong API.
+
 #### Site profile validation
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/233020) in GitLab 13.8.

ee/changelogs/unreleased/philipcunningham-enable-dast-on-demand-api-support-325130.yml

+---
+title: Enable DAST on-demand API scan support by default
+merge_request: 60876
+author:
+type: added