Problems with GitLab DAST OpenAPI Specs

I’m trying to set up DAST on GitLab 14.0.5-ee and so far I have encountered two problems that block me:

When I use

    DAST_API_SPECIFICATION: "api.yaml"

I get the error message

    InvalidAPISpecificationError: Target must be either a valid URL or a local file, file does not exist: /zap/wrk/api.yaml

The GitLab docs ("Dynamic Application Security Testing (DAST) | GitLab") tell me it is "Deprecated in GitLab 13.12 and replaced by DAST_API_OPENAPI". But if I use DAST_API_OPENAPI it errors out with

    Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set.

If I set both DAST_API_OPENAPI and DAST_API_SPECIFICATION, I’m back to “file does not exist: /zap/wrk/api.yaml”.

So my questions, for now, are:

  • How to submit an OpenAPI specification as a file in the repository?
  • What’s up with the documentation regarding DAST_API_OPENAPI? Should I even use it?

My full CI configuration for the dast stage is:

    dast:
      needs:
        - pre-dast
      rules:
        # Run the job for every pipeline except scheduled ones.
        # Note: the variable must not be quoted inside the expression;
        # a quoted "$CI_PIPELINE_SOURCE" is a string literal in rules:if
        # and the comparison would always be true.
        - if: '$CI_PIPELINE_SOURCE != "schedule"'
      variables:
        GIT_STRATEGY: "clone"
        DAST_FULL_SCAN_ENABLED: "true"
        DAST_API_TARGET_URL: "https://localhost:5553/"  # bear with me, I know I'll have to change this
        # Path to the OpenAPI spec in the repository; with both variables set
        # the analyzer still reports "file does not exist: /zap/wrk/api.yaml"
        DAST_API_SPECIFICATION: "api.yaml"
        DAST_API_OPENAPI: "api.yaml"
        DAST_DEBUG: "true"