I’m trying to set up DAST on GitLab 14.0.5-ee and so far I have encountered two problems that block me:
When I use `DAST_API_SPECIFICATION: "api.yaml"` I get the error message `InvalidAPISpecificationError: Target must be either a valid URL or a local file, file does not exist: /zap/wrk/api.yaml`
The GitLab docs (Dynamic Application Security Testing (DAST) | GitLab) tell me it is "Deprecated in GitLab 13.12 and replaced by DAST_API_OPENAPI". But if I use `DAST_API_OPENAPI` it errors out with `Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set.`
If I set both `DAST_API_OPENAPI` and `DAST_API_SPECIFICATION`, I'm back to "file does not exist: /zap/wrk/api.yaml".
So my questions, for now, are:
- How do I submit an OpenAPI specification as a file in the repository?
- What's up with the documentation regarding `DAST_API_OPENAPI`? Should I even use it?
My full CI configuration for the dast stage is:
```yaml
# The dast job below assumes the DAST template (DAST.gitlab-ci.yml) is included
# elsewhere in the pipeline, which supplies the image and script for this job.
dast:
  needs:
    - pre-dast
  rules:
    # The variable must be unquoted in a rules expression; a double-quoted
    # "$CI_PIPELINE_SOURCE" is a string literal and the rule would always match.
    - if: '$CI_PIPELINE_SOURCE != "schedule"'
  variables:
    GIT_STRATEGY: "clone"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_API_TARGET_URL: "https://localhost:5553/" # bear with me, I know I'll have to change this
    DAST_API_SPECIFICATION: "api.yaml"
    DAST_API_OPENAPI: "api.yaml"
    DAST_DEBUG: "true"
```
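Both failure modes in the post ("file does not exist" and "must be set") surface only after the ZAP container has started, which makes them slow to iterate on. The following is an added example, not GitLab's code and not part of the original post: a small pre-scan check that takes the job's variables and the checkout directory, warns about the deprecated `DAST_API_SPECIFICATION` variable, and verifies that a local spec path actually exists and looks like an OpenAPI/Swagger document before the scan job runs. The `check_dast_spec` and `demo` function names, the 4 KiB header read, and the top-level-key heuristic are assumptions of this example; the two variable names come from the GitLab docs quoted above.

```python
import os
import re
import tempfile

# Variable names the GitLab DAST API scan reads (from the GitLab docs).
DEPRECATED_VAR = "DAST_API_SPECIFICATION"  # deprecated in GitLab 13.12
CURRENT_VAR = "DAST_API_OPENAPI"

# Assumption: a spec file declares a top-level "openapi:" or "swagger:" key,
# either as YAML or as the first key of a JSON object.
_SPEC_KEY = re.compile(r'^\s*[\{\s]*"?(openapi|swagger)"?\s*:', re.MULTILINE)


def check_dast_spec(variables, project_dir):
    """Return a list of findings (strings) for the DAST API spec configuration.

    variables:   dict of CI variables as they would be set on the dast job.
    project_dir: directory the repository is checked out to (CI_PROJECT_DIR).
    An empty list means the spec setting is usable.
    """
    findings = []
    if DEPRECATED_VAR in variables:
        findings.append(f"{DEPRECATED_VAR} is deprecated; use {CURRENT_VAR}")

    # Prefer the current variable, fall back to the deprecated one.
    spec = variables.get(CURRENT_VAR) or variables.get(DEPRECATED_VAR)
    if not spec:
        findings.append(f"neither {CURRENT_VAR} nor {DEPRECATED_VAR} is set")
        return findings

    if spec.startswith(("http://", "https://")):
        # Remote spec: reachability is the scanner's job, nothing to check locally.
        return findings

    path = os.path.join(project_dir, spec)
    if not os.path.isfile(path):
        findings.append(f"spec file does not exist: {path}")
        return findings

    # Only the head of the file is needed to spot the top-level key.
    with open(path, encoding="utf-8") as fh:
        head = fh.read(4096)
    if not _SPEC_KEY.search(head):
        findings.append(f"{spec} does not look like an OpenAPI/Swagger document")
    return findings


def demo():
    """Run the check against a constructed checkout with a minimal api.yaml."""
    project_dir = tempfile.mkdtemp()
    with open(os.path.join(project_dir, "api.yaml"), "w", encoding="utf-8") as fh:
        fh.write("openapi: 3.0.0\ninfo:\n  title: constructed demo spec\n")
    return {
        "current_only": check_dast_spec({CURRENT_VAR: "api.yaml"}, project_dir),
        "both_set": check_dast_spec(
            {DEPRECATED_VAR: "api.yaml", CURRENT_VAR: "api.yaml"}, project_dir),
        "missing_file": check_dast_spec({CURRENT_VAR: "missing.yaml"}, project_dir),
        "unset": check_dast_spec({}, project_dir),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```

Running this in a job that precedes `dast` (the post already has a `pre-dast` job) fails fast on a mistyped or untracked spec path instead of waiting for the ZAP image to pull and report `/zap/wrk/api.yaml` as missing.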