I’m trying to set up DAST on GitLab 14.0.5-ee and so far I have encountered two problems that block me:
When I use
I get the error message
InvalidAPISpecificationError: Target must be either a valid URL or a local file, file does not exist: /zap/wrk/api.yaml
The GitLab docs (Dynamic Application Security Testing (DAST) | GitLab) tell me it is "Deprecated in GitLab 13.12 and replaced by DAST_API_OPENAPI". But if I use DAST_API_OPENAPI it errors out with
Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set.
If I set both
DAST_API_SPECIFICATION I’m back to “file does not exist: /zap/wrk/api.yaml”
So my questions, for now, are:
- How to submit an OpenAPI specification as a file in the repository?
- What’s up with the documentation regarding DAST_API_OPENAPI? Should I even use it?
My full CI configuration for the dast stage is:
```yaml
dast:
  needs:
    - pre-dast
  rules:
    - if: '"$CI_PIPELINE_SOURCE" != "schedule"'
  variables:
    GIT_STRATEGY: "clone"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_API_TARGET_URL: "https://localhost:5553/" # bear with me, I know I'll have to change this
    DAST_API_SPECIFICATION: "api.yaml"
    DAST_API_OPENAPI: "api.yaml"
    DAST_DEBUG: "true"
```