Hello, we are trying to implement a CI/CD pipeline for our web project. The project consists of several interdependent web/API applications, so it is not an easy task to create temporary environments for each feature branch. Currently we have the following branches and environments:
Development environment: developers check their running code here before sending a merge request.
Test environment: UI tests are done here after a merge request is approved.
Production environment: this is where deployment happens after the UI tests have passed successfully.
Feature branches: developers write their code on feature branches, which are created from the production branch. When they push their code to the remote, a pipeline runs that builds the code, runs unit tests and runs SAST jobs. But as these feature branches are not deployed anywhere, we cannot run DAST for them.
Development branch: developers merge their feature branches into the development branch, their code is deployed via the pipeline to the development environment, and DAST can scan it at the end of this pipeline.
Test branch: developers send a merge request to the test branch; the maintainer reviews the code, checks the security tab on the merge request and, if there are no problems, approves the merge request. The problem is that the security tab only includes the SAST scans that ran on the feature branch, not the DAST scan that ran on the development branch.
Production branch: after the UI tests have been finished under human control, we merge the feature branches into the production branch and run the pipeline for this branch to deploy the code to the production environment.
So we wonder whether there is any possibility of adding this DAST report to the merge request's security tab, either in this flow or in another flow with these permanent environments?
And if we are able to add the DAST report in this scenario, we must make merging feature branches into the development branch and deploying to the development environment obligatory. But unfortunately we couldn't find any solution for this either. Any opinions about this would be very much appreciated too.
And feel free to advise any alternative if you think there is any mistake or room for improvement in the flow.
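One way to get a DAST report onto the merge request's security tab with only permanent environments is to run the DAST job inside the merge request pipeline and point it at the already-deployed development environment, so the report is produced by the MR pipeline itself rather than by the development-branch pipeline. The following .gitlab-ci.yml fragment is an added example, not code from the original post or from GitLab's documentation verbatim; it assumes the branch names "development" and "test", a development environment reachable at the hypothetical URL https://dev.example.internal, and GitLab's bundled DAST.gitlab-ci.yml template.

```yaml
# Added example (not from the original post). Assumes GitLab's DAST template,
# branches named "development" and "test", and a permanent dev environment
# at the hypothetical URL https://dev.example.internal.
include:
  - template: DAST.gitlab-ci.yml

variables:
  # Target of the scan: the permanent development environment (assumed URL).
  DAST_WEBSITE: "https://dev.example.internal"

# Override the template's dast job so it runs in the situations we need.
dast:
  rules:
    # Run in merge request pipelines whose target is the test branch, so the
    # DAST report is attached to that MR and shown on its security tab.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "test"
    # Also run on the development branch after deployment, as today.
    - if: $CI_COMMIT_BRANCH == "development"
  artifacts:
    reports:
      # The report type GitLab parses for the security tab / MR widget.
      dast: gl-dast-report.json
```

Two caveats a practitioner should keep in mind. First, overriding `rules` on the `dast` job replaces the template's own rules completely, and if the project defines its own `stages:` list it must include the `dast` stage the template's job belongs to. Second, the MR pipeline scans whatever is currently deployed to the development environment, which is the state of the development branch, not necessarily the source branch of that merge request; the report is only meaningful for the MR if the feature branch has already been merged and deployed to development, which is exactly the ordering the post wants to make obligatory (for example by having the MR pipeline fail when the source branch is not yet contained in the development branch, using `git merge-base --is-ancestor` in a preceding job).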