gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc/user/application_security/dast/index.md')
-rw-r--r--doc/user/application_security/dast/index.md94
1 files changed, 51 insertions, 43 deletions
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index ee57803dfc7..1389db65713 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -627,7 +627,7 @@ These CI/CD variables are specific to DAST. They can be used to customize the be
| `DAST_AGGREGATE_VULNERABILITIES` | boolean | Vulnerability aggregation is set to `true` by default. To disable this feature and see each vulnerability individually set to `false`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/254043) in GitLab 14.0. |
| `DAST_API_HOST_OVERRIDE` <sup>1</sup> | string | Used to override domains defined in API specification files. Only supported when importing the API specification from a URL. Example: `example.com:8080`. |
| `DAST_API_OPENAPI` | URL or string | The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. The variable `DAST_WEBSITE` must be specified if this is omitted. |
-| `DAST_API_SPECIFICATION` <sup>1</sup> | URL or string | [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/290241) in GitLab 13.12 and replaced by `DAST_API_OPENAPI`. To be removed in GitLab 15.0. The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. The variable `DAST_WEBSITE` must be specified if this is omitted. |
+| `DAST_API_SPECIFICATION` <sup>1</sup> | URL or string | **{warning}** **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/290241)** in GitLab 15.0. Replaced by `DAST_API_OPENAPI`. The API specification to import. The specification can be hosted at a URL, or the name of a file present in the `/zap/wrk` directory. The variable `DAST_WEBSITE` must be specified if this is omitted. |
| `DAST_AUTH_REPORT` <sup>2</sup> | boolean | Used in combination with exporting the `gl-dast-debug-auth-report.html` artifact to aid in debugging authentication issues. |
| `DAST_AUTH_EXCLUDE_URLS` <sup>2</sup> | URLs | **{warning}** **[Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/289959)** in GitLab 14.0. Replaced by `DAST_EXCLUDE_URLS`. The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, `.*` matches an arbitrary character sequence. Not supported for API scans. |
| `DAST_AUTH_URL` <sup>1,2</sup> | URL | The URL of the page containing the sign-in HTML form on the target website. `DAST_USERNAME` and `DAST_PASSWORD` are submitted with the login form to create an authenticated scan. Not supported for API scans. Example: `https://login.example.com`. |
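Review bot: the `DAST_API_SPECIFICATION` row is now flagged as removed in 15.0 but still carries its full usage description (hosted at a URL or a file in `/zap/wrk`, `DAST_WEBSITE` required if omitted), which is identical to the `DAST_API_OPENAPI` row directly above it; consider trimming the removed row to the removal notice plus the replacement, so readers are not guided to configure a variable the scanner no longer reads. Keeping the `<sup>1</sup>` marker matches how the removed `DAST_AUTH_EXCLUDE_URLS` row in the same table is formatted.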
@@ -1156,6 +1156,7 @@ A site profile contains the following:
- **Password**: The password used to authenticate to the website.
- **Username form field**: The name of username field at the sign-in HTML form.
- **Password form field**: The name of password field at the sign-in HTML form.
+ - **Submit form field**: The `id` or `name` of the element that when clicked submits the sign-in HTML form.
When an API site type is selected, a [host override](#host-override) is used to ensure the API being scanned is on the same host as the target. This is done to reduce the risk of running an active scan against the wrong API.
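Review bot: the added `**Submit form field**` bullet appears indented one space deeper than its siblings (`+ - **Submit form field**` versus `- **Password form field**`), which Markdown may render as a nested or separately spaced item; align it with the other bullets. The sentence also reads better as "the element that, when clicked, submits the sign-in HTML form", and it would help to state whether `id` or `name` is tried first when both match an element.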
@@ -1199,7 +1200,14 @@ The site profile is created.
#### Edit a site profile
-To edit an existing site profile:
+If a site profile is linked to a security policy, a user cannot edit the profile from this page. See
+[Scan execution policies](../policies/scan-execution-policies.md)
+for more information.
+
+When a validated site profile's file, header, or meta tag is edited, the site's
+[validation status](#site-profile-validation) is revoked.
+
+To edit a site profile:
1. From your project's home page, go to **Security & Compliance > Configuration**.
1. In the **DAST Profiles** row select **Manage**.
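Review bot: the new sentence says validation is revoked when a validated profile's file, header, or meta tag is edited, whereas the sentence this commit removes in a later hunk (`If a validated site profile's target URL is edited, the site's validation status is revoked.`) tied revocation to the target URL; since validation exists to prove control of the host at that URL, please confirm the product really no longer revokes on a URL change before the docs drop it. Minor: "a user cannot edit the profile" would read better as "you cannot edit the profile", matching the second-person steps that follow.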
@@ -1207,42 +1215,37 @@ To edit an existing site profile:
1. In the profile's row select the **More actions** (**{ellipsis_v}**) menu, then select **Edit**.
1. Edit the fields then select **Save profile**.
-If a site profile is linked to a security policy, a user cannot edit the profile from this page. See
-[Scan execution policies](../policies/scan-execution-policies.md)
-for more information.
-
#### Delete a site profile
-To delete an existing site profile:
+If a site profile is linked to a security policy, a user cannot delete the profile from this page.
+See [Scan execution policies](../policies/scan-execution-policies.md)
+for more information.
+
+To delete a site profile:
1. From your project's home page, go to **Security & Compliance > Configuration**.
1. In the **DAST Profiles** row select **Manage**.
1. Select the **Site Profiles** tab.
-1. In the profile's row select the **More actions** (**{ellipsis_v}**) menu, then select **Delete**.
+1. In the profile's row, select the **More actions** (**{ellipsis_v}**) menu, then select **Delete**.
1. Select **Delete** to confirm the deletion.
-If a site profile is linked to a security policy, a user cannot delete the profile from this page.
-See [Scan execution policies](../policies/scan-execution-policies.md)
-for more information.
-
#### Validate a site profile
-Prerequisites:
-
-- A site profile.
+Validating a site is required to run an active scan.
To validate a site profile:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Security & Compliance > Configuration**.
-1. In the **Dynamic Application Security Testing (DAST)** section, select **Manage scans**.
+1. In the **Dynamic Application Security Testing (DAST)** section, select **Manage profiles**.
1. Select the **Site Profiles** tab.
-1. In the profile's row select **Validate** or **Retry validation**.
+1. In the profile's row, select **Validate**.
1. Select the validation method.
1. For **Text file validation**:
1. Download the validation file listed in **Step 2**.
- 1. Upload the validation file to the host. Upload the file to the location in
- **Step 3** or any location you prefer.
+ 1. Upload the validation file to the host, to the location in **Step 3** or any location you
+ prefer.
+ 1. If required, edit the file location in **Step 3**.
1. Select **Validate**.
1. For **Header validation**:
1. Select the clipboard icon in **Step 2**.
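Review bot: navigation is now inconsistent within the page: the validate procedure says "On the top bar, select **Menu > Projects**", then **Security & Compliance > Configuration** and **Manage profiles**, while the edit and delete procedures just above say "From your project's home page" and "In the **DAST Profiles** row select **Manage**"; pick one path (the **Manage scans** to **Manage profiles** rename suggests the newer one) and use it throughout. Also, "Validating a site is required to run an active scan." replaces the prerequisites list without saying why; a short reason, echoing the earlier note about reducing the risk of running an active scan against the wrong target, would tell readers what the gate protects.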
@@ -1255,9 +1258,8 @@ To validate a site profile:
1. Select the input field in **Step 3** and enter the location of the meta tag.
1. Select **Validate**.
-The site is validated and an active scan can run against it.
-
-If a validated site profile's target URL is edited, the site's validation status is revoked.
+The site is validated and an active scan can run against it. A site profile's validation status is
+revoked only when it's revoked manually, or its file, header, or meta tag is edited.
#### Retry a failed validation
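Review bot: the replacement sentence narrows revocation to "only when it's revoked manually, or its file, header, or meta tag is edited" and drops the removed line's statement that editing the target URL revokes the status; "only" is a strong claim, so either confirm that a URL edit keeps the validated status and say so explicitly (that is the surprising case a reader would want called out), or add the URL edit back to the list. Grammar: "only when it's revoked manually or when its file, header, or meta tag is edited".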
@@ -1265,22 +1267,28 @@ If a validated site profile's target URL is edited, the site's validation status
> - [Deployed behind the `dast_failed_site_validations` flag](../../../administration/feature_flags.md), enabled by default.
> - [Feature flag `dast_failed_site_validations` removed](https://gitlab.com/gitlab-org/gitlab/-/issues/323961) in GitLab 14.4.
-If a site profile's validation fails, you can retry it by selecting the **Retry validation** button
-in the profiles list.
+Failed site validation attempts are listed on the **Site profiles** tab of the **Manage profiles**
+page.
+
+To retry a site profile's failed validation:
-When loading the DAST profiles library, past failed validations are listed above the profiles
-list. You can also retry the validation from there by selecting the **Retry validation** link in
-the alert. You can also dismiss the alert to revoke failed validations.
+1. On the top bar, select **Menu > Projects** and find your project.
+1. On the left sidebar, select **Security & Compliance > Configuration**.
+1. In the **Dynamic Application Security Testing (DAST)** section, select **Manage profiles**.
+1. Select the **Site Profiles** tab.
+1. In the profile's row, select **Retry validation**.
#### Revoke a site profile's validation status
-Note that all site profiles with the same URL have their validation status revoked.
+WARNING:
+When a site profile's validation status is revoked, all site profiles that share the same URL also
+have their validation status revoked.
To revoke a site profile's validation status:
1. From your project's home page, go to **Security & Compliance > Configuration**.
1. In the **DAST Profiles** row select **Manage**.
-1. Select **Revoke validation** beside the validated profile.
+1. Beside the validated profile, select **Revoke validation**.
The site profile's validation status is revoked.
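Review bot: the revoke procedure is missing the "Select the **Site Profiles** tab" step that the retry procedure in the same hunk includes, and the two procedures again use different navigation ("From your project's home page ... **DAST Profiles** row select **Manage**" versus "**Menu > Projects** ... **Manage profiles**"). The removed paragraph also described dismissing the failed-validation alert to revoke failed validations; if that control still exists, the new text should say where it moved, and if it was removed, that deserves a sentence since it changes how a failed validation is cleared. The added WARNING block about revocation cascading to every profile that shares the URL is a useful call-out.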
@@ -1348,40 +1356,40 @@ A scanner profile defines the scanner settings used to run an on-demand scan:
To create a scanner profile:
1. From your project's home page, go to **Security & Compliance > Configuration**.
-1. In the **DAST Profiles** row select **Manage**.
+1. In the **DAST Profiles** row, select **Manage**.
1. Select **New > Scanner Profile**.
1. Complete the form. For details of each field, see [Scanner profile](#scanner-profile).
-1. Click **Save profile**.
+1. Select **Save profile**.
#### Edit a scanner profile
+If a scanner profile is linked to a security policy, a user cannot edit the profile from this page.
+See [Scan execution policies](../policies/scan-execution-policies.md)
+for more information.
+
To edit a scanner profile:
1. From your project's home page, go to **Security & Compliance > Configuration**.
-1. Click **Manage** in the **DAST Profiles** row.
+1. In the **DAST Profiles** row, select **Manage**.
1. Select the **Scanner Profiles** tab.
-1. In the scanner's row select the **More actions** (**{ellipsis_v}**) menu, then select **Edit**.
+1. In the scanner's row, select the **More actions** (**{ellipsis_v}**) menu, then select **Edit**.
1. Edit the form.
1. Select **Save profile**.
-If a scanner profile is linked to a security policy, a user cannot edit the profile from this page.
-See [Scan execution policies](../policies/scan-execution-policies.md)
-for more information.
-
#### Delete a scanner profile
+If a scanner profile is linked to a security policy, a user cannot delete the profile from this
+page. See [Scan execution policies](../policies/scan-execution-policies.md)
+for more information.
+
To delete a scanner profile:
1. From your project's home page, go to **Security & Compliance > Configuration**.
-1. Click **Manage** in the **DAST Profiles** row.
+1. In the **DAST Profiles** row, select **Manage**.
1. Select the **Scanner Profiles** tab.
-1. In the scanner's row select the **More actions** (**{ellipsis_v}**) menu, then select **Delete**.
+1. In the scanner's row, select the **More actions** (**{ellipsis_v}**) menu, then select **Delete**.
1. Select **Delete**.
-If a scanner profile is linked to a security policy, a user cannot delete the profile from this
-page. See [Scan execution policies](../policies/scan-execution-policies.md)
-for more information.
-
## Auditing
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217872) in GitLab 14.1.
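Review bot: the wording changes in this hunk look fine (Click to Select, comma after the "In the ... row" clause); two consistency points remain: the scanner-profile steps still open with "From your project's home page" while the site-profile validate and retry steps in this commit use "**Menu > Projects**" and "**Manage profiles**", and the moved "a user cannot edit/delete the profile" sentences would read better in the second person ("you cannot") like the steps that follow them.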