# To contribute improvements to CI/CD templates, please follow the Development guide at:
# https://docs.gitlab.com/ee/development/cicd/templates.html
# This specific template is located at:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST.latest.gitlab-ci.yml

# To use this template, add the following to your .gitlab-ci.yml file:
#
# include:
#   template: DAST.latest.gitlab-ci.yml
#
# You also need to add a `dast` stage to your `stages:` configuration. A sample configuration for DAST:
#
# stages:
#   - build
#   - test
#   - deploy
#   - dast

# Read more about this feature here: https://docs.gitlab.com/ee/user/application_security/dast/

# Configure DAST with CI/CD variables (https://docs.gitlab.com/ee/ci/variables/index.html).
# List of available variables: https://docs.gitlab.com/ee/user/application_security/dast/#available-variables

variables:
  DAST_VERSION: 4
  # Setting this variable will affect all Security templates
  # (SAST, Dependency Scanning, ...)
  SECURE_ANALYZERS_PREFIX: "$CI_TEMPLATE_REGISTRY_HOST/security-products"
  DAST_IMAGE_SUFFIX: ""

dast:
  stage: dast
  image:
    name: "$SECURE_ANALYZERS_PREFIX/dast:$DAST_VERSION$DAST_IMAGE_SUFFIX"
  variables:
    GIT_STRATEGY: none
  allow_failure: true
  script:
    - export DAST_WEBSITE=${DAST_WEBSITE:-$(cat environment_url.txt)}
    - if [ -z "$DAST_WEBSITE$DAST_API_SPECIFICATION" ]; then echo "Either DAST_WEBSITE or DAST_API_SPECIFICATION must be set. See https://docs.gitlab.com/ee/user/application_security/dast/#configuration for more details." && exit 1; fi
    - /analyze
  artifacts:
    paths:
      - dast_artifacts/*
    reports:
      dast: gl-dast-report.json
  rules:
    - if: $DAST_DISABLED == 'true' || $DAST_DISABLED == '1'
      when: never
    - if: $DAST_DISABLED_FOR_DEFAULT_BRANCH == 'true' &&
          $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
      when: never
    - if: $DAST_DISABLED_FOR_DEFAULT_BRANCH == '1' &&
          $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
      when: never
    - if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME &&
          $REVIEW_DISABLED == 'true'
      when: never
    - if: $CI_DEFAULT_BRANCH != $CI_COMMIT_REF_NAME &&
          $REVIEW_DISABLED == '1'
      when: never

    # Add the job to merge request pipelines if there's an open merge request. (FIPS)
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
          $CI_GITLAB_FIPS_MODE == "true" &&
          $GITLAB_FEATURES =~ /\bdast\b/
      variables:
        DAST_IMAGE_SUFFIX: "-fips"
    # Add the job to merge request pipelines if there's an open merge request.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" &&
          $GITLAB_FEATURES =~ /\bdast\b/

    # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
    - if: $CI_OPEN_MERGE_REQUESTS
      when: never

    # Add the job to branch pipelines. (FIPS)
    - if: $CI_COMMIT_BRANCH &&
          $CI_GITLAB_FIPS_MODE == "true" &&
          $GITLAB_FEATURES =~ /\bdast\b/
      variables:
        DAST_IMAGE_SUFFIX: "-fips"
    # Add the job to branch pipelines.
    - if: $CI_COMMIT_BRANCH &&
          $GITLAB_FEATURES =~ /\bdast\b/
  after_script:
    # Remove any debug.log files because they might contain secrets.
    - rm -f /zap/wrk/**/debug.log
    - cp -r /zap/wrk dast_artifacts