Available CI/CD variables and configuration files

History

Available CI/CD variables

CI/CD variableDescription
SECURE_ANALYZERS_PREFIXSpecify the Docker registry base address from which to download the analyzer.
APISEC_DISABLEDSet to ’true’ or ‘1’ to disable API security testing scanning.
APISEC_DISABLED_FOR_DEFAULT_BRANCHSet to ’true’ or ‘1’ to disable API security testing scanning for only the default (production) branch.
APISEC_VERSIONSpecify API security testing container version. Defaults to 3.
APISEC_IMAGE_SUFFIXSpecify a container image suffix. Defaults to none.
APISEC_API_PORTSpecify the communication port number used by API security testing engine. Defaults to 5500. Introduced in GitLab 15.5.
APISEC_TARGET_URLBase URL of API testing target.
APISEC_TARGET_CHECK_SKIPDisable waiting for target to become available. Introduced in GitLab 17.1.
APISEC_TARGET_CHECK_STATUS_CODEProvide the expected status code for target availability check. If not provided, any non-500 status code is acceptable. Introduced in GitLab 17.1.
APISEC_CONFIGAPI security testing configuration file. Defaults to .gitlab-dast-api.yml.
APISEC_PROFILEConfiguration profile to use during testing. Defaults to Quick.
APISEC_EXCLUDE_PATHSExclude API URL paths from testing.
APISEC_EXCLUDE_URLSExclude API URL from testing.
APISEC_EXCLUDE_PARAMETER_ENVJSON string containing excluded parameters.
APISEC_EXCLUDE_PARAMETER_FILEPath to a JSON file containing excluded parameters.
APISEC_REQUEST_HEADERSA comma-separated (,) list of headers to include on each scan request. Consider using APISEC_REQUEST_HEADERS_BASE64 when storing secret header values in a masked variable, which has character set restrictions.
APISEC_REQUEST_HEADERS_BASE64A comma-separated (,) list of headers to include on each scan request, Base64-encoded. Introduced in GitLab 15.6.
APISEC_OPENAPIOpenAPI specification file or URL.
APISEC_OPENAPI_RELAXED_VALIDATIONRelax document validation. Default is disabled.
APISEC_OPENAPI_ALL_MEDIA_TYPESUse all supported media types instead of one when generating requests. Causes test duration to be longer. Default is disabled.
APISEC_OPENAPI_MEDIA_TYPESColon (:) separated media types accepted for testing. Default is disabled.
APISEC_HARHTTP Archive (HAR) file.
APISEC_GRAPHQLPath to GraphQL endpoint, for example /api/graphql. Introduced in GitLab 15.4.
APISEC_GRAPHQL_SCHEMAA URL or filename for a GraphQL schema in JSON format. Introduced in GitLab 15.4.
APISEC_POSTMAN_COLLECTIONPostman Collection file.
APISEC_POSTMAN_COLLECTION_VARIABLESPath to a JSON file to extract Postman variable values. The support for comma-separated (,) files was introduced in GitLab 15.1.
APISEC_OVERRIDES_FILEPath to a JSON file containing overrides.
APISEC_OVERRIDES_ENVJSON string containing headers to override.
APISEC_OVERRIDES_CMDOverrides command.
APISEC_OVERRIDES_CMD_VERBOSEWhen set to any value. It logs overrides command output to the gl-api-security-scanner.log job artifact file.
APISEC_PER_REQUEST_SCRIPTFull path and filename for a per-request script. See demo project for examples. Introduced in GitLab 17.2.
APISEC_PRE_SCRIPTRun user command or script before scan session starts. sudo must be used for privileged operations like installing packages.
APISEC_POST_SCRIPTRun user command or script after scan session has finished. sudo must be used for privileged operations like installing packages.
APISEC_OVERRIDES_INTERVALHow often to run overrides command in seconds. Defaults to 0 (once).
APISEC_HTTP_USERNAMEUsername for HTTP authentication.
APISEC_HTTP_PASSWORDPassword for HTTP authentication. Consider using APISEC_HTTP_PASSWORD_BASE64 instead.
APISEC_HTTP_PASSWORD_BASE64Password for HTTP authentication, base64-encoded. Introduced in GitLab 15.4.
APISEC_SERVICE_START_TIMEOUTHow long to wait for target API to become available in seconds. Default is 300 seconds.
APISEC_TIMEOUTHow long to wait for API responses in seconds. Default is 30 seconds.
APISEC_SUCCESS_STATUS_CODESSpecify a comma-separated (,) list of HTTP success status codes that determine whether an API security testing scanning job has passed. Introduced in GitLab 17.1. Example: '200, 201, 204'

Configuration files

To get you started quickly, GitLab provides the configuration file gitlab-dast-api-config.yml. This file has several testing profiles that perform various numbers of tests. The run time of each profile increases as the test numbers go up. To use a configuration file, add it to your repository’s root as .gitlab/gitlab-dast-api-config.yml.

Profiles

The following profiles are pre-defined in the default configuration file. Profiles can be added, removed, and modified by creating a custom configuration.

Passive

  • Application Information Check
  • Cleartext Authentication Check
  • JSON Hijacking Check
  • Sensitive Information Check
  • Session Cookie Check

Quick

  • Application Information Check
  • Cleartext Authentication Check
  • FrameworkDebugModeCheck
  • HTML Injection Check
  • Insecure Http Methods Check
  • JSON Hijacking Check
  • JSON Injection Check
  • Sensitive Information Check
  • Session Cookie Check
  • SQL Injection Check
  • Token Check
  • XML Injection Check

Full

  • Application Information Check
  • Cleartext AuthenticationCheck
  • CORS Check
  • DNS Rebinding Check
  • Framework Debug Mode Check
  • HTML Injection Check
  • Insecure Http Methods Check
  • JSON Hijacking Check
  • JSON Injection Check
  • Open Redirect Check
  • Sensitive File Check
  • Sensitive Information Check
  • Session Cookie Check
  • SQL Injection Check
  • TLS Configuration Check
  • Token Check
  • XML Injection Check