We have a DAST job for our API that used to take about 20 to 30 minutes to successfully complete. Since DAST upgraded to 5.21.0, the job can take 90 minutes or more.
I followed some of the suggestions here: https://about.gitlab.com/blog/2020/08/31/how-to-configure-dast-full-scans-for-complex-web-applications
I split up the `dast_api` job into two jobs to run in parallel, one job excluding half of the irrelevant rules and the other job excluding the other half of the irrelevant rules, but both jobs ran and completed at the same speed (approximately 90 minutes).
Then I kept `dast_api` as one job with these test runs:
- With DAST_ONLY_INCLUDE_RULES: "90018"
  - Expected the job to complete quickly because I set only 1 rule, but the job still took around 90 minutes to complete.
- Current implementation below: one job and using DAST_EXCLUDE_RULES (I got this list from here: https://gitlab.com/gitlab-org/gitlab/-/blob/8b1557c02fe5519ba952ea59c93b84912dd357b4/.gitlab/ci/dast.gitlab-ci.yml)
  - Expected the job to complete quickly because I excluded numerous rules, but it is still taking more than 90 minutes to complete.
```yaml
dast_api:
  services:
    - name: registry.gitlab.com/company/docker:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHORT_SHA}
      alias: company
  variables:
    DAST_API_GRAPHQL: /graphql
    DAST_API_TARGET_URL: http://localhost:9000/
    DAST_API_OVERRIDES_FILE: dast-api-overrides.json
    DAST_EXCLUDE_RULES: "41,42,43,10027,10032,10041,10042,10045,10047,10052,10053,10057,10061,10096,10097,10104,10106,20012,20014,20015,20016,20017,20018,40019,40020,40021,40024,40025,40027,40029,40032,90001,90019,10109,10026,10028,10029,10030,10031,10033,10034,10035,10036,10038,10039,10043,10044,10048,10050,10051,10058,10062,10095,10107,10108,30003,40013,40022,40023,40028,90021,90023,90024,90025,90027,90028,10003,50003,0,2,3,6,7,10010,10011,10015,10017,10019,10020,10021,10023,10024,10025,10037,10040,10054,10055,10056,10098,10105,10202,20019,30001,30002,40003,40008,40009,40012,40014,40016,40017,40018,50000,50001,90011,90020,90022,90033"
    KUBERNETES_CPU_REQUEST: "4"
    KUBERNETES_CPU_LIMIT: "4"
    KUBERNETES_MEMORY_REQUEST: "2Gi"
    KUBERNETES_MEMORY_LIMIT: "2Gi"
    KUBERNETES_SERVICE_CPU_REQUEST: "500m"
    KUBERNETES_SERVICE_CPU_LIMIT: "500m"
    KUBERNETES_SERVICE_MEMORY_REQUEST: "1Gi"
    KUBERNETES_SERVICE_MEMORY_LIMIT: "1Gi"
    JAVA_OPTS_APPEND: "-Djava.net.preferIPv4Stack=false -Djava.net.preferIPv6Addresses=true"
  rules:
    - if: $CI_COMMIT_BRANCH == "add-dast"
  timeout: 3h
```
Right now, it looks like DAST_EXCLUDE_RULES and DAST_ONLY_INCLUDE_RULES are having no discernible effect.
Again, the job is completing, but taking more than 90 minutes. We are aiming to get the job to complete in 20 to 30 minutes.
- Is anyone else experiencing the same issue?
- Am I missing anything in the `dast_api` job?
- Would the next option be to increase the CPU limit?
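A pre-flight check for the `variables` block of a job like the one above, added here as an example and not part of the post or of GitLab's code. It relies on two documented facts: the `dast_api` analyzer reads variables with the `DAST_API_` prefix (`DAST_API_TARGET_URL`, `DAST_API_OVERRIDES_FILE`, ...), while `DAST_EXCLUDE_RULES` and `DAST_ONLY_INCLUDE_RULES` are variables of the proxy-based `dast` job, whose rule IDs are ZAP scan-rule IDs. The check flags misplaced `DAST_` variables and validates the rule lists themselves (malformed tokens, duplicates, an ID that is both included and excluded). `JOB_VARIABLES` is a constructed, shortened copy of the poster's values.

```python
import re

# Constructed from the dast_api job in the post above (rule list shortened).
JOB_VARIABLES = {
    "DAST_API_GRAPHQL": "/graphql",
    "DAST_API_TARGET_URL": "http://localhost:9000/",
    "DAST_API_OVERRIDES_FILE": "dast-api-overrides.json",
    "DAST_EXCLUDE_RULES": "41,42,43,10027,10032,10041",
    "DAST_ONLY_INCLUDE_RULES": "90018",
}

# ZAP rule-list variables documented for the proxy-based `dast` job.
RULE_LIST_VARS = ("DAST_EXCLUDE_RULES", "DAST_ONLY_INCLUDE_RULES")


def parse_rule_ids(value):
    """Split a comma-separated rule ID list; return (ids, malformed tokens)."""
    ids, bad = [], []
    for tok in value.split(","):
        tok = tok.strip()
        if re.fullmatch(r"\d+", tok):
            ids.append(int(tok))
        elif tok:
            bad.append(tok)
    return ids, bad


def check_dast_api_variables(variables):
    """Return human-readable findings for a dast_api job's variables block."""
    findings = []
    # A DAST_ variable without the DAST_API_ prefix targets the proxy-based
    # dast job and will be silently ignored by the dast_api analyzer.
    for name in variables:
        if name.startswith("DAST_") and not name.startswith("DAST_API_"):
            findings.append(f"{name}: proxy-based dast variable, not read by dast_api")
    parsed = {}
    for name in RULE_LIST_VARS:
        if name in variables:
            ids, bad = parse_rule_ids(variables[name])
            parsed[name] = set(ids)
            for tok in bad:
                findings.append(f"{name}: malformed rule ID {tok!r}")
            dupes = {i for i in ids if ids.count(i) > 1}
            if dupes:
                findings.append(f"{name}: duplicate IDs {sorted(dupes)}")
    # Including and excluding the same rule is contradictory configuration.
    both = parsed.get("DAST_EXCLUDE_RULES", set()) & parsed.get("DAST_ONLY_INCLUDE_RULES", set())
    if both:
        findings.append(f"rule IDs both included and excluded: {sorted(both)}")
    return findings


if __name__ == "__main__":
    for finding in check_dast_api_variables(JOB_VARIABLES):
        print(finding)
```

Run against the poster's variables, the check reports both rule-list variables as proxy-based `dast` settings, which is consistent with them having no effect on the `dast_api` job's duration.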