I have a question: Does the CI/CD InsightAppSec Scan only touch pushed data, or does it get triggered by push action and scan the whole repository?
So when you trigger a scan with our GitLab CI/CD integration, you give it a parameter called SCAN_CONFIG_ID, which then triggers the scanning of the website. This ID correlates to a scan config in the AppSec platform, which defines how the scan will run.
Since AppSec is a DAST tool, the code change in question needs to be fully deployed before you can run the scan. It scans the website itself, not the code directly. The most common implementation will be to have GitLab trigger a scan whenever an update to Dev/QA is deployed.
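As an added illustration (not from the original thread and not Rapid7's own template), here is a pipeline layout that enforces the ordering the answer describes: the scan job sits in a stage after deployment and declares a `needs` dependency, so the DAST scan runs against the freshly deployed Dev site rather than the pushed code. The image name, API-key variable and script paths are assumptions; only SCAN_CONFIG_ID comes from the thread.

```yaml
# Added example, not from the original post or the vendor's template.
# Placeholders (assumed, not from the thread): INSIGHTAPPSEC_SCAN_IMAGE,
# INSIGHTAPPSEC_API_KEY, DEV_TARGET_URL and the ./ci/*.sh scripts.
stages:
  - build
  - deploy
  - dast            # DAST stage comes last: it needs a running site, not source code

build:
  stage: build
  script:
    - ./ci/build.sh                 # placeholder build step

deploy_dev:
  stage: deploy
  environment:
    name: dev
    url: $DEV_TARGET_URL            # placeholder: the URL the scan config targets
  script:
    - ./ci/deploy.sh dev            # placeholder: must complete before the scan starts
  rules:
    - if: '$CI_COMMIT_BRANCH == "develop"'

insightappsec_scan:
  stage: dast
  image: $INSIGHTAPPSEC_SCAN_IMAGE  # placeholder for the vendor-provided scan image
  needs: ["deploy_dev"]             # explicit dependency: never scan a stale deployment
  variables:
    # Copy this from the scan config in the AppSec platform; placeholder value here.
    SCAN_CONFIG_ID: "00000000-0000-0000-0000-000000000000"
  script:
    # INSIGHTAPPSEC_API_KEY should be a masked, protected CI/CD variable, never in the repo.
    - echo "Triggering scan config $SCAN_CONFIG_ID against $DEV_TARGET_URL"
    - ./ci/run-insightappsec-scan.sh  # placeholder for the integration's entry point
  rules:
    - if: '$CI_COMMIT_BRANCH == "develop"'
```

The `rules` keep the scan tied to the branch that feeds the Dev environment, so a push to a feature branch that is never deployed does not trigger a scan of an unrelated site.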