Situation
Currently, when a web scan is running, SecHub sends a header X-SECHUB-DAST with the job UUID inside.
It is also possible to define a custom header with an explicit value.
Why is this interesting? Because this is a good way to identify whether the web site is really under attack or whether it is a web scan by SecHub...
Problem
When it comes to triage (is this from SecHub or a real attack?), it is currently not easy to automate. An attacker could generate some random UUIDs and it could look like a valid SecHub scan.
Wanted
As a SecHub project, I want to be able to define my own (internally known) identifier for X-SECHUB-DAST which can be used for automated triage.
Solution
Inside the SecHub configuration file, users are able to define their own sechub-identifier.
If the identifier is defined inside the configuration file, the X-SECHUB-DAST header will be set to the custom scan identifier during a web scan. If it is not set, X-SECHUB-DAST will contain the SecHub job UUID as a fallback (as before).
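The automated triage the issue asks for, as an added example (not SecHub project code): a classifier that inspects the X-SECHUB-DAST header of an incoming request and only treats the request as a SecHub scan when the header carries the project's internally known identifier. A value that merely looks like a job UUID is reported separately, because, as the issue notes, anyone can generate one. The constant KNOWN_SCAN_IDENTIFIER, the verdict names and the sample requests are assumptions made for the example; the page does not name a configuration key or a UUID format.

```python
"""Triage helper for requests carrying the X-SECHUB-DAST header.

Added example, not code from the SecHub project. Assumptions (not on the page):
the project's custom identifier is distributed to the triage side as the
constant KNOWN_SCAN_IDENTIFIER, and the job UUID fallback is a standard UUID string.
"""
import hmac
import re
from collections import Counter

HEADER_NAME = "X-SECHUB-DAST"

# Hypothetical: the "internally known" identifier configured for the SecHub project.
KNOWN_SCAN_IDENTIFIER = "proj-alpha-dast-7f3c9b2e"

# RFC 4122 UUID text form: 8-4-4-4-12 hex digits, version nibble 1-5, variant 8/9/a/b.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$",
    re.IGNORECASE,
)


def header_value(headers: dict, name: str):
    """Return the value of header `name`, ignoring case (HTTP field names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def classify(headers: dict) -> str:
    """Classify one request by its X-SECHUB-DAST header.

    Verdicts:
      'sechub'          - header matches the project's configured identifier
      'unverified-uuid' - header is a well-formed UUID; cannot be verified locally,
                          since an attacker can mint one just as easily
      'unknown'         - header present but neither the identifier nor a UUID
      'no-header'       - header absent; ordinary traffic or a real attack
    """
    value = header_value(headers, HEADER_NAME)
    if value is None:
        return "no-header"
    # Constant-time comparison: the triage step must not turn into a
    # timing oracle for the identifier it is meant to protect.
    if hmac.compare_digest(value.encode("utf-8"), KNOWN_SCAN_IDENTIFIER.encode("utf-8")):
        return "sechub"
    if UUID_RE.match(value):
        return "unverified-uuid"
    return "unknown"


# Constructed sample requests (header dicts), not captured traffic.
SAMPLE_REQUESTS = [
    {"Host": "app.example", "X-SECHUB-DAST": KNOWN_SCAN_IDENTIFIER},           # real scan
    {"Host": "app.example", "x-sechub-dast": "c3d9f2a0-6b1e-4f7a-9c2d-1a2b3c4d5e6f"},  # random UUID
    {"Host": "app.example", "X-SECHUB-DAST": "proj-alpha-dast-7f3c9b2f"},      # one-character miss
    {"Host": "app.example", "User-Agent": "sqlmap/1.7"},                      # no header at all
]


def triage(requests) -> Counter:
    """Count verdicts over a batch of requests; only 'sechub' entries can be dropped from alerting."""
    return Counter(classify(h) for h in requests)


if __name__ == "__main__":
    for verdict, count in sorted(triage(SAMPLE_REQUESTS).items()):
        print(f"{verdict:16} {count}")
```

The custom identifier acts as a shared secret that is sent in clear with every scan request, so it is only as strong as its secrecy: anyone who can read the scanner's traffic or a log that records the header can replay it. Keep it out of shared access logs, rotate it when the scan setup changes, and treat 'unverified-uuid' as ordinary traffic rather than as a scan.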