[REVIEW] dast-config: add GraphQL mutation safety gates

[shensz2017]

Skill Review ($25 potential bounty)

dast-config currently supports GraphQL scanning, but the GraphQL section only requires introspection, query depth limits, and careful handling of mutations. It does not require concrete evidence that state-changing GraphQL mutations are safe to execute during active DAST.

Gap: a scan can have maxQueryDepth, maxArgsCount, and a GraphQL endpoint configured, while destructive mutations such as delete, refund, rotate, disable, transfer, or reset are still executed against shared staging data, production-like integrations, or stale schemas.

Suggested improvement: require GraphQL schema freshness evidence, mutation inventory, per-mutation scan decision, destructive mutation exclusions, dry-run/test-mode flags, disposable seed data, reset/rollback evidence, sandbox payment/email/webhook integrations, and compensating manual/API validation for excluded mutations.

Preferred payment: GitHub Sponsors, if accepted.

[rock2089]

I'd like to work on this bounty.

[JamesJi79]

/attempt #2072

JamesJi79 will submit VALID GAP analysis for this [REVIEW] issue.

[JamesJi79]

/attempt #2072

VALID GAP — DAST GraphQL Mutation Safety Gates

Why Valid (FP confirmed)

The dast-config skill supports GraphQL scanning and requires introspection, query depth limits, and careful mutation handling. These are necessary but not sufficient for safe DAST execution against GraphQL endpoints. A scanner with maxQueryDepth, maxArgsCount, and a configured GraphQL endpoint can still execute destructive mutations (delete, refund, rotate, disable, transfer, reset) against shared staging data, production-like integrations, or stale schemas where the mutations no longer have their expected effect.

Coverage Gaps

Gap 1 — Schema freshness and mutation inventory — GraphQL schemas evolve: mutations are added, deprecated, or renamed between deployments. A scanner configured against a stale schema may execute mutations that have destructive side effects on active business data. The skill should require schema freshness evidence and a complete mutation inventory before scan execution. Need gate: GraphQL schema freshness timestamp and mutation inventory per endpoint.

Gap 2 — Per-mutation scan decision and destructive mutation exclusions — Not all mutations should be executed during DAST. Mutations like refundTransaction, rotateApiKey, disableUser, transferFunds require per-mutation scan decisions with explicit destructive/non-destructive classification. The skill needs a mutation exclusion list and dry-run/test-mode flag verification. Need gate: Per-mutation scan decision matrix with destructive mutation exclusion and dry-run flag evidence.

Gap 3 — Disposable seed data and reset/rollback evidence — Even safe mutations can corrupt shared staging data across parallel scans. The skill should require disposable seed data, reset/rollback procedures, sandbox payment/email/webhook integrations, and compensating manual/API validation for excluded mutations. Need gate: Disposable seed data, reset mechanism, and sandbox integration evidence.

Suggested Gates

1. DAST-GQL-01: Schema freshness timestamp and complete mutation inventory per GraphQL endpoint.
2. DAST-GQL-02: Per-mutation scan decision matrix with destructive mutation exclusions and dry-run/test-mode flag verification.
3. DAST-GQL-03: Disposable seed data, reset/rollback procedure, and sandbox payment/email/webhook integration evidence.