Improve DAST GraphQL mutation safety gates#2073

Open
shensz2017 wants to merge 1 commit into UnitOneAI:main from shensz2017:improve/dast-graphql-mutation-safety

Conversation

@shensz2017

Bounty type

Skill Improvement ($50-150 potential bounty)

Requested bounty tier: Moderate ($100)

Related review issue: #2072

Summary

This improves dast-config by adding explicit GraphQL DAST safety gates for state-changing mutations, schema freshness, and safe scan execution.

The current skill asks reviewers to handle mutations carefully, but it does not require enough evidence to distinguish safe mutation testing from destructive active scanning against shared staging data or production-like integrations.

Changes

  • Bump dast-config skill version to 1.0.1.
  • Add GraphQL scan input discovery patterns for schema and GraphQL config artifacts.
  • Require offline schema/introspection JSON when live introspection is unavailable.
  • Add mutation safety evidence fields for schema source/freshness, mutation inventory, per-mutation scan decision, data safety controls, argument strategy, auth/session binding, and cleanup evidence.
  • Add high-risk mutation patterns for destructive state-changing operations included in active scans without sandboxing or seeded resettable data.
  • Extend severity guidance and output format with a GraphQL Scan Safety table.
  • Add vulnerable and benign fixtures for unsafe vs. controlled GraphQL mutation scanning.

Tests

Added scenario fixtures:

  • tests/vulnerable/dast-config-graphql-mutations-without-safety.yaml
  • tests/benign/dast-config-graphql-mutations-safely-controlled.yaml

Local validation performed:

  • git diff --check
  • verified required YAML keys in both new fixtures
  • marker checks for GraphQL mutation safety, high-risk mutation patterns, report table, and changelog

Payment preference

GitHub Sponsors, if accepted.
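The per-mutation scan decision the PR describes (schema freshness, mutation inventory, destructive-pattern flagging, and sandbox/seeded-data plus cleanup and auth-binding evidence) can be sketched as a small gate. This is an added illustration, not code from dast-config or this PR; the schema fragment, the control-flag names, the destructive-name regex and the seven-day freshness window are all constructed assumptions.

```python
"""Added illustration of a GraphQL mutation safety gate (not dast-config's own code)."""
import re
from datetime import date

# Assumed: mutation names starting with these verbs are treated as state-destroying.
DESTRUCTIVE = re.compile(r"^(delete|remove|purge|reset|drop|wipe|transfer)", re.I)
MAX_SCHEMA_AGE_DAYS = 7  # assumed freshness window for an offline introspection capture

# Constructed introspection-style fragment; only the Mutation type's field names matter.
SCHEMA = {"captured": "2024-05-01", "__schema": {"mutationType": {"name": "Mutation"},
    "types": [{"name": "Mutation", "fields": [{"name": "updateProfile"}, {"name": "deleteAccount"},
                                              {"name": "resetPassword"}, {"name": "createTicket"}]}]}}

def inventory(schema):
    """Return the mutation names declared in an introspection-style schema dict."""
    mname = schema["__schema"]["mutationType"]["name"]
    for t in schema["__schema"]["types"]:
        if t["name"] == mname:
            return [f["name"] for f in t["fields"]]
    return []

def schema_is_fresh(schema, today_iso):
    """True when the captured schema is no older than MAX_SCHEMA_AGE_DAYS."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(schema["captured"])
    return age.days <= MAX_SCHEMA_AGE_DAYS

def gate(schema, controls, today_iso):
    """Decide per mutation whether it may enter the active scan.

    controls: evidence flags (constructed names) -- sandboxed, seeded_resettable_data,
    cleanup_evidence, auth_binding. Anything not evidenced is treated as absent."""
    decisions = {}
    fresh = schema_is_fresh(schema, today_iso)
    isolated = controls.get("sandboxed") or controls.get("seeded_resettable_data")
    for name in inventory(schema):
        if not fresh:
            decisions[name] = "blocked: stale schema, re-introspect first"
        elif DESTRUCTIVE.match(name) and not (isolated and controls.get("cleanup_evidence")):
            decisions[name] = "blocked: destructive mutation without sandbox/seeded data and cleanup"
        elif not controls.get("auth_binding"):
            decisions[name] = "blocked: no auth/session binding evidence"
        else:
            decisions[name] = "active-scan"
    return decisions
```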