Enabling the analyzer
To run a DAST scan:
- Read the requirements conditions for running a DAST scan.
- Create a DAST job in your CI/CD pipeline.
- Authenticate as a user if your application requires it.
The DAST job runs in a Docker container defined by the image
keyword in the DAST CI/CD template file.
When you run the job, DAST connects to the target application specified by the DAST_TARGET_URL
variable
and crawls the site using an embedded browser.
Create a DAST CI/CD job
To add DAST scanning to your application, use the DAST job defined in the GitLab DAST CI/CD template file. Updates to the template are provided with GitLab upgrades, allowing you to benefit from any improvements and additions.
To create the CI/CD job:
-
Include the appropriate CI/CD template:
-
DAST.gitlab-ci.yml
: Stable version of the DAST CI/CD template. -
DAST.latest.gitlab-ci.yml
: Latest version of the DAST template.
WARNING: The latest version of the template may include breaking changes. Use the stable template unless you need a feature provided only in the latest template.
For more information about template versioning, see the CI/CD documentation.
-
-
Add a
dast
stage to your GitLab CI/CD stages configuration. -
Define the URL to be scanned by DAST by using one of these methods:
-
Set the
DAST_TARGET_URL
CI/CD variable. If set, this value takes precedence. -
Adding the URL in an
environment_url.txt
file at your project's root is great for testing in dynamic environments. To run DAST against an application dynamically created during a GitLab CI/CD pipeline, write the application URL to anenvironment_url.txt
file. DAST automatically reads the URL to find the scan target.You can see an example of this in our Auto DevOps CI YAML.
-
For example:
stages:
- dast
include:
- template: Security/DAST.gitlab-ci.yml
dast:
variables:
DAST_TARGET_URL: "https://example.com"
DAST_AUTH_USERNAME: "test_user"
DAST_AUTH_USERNAME_FIELD: "name:user[login]"
DAST_AUTH_PASSWORD_FIELD: "name:user[password]"