Enabling the analyzer
To run a DAST scan:
- Read the requirements for running a DAST scan.
- Create a DAST job in your CI/CD pipeline.
- Authenticate as a user if your application requires it.
The DAST job runs in a Docker container defined by the image keyword in the DAST CI/CD template file. When the job runs, DAST connects to the target application specified by the DAST_TARGET_URL variable and crawls the site using an embedded browser.
Create a DAST CI/CD job
To add DAST scanning to your application, use the DAST job defined in the GitLab DAST CI/CD template file. Updates to the template are provided with GitLab upgrades, allowing you to benefit from any improvements and additions.
To create the CI/CD job:
1. Include the appropriate CI/CD template:
   - DAST.gitlab-ci.yml: Stable version of the DAST CI/CD template.
   - DAST.latest.gitlab-ci.yml: Latest version of the DAST template.
   The latest version of the template may include breaking changes. Use the stable template unless you need a feature provided only in the latest template.
2. Add a dast stage to your GitLab CI/CD stages configuration.
3. Define the URL to be scanned by DAST by using one of these methods:
   - Set the DAST_TARGET_URL CI/CD variable. If set, this value takes precedence.
   - Add the URL to an environment_url.txt file at your project's root. This is useful for testing in dynamic environments: to run DAST against an application created during a GitLab CI/CD pipeline, write the application URL to an environment_url.txt file. DAST automatically reads the URL to find the scan target. You can see an example of this in our Auto DevOps CI YAML.
For example:
```yaml
stages:
  - dast

include:
  - template: Security/DAST.gitlab-ci.yml

dast:
  variables:
    DAST_TARGET_URL: "https://example.com"
    # Username and the CSS-style selectors for the login form fields.
    # Do not put the password in the YAML; supply it as a masked CI/CD variable.
    DAST_AUTH_USERNAME: "test_user"
    DAST_AUTH_USERNAME_FIELD: "name:user[login]"
    DAST_AUTH_PASSWORD_FIELD: "name:user[password]"
```
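The example above hard-codes the target URL. The following is an added example, not part of the original page or of the GitLab template, showing the environment_url.txt method for a review environment whose URL is only known at pipeline time. The deploy_review job name, the deploy-review-app.sh script and the review.example.com hostname pattern are assumptions; the dast job itself comes unchanged from the included template. It assumes the scan targets a non-production review deployment.

```yaml
stages:
  - deploy
  - dast

include:
  - template: Security/DAST.gitlab-ci.yml

# Assumed job: deploys a review app for this branch and records its URL.
deploy_review:
  stage: deploy
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    # Assumed hostname pattern for review apps.
    url: https://$CI_ENVIRONMENT_SLUG.review.example.com
  script:
    # Assumed deployment script (not shown).
    - ./deploy-review-app.sh
    # CI_ENVIRONMENT_URL is populated from environment.url above.
    # The file must be at the project root, where DAST looks for it.
    - echo "$CI_ENVIRONMENT_URL" > environment_url.txt
  # Hand the file to later stages; the template's dast job runs in the
  # dast stage and downloads artifacts from earlier stages by default.
  artifacts:
    paths:
      - environment_url.txt

# DAST_TARGET_URL is deliberately not set anywhere in this pipeline:
# if it were, it would take precedence over environment_url.txt.
```

If the dast job reports that no target URL was found, check that environment_url.txt is listed under artifacts in the deploying job and that no DAST_TARGET_URL variable is defined at the project or group level overriding the file.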