Skip to content

G
gitlab-ce
Commit d73e97bf authored by Achilleas Pipinellis's avatar Achilleas Pipinellis
Browse files
Options

Add more info on how DAST works

parent 5fb13c81
Hide whitespace changes
Inline Side-by-side
Showing with 13 additions and 8 deletions
doc/ci/examples/dast.md
View file @ d73e97bf
# Dynamic Application Security Testing with GitLab CI/CD # Dynamic Application Security Testing with GitLab CI/CD
This example shows how to run
[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis) [Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)
on your project's source code by using GitLab CI/CD. is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
to perform an analysis on your running web application.
DAST is using the popular open source tool It can be very useful combined with [Review Apps](../review_apps/index.md).
[OWASP ZAProxy](https://github.com/zaproxy/zaproxy) to perform an analysis.
## Example
All you need is a GitLab Runner with the Docker executor (the shared Runners on All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`, GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
...@@ -14,22 +15,26 @@ called `dast`: ...@@ -14,22 +15,26 @@ called `dast`:
```yaml ```yaml
dast: dast:
image: owasp/zap2docker-stable image: owasp/zap2docker-stable
variables:
website: "https://example.com"
script: script:
- mkdir /zap/wrk/ - mkdir /zap/wrk/
- /zap/zap-baseline.py -J gl-dast-report.json -t https://example.com || true - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
- cp /zap/wrk/gl-dast-report.json . - cp /zap/wrk/gl-dast-report.json .
artifacts: artifacts:
paths: [gl-dast-report.json] paths: [gl-dast-report.json]
``` ```
The above example will create a `dast` job in your CI pipeline and will allow The above example will create a `dast` job in your CI/CD pipeline which will run
you to download and analyze the report artifact in JSON format. the tests on the URL defined in the `website` variable (change it to use your
own) and finally write the results in the `gl-dast-report.json` file. You can
then download and analyze the report artifact in JSON format.
TIP: **Tip:** TIP: **Tip:**
Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named `dast` and the artifact path must be so, the CI job must be named `dast` and the artifact path must be
`gl-dast-report.json`. `gl-dast-report.json`.
[Learn more on dynamic application security testing results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html). [Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).
[ee]: https://about.gitlab.com/gitlab-ee/ [ee]: https://about.gitlab.com/gitlab-ee/
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7