Add more info on how DAST works

d73e97bf · Achilleas Pipinellis · 5fb13c81 · d73e97bf
Commit d73e97bf authored Jan 22, 2018 by Achilleas Pipinellis
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 8 deletions

doc/ci/examples/dast.md doc/ci/examples/dast.md +13 -8

No files found.
--- a/doc/ci/examples/dast.md
+++ b/doc/ci/examples/dast.md
 # Dynamic Application Security Testing with GitLab CI/CD

-This example shows how to run
 [Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)
-on your project's source code by using GitLab CI/CD.
+is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
+to perform an analysis on your running web application.

-DAST is using the popular open source tool
-[OWASP ZAProxy](https://github.com/zaproxy/zaproxy) to perform an analysis.
+It can be very useful combined with [Review Apps](../review_apps/index.md).
+
+## Example

 All you need is a GitLab Runner with the Docker executor (the shared Runners on
 GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
@@ -14,22 +15,26 @@ called `dast`:
 ```yaml
 dast:
  image: owasp/zap2docker-stable
+  variables:
+    website: "https://example.com"
  script:
    - mkdir /zap/wrk/
-    - /zap/zap-baseline.py -J gl-dast-report.json -t https://example.com || true
+    - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]
 ```

-The above example will create a `dast` job in your CI pipeline and will allow
-you to download and analyze the report artifact in JSON format.
+The above example will create a `dast` job in your CI/CD pipeline which will run
+the tests on the URL defined in the `website` variable (change it to use your
+own) and finally write the results in the `gl-dast-report.json` file. You can
+then download and analyze the report artifact in JSON format.

 TIP: **Tip:**
 Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will
 be automatically extracted and shown right in the merge request widget. To do
 so, the CI job must be named `dast` and the artifact path must be
 `gl-dast-report.json`.
-[Learn more on dynamic application security testing results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).
+[Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).

 [ee]: https://about.gitlab.com/gitlab-ee/