Commit d73e97b

Add more info on how DAST works
1 parent 5fb13c8 commit d73e97b

File tree

1 file changed

+13
-8
lines changed

doc/ci/examples/dast.md

+13-8
@@ -1,11 +1,12 @@
11
# Dynamic Application Security Testing with GitLab CI/CD
22

3-
This example shows how to run
43
[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)
5-
on your project's source code by using GitLab CI/CD.
4+
is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
5+
to perform an analysis on your running web application.
66

7-
DAST is using the popular open source tool
8-
[OWASP ZAProxy](https://github.com/zaproxy/zaproxy) to perform an analysis.
7+
It can be very useful combined with [Review Apps](../review_apps/index.md).
8+
9+
## Example
910

1011
All you need is a GitLab Runner with the Docker executor (the shared Runners on
1112
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
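Review bot: The rewritten intro in this hunk no longer parses as a sentence: with old line 5 dropped, lines 3 and 4+ now read "This example shows how to run [DAST](...) is using the popular open source tool ...". Either close the first sentence after the DAST link (for example keep "on your project by using GitLab CI/CD.") and start a new sentence with "DAST is using ...", or change line 4+ to "using the popular open source tool ..." without "is". Also note that the DAST link targets the Wikipedia article on dynamic program analysis in general rather than DAST specifically; acceptable to keep, but a DAST-specific reference would be more precise.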
@@ -14,22 +15,26 @@ called `dast`:
1415
```yaml
1516
dast:
1617
image: owasp/zap2docker-stable
18+
variables:
19+
website: "https://example.com"
1720
script:
1821
- mkdir /zap/wrk/
19-
- /zap/zap-baseline.py -J gl-dast-report.json -t https://example.com || true
22+
- /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
2023
- cp /zap/wrk/gl-dast-report.json .
2124
artifacts:
2225
paths: [gl-dast-report.json]
2326
```
2427
25-
The above example will create a `dast` job in your CI pipeline and will allow
26-
you to download and analyze the report artifact in JSON format.
28+
The above example will create a `dast` job in your CI/CD pipeline which will run
29+
the tests on the URL defined in the `website` variable (change it to use your
30+
own) and finally write the results in the `gl-dast-report.json` file. You can
31+
then download and analyze the report artifact in JSON format.
2732

2833
TIP: **Tip:**
2934
Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will
3035
be automatically extracted and shown right in the merge request widget. To do
3136
so, the CI job must be named `dast` and the artifact path must be
3237
`gl-dast-report.json`.
33-
[Learn more on dynamic application security testing results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).
38+
[Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).
3439

3540
[ee]: https://about.gitlab.com/gitlab-ee/
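Review bot: On line 22+ the new `$website` variable is expanded unquoted; quote it (`-t "$website"`) so a URL containing shell metacharacters, such as `&` in a query string, does not break the command. The `|| true` on the same line makes the job succeed regardless of the scanner's exit status, which also masks `zap-baseline.py` failing to start at all, so the new paragraph at lines 28+ to 31+ should state that findings never fail the pipeline and have to be read from the `gl-dast-report.json` artifact or the merge request widget; otherwise readers may take a green `dast` job for a clean scan.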
