Commit 63d34af0 authored by Dennis Appelt's avatar Dennis Appelt Committed by Russell Dickenson

Add instructions for masking credentials

parent 334e93b1
......@@ -145,7 +145,14 @@ the site during a scan could lead to inaccurate results.
### Authentication
It's also possible to authenticate the user before performing the DAST checks:
It's also possible to authenticate the user before performing the DAST checks.
Create masked variables to pass the credentials that DAST will use.
To create masked variables for the username and password, see [Create a custom variable in the UI](../../../ci/variables/README.md#create-a-custom-variable-in-the-ui).
Note that the key of the username variable must be `DAST_USERNAME`
and the key of the password variable must be `DAST_PASSWORD`.
Other variables that are related to authenticated scans are:
```yaml
include:
......@@ -154,8 +161,6 @@ include:
variables:
DAST_WEBSITE: https://example.com
DAST_AUTH_URL: https://example.com/sign-in
DAST_USERNAME: john.doe@example.com
DAST_PASSWORD: john-doe-password
DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment