Commit 6d9da738 authored by Marcia Ramos's avatar Marcia Ramos

Merge branch 'docs/dast-cleanup' into 'master'

Add more info on how DAST works

See merge request gitlab-org/gitlab-ce!16615
parents fa037e7c d73e97bf
# Dynamic Application Security Testing with GitLab CI/CD # Dynamic Application Security Testing with GitLab CI/CD
This example shows how to run
[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis) [Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)
on your project's source code by using GitLab CI/CD. is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
to perform an analysis on your running web application.
DAST is using the popular open source tool It can be very useful combined with [Review Apps](../review_apps/index.md).
[OWASP ZAProxy](https://github.com/zaproxy/zaproxy) to perform an analysis.
## Example
All you need is a GitLab Runner with the Docker executor (the shared Runners on All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`, GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
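Review bot: the new intro sentence reads "DAST is using the popular open source tool ... to perform an analysis on your running web application"; "DAST uses" is the idiomatic form, and the link target for "Dynamic Application Security Testing (DAST)" still points at the Wikipedia article on dynamic program analysis, which is a broader topic than DAST. Suggest a DAST-specific reference, and since the intro now mentions Review Apps, a short sentence saying that the scan targets the review app's URL would tie the two together.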
...@@ -14,22 +15,26 @@ called `dast`: ...@@ -14,22 +15,26 @@ called `dast`:
```yaml ```yaml
dast: dast:
image: owasp/zap2docker-stable image: owasp/zap2docker-stable
variables:
website: "https://example.com"
script: script:
- mkdir /zap/wrk/ - mkdir /zap/wrk/
- /zap/zap-baseline.py -J gl-dast-report.json -t https://example.com || true - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
- cp /zap/wrk/gl-dast-report.json . - cp /zap/wrk/gl-dast-report.json .
artifacts: artifacts:
paths: [gl-dast-report.json] paths: [gl-dast-report.json]
``` ```
The above example will create a `dast` job in your CI pipeline and will allow The above example will create a `dast` job in your CI/CD pipeline which will run
you to download and analyze the report artifact in JSON format. the tests on the URL defined in the `website` variable (change it to use your
own) and finally write the results in the `gl-dast-report.json` file. You can
then download and analyze the report artifact in JSON format.
TIP: **Tip:** TIP: **Tip:**
Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named `dast` and the artifact path must be so, the CI job must be named `dast` and the artifact path must be
`gl-dast-report.json`. `gl-dast-report.json`.
[Learn more on dynamic application security testing results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html). [Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).
[ee]: https://about.gitlab.com/gitlab-ee/ [ee]: https://about.gitlab.com/gitlab-ee/
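Review bot: the `|| true` after `/zap/zap-baseline.py -J gl-dast-report.json -t $website` makes the `dast` job succeed regardless of the scan outcome, including when the target URL is unreachable or the script fails before writing a report, so a green pipeline does not mean the scan ran cleanly. The new paragraph "will run the tests on the URL defined in the `website` variable" should state this explicitly and mention that the job only keeps the report as an artifact rather than failing on findings. It would also help to note that `website` is a plain job variable, so for the Review Apps use case mentioned in the intro it has to be set to the review environment's URL rather than the hardcoded `https://example.com`.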