2018-03-17 18:26:18 +05:30
|
|
|
# Dynamic Application Security Testing with GitLab CI/CD
|
|
|
|
|
2018-12-13 13:39:08 +05:30
|
|
|
CAUTION: **Caution:**
|
|
|
|
The job definition shown below is supported on GitLab 11.5 and later versions.
|
|
|
|
It also requires the GitLab Runner 11.5 or later.
|
|
|
|
For earlier versions, use the [previous job definitions](#previous-job-definitions).
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)
|
|
|
|
is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
|
|
|
|
to perform an analysis on your running web application.
|
2018-12-13 13:39:08 +05:30
|
|
|
Since it is based on [ZAP Baseline](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan)
|
|
|
|
DAST will perform passive scanning only;
|
|
|
|
it will not actively attack your application.
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
It can be very useful combined with [Review Apps](../review_apps/index.md).
|
|
|
|
|
|
|
|
## Example
|
|
|
|
|
2018-12-13 13:39:08 +05:30
|
|
|
First, you need GitLab Runner with
|
|
|
|
[docker-in-docker executor](../docker/using_docker_build.md#use-docker-in-docker-executor).
|
|
|
|
|
|
|
|
Once you set up the Runner, add a new job to `.gitlab-ci.yml` that
|
|
|
|
generates the expected report:
|
2018-03-17 18:26:18 +05:30
|
|
|
|
|
|
|
```yaml
|
|
|
|
dast:
|
2018-05-09 12:01:36 +05:30
|
|
|
image: registry.gitlab.com/gitlab-org/security-products/zaproxy
|
2018-03-17 18:26:18 +05:30
|
|
|
variables:
|
|
|
|
website: "https://example.com"
|
2018-05-09 12:01:36 +05:30
|
|
|
allow_failure: true
|
2018-03-17 18:26:18 +05:30
|
|
|
script:
|
|
|
|
- mkdir /zap/wrk/
|
|
|
|
- /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
|
|
|
|
- cp /zap/wrk/gl-dast-report.json .
|
|
|
|
artifacts:
|
2018-12-13 13:39:08 +05:30
|
|
|
reports:
|
|
|
|
dast: gl-dast-report.json
|
2018-03-17 18:26:18 +05:30
|
|
|
```
|
|
|
|
|
|
|
|
The above example will create a `dast` job in your CI/CD pipeline which will run
|
|
|
|
the tests on the URL defined in the `website` variable (change it to use your
|
2018-12-13 13:39:08 +05:30
|
|
|
own) and scan it for possible vulnerabilities. The report will be saved as a
|
2019-03-02 22:35:43 +05:30
|
|
|
[DAST report artifact](../yaml/README.md#artifactsreportsdast-ultimate)
|
2018-12-13 13:39:08 +05:30
|
|
|
that you can later download and analyze.
|
|
|
|
Due to implementation limitations we always take the latest DAST artifact available.
|
2018-03-17 18:26:18 +05:30
|
|
|
|
2018-05-09 12:01:36 +05:30
|
|
|
It's also possible to authenticate the user before performing DAST checks:
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
dast:
|
|
|
|
image: registry.gitlab.com/gitlab-org/security-products/zaproxy
|
|
|
|
variables:
|
|
|
|
website: "https://example.com"
|
|
|
|
login_url: "https://example.com/sign-in"
|
2018-12-13 13:39:08 +05:30
|
|
|
username: "john.doe@example.com"
|
|
|
|
password: "john-doe-password"
|
2018-05-09 12:01:36 +05:30
|
|
|
allow_failure: true
|
|
|
|
script:
|
|
|
|
- mkdir /zap/wrk/
|
|
|
|
- /zap/zap-baseline.py -J gl-dast-report.json -t $website
|
|
|
|
--auth-url $login_url
|
2018-12-13 13:39:08 +05:30
|
|
|
--auth-username $username
|
|
|
|
--auth-password $password || true
|
2018-05-09 12:01:36 +05:30
|
|
|
- cp /zap/wrk/gl-dast-report.json .
|
|
|
|
artifacts:
|
2018-12-13 13:39:08 +05:30
|
|
|
reports:
|
|
|
|
dast: gl-dast-report.json
|
2018-05-09 12:01:36 +05:30
|
|
|
```
|
|
|
|
See [zaproxy documentation](https://gitlab.com/gitlab-org/security-products/zaproxy)
|
|
|
|
to learn more about authentication settings.
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
TIP: **Tip:**
|
2018-12-13 13:39:08 +05:30
|
|
|
For [GitLab Ultimate][ee] users, this information will
|
|
|
|
be automatically extracted and shown right in the merge request widget.
|
|
|
|
[Learn more on DAST in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).
|
|
|
|
|
|
|
|
## Previous job definitions
|
|
|
|
|
|
|
|
CAUTION: **Caution:**
|
|
|
|
Before GitLab 11.5, DAST job and artifact had to be named specifically
|
|
|
|
to automatically extract report data and show it in the merge request widget.
|
|
|
|
While these old job definitions are still maintained they have been deprecated
|
|
|
|
and may be removed in next major release, GitLab 12.0.
|
|
|
|
You are advised to update your current `.gitlab-ci.yml` configuration to reflect that change.
|
|
|
|
|
|
|
|
For GitLab 11.4 and earlier, the job should look like:
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
dast:
|
|
|
|
image: registry.gitlab.com/gitlab-org/security-products/zaproxy
|
|
|
|
variables:
|
|
|
|
website: "https://example.com"
|
|
|
|
allow_failure: true
|
|
|
|
script:
|
|
|
|
- mkdir /zap/wrk/
|
|
|
|
- /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
|
|
|
|
- cp /zap/wrk/gl-dast-report.json .
|
|
|
|
artifacts:
|
|
|
|
paths: [gl-dast-report.json]
|
|
|
|
```
|
2018-03-17 18:26:18 +05:30
|
|
|
|
2018-11-08 19:23:39 +05:30
|
|
|
[ee]: https://about.gitlab.com/pricing/
|