debian-mirror-gitlab/doc/ci/examples/dast.md

# Dynamic Application Security Testing with GitLab CI/CD

[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)
is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
to perform an analysis on your running web application.

It can be very useful combined with [Review Apps](../review_apps/index.md).

## Example

All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
called `dast`:

```yaml
dast:
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://example.com"
  allow_failure: true
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]
```

The above example will create a `dast` job in your CI/CD pipeline which will run
the tests on the URL defined in the `website` variable (change it to use your
own) and finally write the results in the `gl-dast-report.json` file. You can
then download and analyze the report artifact in JSON format.

It's also possible to authenticate the user before performing DAST checks:

```yaml
dast:
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://example.com"
    login_url: "https://example.com/sign-in"
  allow_failure: true
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website
        --auth-url $login_url
        --auth-username "john.doe@example.com"
        --auth-password "john-doe-password" || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]
```
See [zaproxy documentation](https://gitlab.com/gitlab-org/security-products/zaproxy)
to learn more about authentication settings.

TIP: **Tip:**
Starting with [GitLab Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named `dast` and the artifact path must be
`gl-dast-report.json`.
[Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).

[ee]: https://about.gitlab.com/products/
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`# Dynamic Application Security Testing with GitLab CI/CD`

			`[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)`
			`is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)`
			`to perform an analysis on your running web application.`

			`It can be very useful combined with [Review Apps](../review_apps/index.md).`

			`## Example`

			`All you need is a GitLab Runner with the Docker executor (the shared Runners on`
			GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
			called `dast`:

			```yaml
			`dast:`
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`image: registry.gitlab.com/gitlab-org/security-products/zaproxy`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`variables:`
			`website: "https://example.com"`
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`allow_failure: true`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`script:`
			`- mkdir /zap/wrk/`
			`- /zap/zap-baseline.py -J gl-dast-report.json -t $website \|\| true`
			`- cp /zap/wrk/gl-dast-report.json .`
			`artifacts:`
			`paths: [gl-dast-report.json]`
			```

			The above example will create a `dast` job in your CI/CD pipeline which will run
			the tests on the URL defined in the `website` variable (change it to use your
			own) and finally write the results in the `gl-dast-report.json` file. You can
			`then download and analyze the report artifact in JSON format.`

New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`It's also possible to authenticate the user before performing DAST checks:`

			```yaml
			`dast:`
			`image: registry.gitlab.com/gitlab-org/security-products/zaproxy`
			`variables:`
			`website: "https://example.com"`
			`login_url: "https://example.com/sign-in"`
			`allow_failure: true`
			`script:`
			`- mkdir /zap/wrk/`
			`- /zap/zap-baseline.py -J gl-dast-report.json -t $website`
			`--auth-url $login_url`
			`--auth-username "john.doe@example.com"`
			`--auth-password "john-doe-password" \|\| true`
			`- cp /zap/wrk/gl-dast-report.json .`
			`artifacts:`
			`paths: [gl-dast-report.json]`
			```
			`See [zaproxy documentation](https://gitlab.com/gitlab-org/security-products/zaproxy)`
			`to learn more about authentication settings.`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`TIP: Tip:`
			`Starting with [GitLab Ultimate][ee] 10.4, this information will`
			`be automatically extracted and shown right in the merge request widget. To do`
			so, the CI job must be named `dast` and the artifact path must be
			`gl-dast-report.json`.
			`[Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).`

			`[ee]: https://about.gitlab.com/products/`