3.7 KiB
Dynamic Application Security Testing with GitLab CI/CD
CAUTION: Caution: The job definition shown below is supported on GitLab 11.5 and later versions. It also requires the GitLab Runner 11.5 or later. For earlier versions, use the previous job definitions.
Dynamic Application Security Testing (DAST) is using the popular open source tool OWASP ZAProxy to perform an analysis on your running web application. Since it is based on ZAP Baseline DAST will perform passive scanning only; it will not actively attack your application.
It can be very useful combined with Review Apps.
Example
First, you need GitLab Runner with docker-in-docker executor.
Once you set up the Runner, add a new job to .gitlab-ci.yml
that
generates the expected report:
dast:
image: registry.gitlab.com/gitlab-org/security-products/zaproxy
variables:
website: "https://example.com"
allow_failure: true
script:
- mkdir /zap/wrk/
- /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
- cp /zap/wrk/gl-dast-report.json .
artifacts:
reports:
dast: gl-dast-report.json
The above example will create a dast
job in your CI/CD pipeline which will run
the tests on the URL defined in the website
variable (change it to use your
own) and scan it for possible vulnerabilities. The report will be saved as a
DAST report artifact
that you can later download and analyze.
Due to implementation limitations we always take the latest DAST artifact available.
It's also possible to authenticate the user before performing DAST checks:
dast:
image: registry.gitlab.com/gitlab-org/security-products/zaproxy
variables:
website: "https://example.com"
login_url: "https://example.com/sign-in"
username: "john.doe@example.com"
password: "john-doe-password"
allow_failure: true
script:
- mkdir /zap/wrk/
- /zap/zap-baseline.py -J gl-dast-report.json -t $website
--auth-url $login_url
--auth-username $username
--auth-password $password || true
- cp /zap/wrk/gl-dast-report.json .
artifacts:
reports:
dast: gl-dast-report.json
See zaproxy documentation to learn more about authentication settings.
TIP: Tip: For GitLab Ultimate users, this information will be automatically extracted and shown right in the merge request widget. Learn more on DAST in merge requests.
Previous job definitions
CAUTION: Caution:
Before GitLab 11.5, DAST job and artifact had to be named specifically
to automatically extract report data and show it in the merge request widget.
While these old job definitions are still maintained they have been deprecated
and may be removed in next major release, GitLab 12.0.
You are advised to update your current .gitlab-ci.yml
configuration to reflect that change.
For GitLab 11.4 and earlier, the job should look like:
dast:
image: registry.gitlab.com/gitlab-org/security-products/zaproxy
variables:
website: "https://example.com"
allow_failure: true
script:
- mkdir /zap/wrk/
- /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
- cp /zap/wrk/gl-dast-report.json .
artifacts:
paths: [gl-dast-report.json]