Commit 8c177986 authored by Victor Zagorodny, committed by Achilleas Pipinellis

Add ZAP Full Scan support to DAST vendored template

parent bf01f931
......@@ -32,9 +32,11 @@ see the details and the URL(s) affected.
[Dynamic Application Security Testing (DAST)](
is using the popular open source tool [OWASP ZAProxy](
to perform an analysis on your running web application.
Since it is based on [ZAP Baseline](,
DAST will perform passive scanning only; it will not actively attack your application.
By default, DAST executes [ZAP Baseline Scan]( and will perform passive scanning only. It will not actively attack your application.
However, DAST can be [configured](#full-scan)
to also perform a so-called "active scan". That is, attack your application and produce a more extensive security report.
It can be very useful combined with [Review Apps](../../../ci/review_apps/
## Use cases
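Review bot: the last sentence of the second added line ("That is, attack your application and produce a more extensive security report.") is a fragment; fold it into the preceding sentence, e.g. `to also perform a so-called "active scan", in which it sends attack requests to your application and produces a more extensive security report.` Because an active scan is intrusive by design, this paragraph is also the right place to state that full scans should only be run against disposable test or review environments, never production; the existing pointer to Review Apps in the following added line is a natural hook for that.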
......@@ -98,6 +100,8 @@ There are two ways to define the URL to be scanned by DAST:
- Set the `DAST_WEBSITE` [variable](../../../ci/yaml/
- Add it in an `environment_url.txt` file at the root of your project.
#### Authenticated scan
It's also possible to authenticate the user before performing the DAST checks:
......@@ -111,6 +115,7 @@ variables:
DAST_PASSWORD: john-doe-password
DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
DAST_AUTH_EXCLUDE_URLS:, # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
The report will be saved as a
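Review bot: the added `DAST_AUTH_EXCLUDE_URLS` example shows no concrete value and its comment only says "URLs to skip"; document the typical use, which is excluding the sign-out/logout URL so the authenticated crawl does not terminate its own session, and let the example show it (e.g. `DAST_AUTH_EXCLUDE_URLS: https://example.com/sign-out`, illustrative). The "no spaces in between" remark deserves more than a trailing comment: the template expands this variable unquoted on the `docker run` line, so a space would split the list into separate arguments.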
......@@ -118,6 +123,19 @@ The report will be saved as a
that you can later download and analyze.
Due to implementation limitations, we always take the latest DAST artifact available.
#### Full scan
DAST can be configured to perform [ZAP Full Scan](, which
includes both passive and active scanning against the same target website:
template: DAST.gitlab-ci.yml
#### Customizing the DAST settings
The SAST settings can be changed through environment variables by using the
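Review bot: the YAML snippet in the new "Full scan" section, as shown, ends at `template: DAST.gitlab-ci.yml` without showing which variable switches the template from the baseline scan to the full scan; the section should name that variable and its expected value, and state that a full scan takes considerably longer and sends attack traffic to the target, so it belongs on a test or review environment. Nit on the trailing context: the next section reads "The SAST settings can be changed" on the DAST page, which looks like a copy-paste slip worth fixing while here.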
title: Added ZAP Full Scan support for DAST
merge_request: 11269
type: added
......@@ -30,6 +30,7 @@ dast:
- |
function dast_run() {
docker run \
--volume "$PWD:/output" \
--volume /var/run/docker.sock:/var/run/docker.sock \
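Review bot: wrapping the `docker run` call in `function dast_run() {` only has an effect once the function is invoked, and the scan's exit status must still reach the job; make sure the call site does not swallow a non-zero return (for example by using the call as a condition or following it with `|| true`), otherwise a failed or aborted scan would leave the job green with no report. While here, the unchanged `--volume /var/run/docker.sock:/var/run/docker.sock` line hands the scanner container control of the runner's Docker daemon, which merits a comment in the template explaining why it is required.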
......@@ -46,7 +47,8 @@ dast:
--auth-username $DAST_USERNAME \
--auth-password $DAST_PASSWORD \
--auth-username-field $DAST_USERNAME_FIELD \
--auth-password-field $DAST_PASSWORD_FIELD
--auth-password-field $DAST_PASSWORD_FIELD \
--auth-exclude-urls $DAST_AUTH_EXCLUDE_URLS
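Review bot: `--auth-exclude-urls $DAST_AUTH_EXCLUDE_URLS` is appended unconditionally, but the docs describe the variable as optional; when it is unset the flag is passed with no argument, so the wrapper will either error out or treat whatever follows as the URL list. Pass it only when set, and quoted, e.g. `${DAST_AUTH_EXCLUDE_URLS:+--auth-exclude-urls "$DAST_AUTH_EXCLUDE_URLS"}`. The same unquoted expansion applies to the existing `--auth-username`/`--auth-password` arguments above; quoting them would also stop a password containing spaces or shell metacharacters from being split or interpreted.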