author    Marcia Ramos <virtua.creative@gmail.com>  2018-01-22 11:49:56 +0000
committer Marcia Ramos <virtua.creative@gmail.com>  2018-01-22 11:49:56 +0000
commit    6d9da7382d96b1d6f8c23e4d81fadd51e1453821 (patch)
tree      2cc88d2c64101f8c5dd6b6725fb6f821dda3a847
parent    fa037e7c5f7df9bdda16763ce14539d631d3ed73 (diff)
parent    d73e97bff0f13662b3d2f243019f9d77c2021214 (diff)
download  gitlab-ce-6d9da7382d96b1d6f8c23e4d81fadd51e1453821.tar.gz
Merge branch 'docs/dast-cleanup' into 'master'

Add more info on how DAST works

See merge request gitlab-org/gitlab-ce!16615
-rw-r--r--  doc/ci/examples/dast.md  21
1 files changed, 13 insertions, 8 deletions
diff --git a/doc/ci/examples/dast.md b/doc/ci/examples/dast.md
index 16ff8d5bb3e..7bf647bbb8b 100644
--- a/doc/ci/examples/dast.md
+++ b/doc/ci/examples/dast.md
@@ -1,11 +1,12 @@
# Dynamic Application Security Testing with GitLab CI/CD
-This example shows how to run
[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)
-on your project's source code by using GitLab CI/CD.
+is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
+to perform an analysis on your running web application.
-DAST is using the popular open source tool
-[OWASP ZAProxy](https://github.com/zaproxy/zaproxy) to perform an analysis.
+It can be very useful combined with [Review Apps](../review_apps/index.md).
+
+## Example
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
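Review bot: the rewritten opening sentence (the `+is using the popular open source tool` line) now reads "Dynamic Application Security Testing (DAST) is using ... to perform an analysis", which should be "DAST uses ...". Since the link target is Wikipedia's general "Dynamic program analysis" article rather than a DAST-specific page, it would also help to state the distinction the deleted `-on your project's source code` line got wrong: DAST exercises the deployed, running application from the outside and never looks at the source. Suggested wording: `Dynamic Application Security Testing (DAST) uses the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy) to analyze your running web application from the outside, without access to its source code.`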
@@ -14,22 +15,26 @@ called `dast`:
```yaml
dast:
image: owasp/zap2docker-stable
+ variables:
+ website: "https://example.com"
script:
- mkdir /zap/wrk/
- - /zap/zap-baseline.py -J gl-dast-report.json -t https://example.com || true
+ - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
- cp /zap/wrk/gl-dast-report.json .
artifacts:
paths: [gl-dast-report.json]
```
-The above example will create a `dast` job in your CI pipeline and will allow
-you to download and analyze the report artifact in JSON format.
+The above example will create a `dast` job in your CI/CD pipeline which will run
+the tests on the URL defined in the `website` variable (change it to use your
+own) and finally write the results in the `gl-dast-report.json` file. You can
+then download and analyze the report artifact in JSON format.
TIP: **Tip:**
Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named `dast` and the artifact path must be
`gl-dast-report.json`.
-[Learn more on dynamic application security testing results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).
+[Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).
[ee]: https://about.gitlab.com/gitlab-ee/
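Review bot: the new explanatory paragraph (`+the tests on the URL defined in the \`website\` variable ...`) should say what the `|| true` on the `/zap/zap-baseline.py` line is for: the baseline script exits non-zero when it reports warnings or failures, so without it the job would go red on every finding; the same `|| true` also hides a scan that never ran (mistyped URL, unreachable target, ZAP crashing on startup), leaving only the following `cp` of a missing `gl-dast-report.json` to fail the job. One sentence explaining this would stop readers from either dropping the `|| true` or treating a green `dast` job as "no findings". Two smaller points on the same hunk: since the page now recommends combining this with Review Apps, the hardcoded `website: "https://example.com"` could instead point at the predefined `$CI_ENVIRONMENT_URL` when the job declares an `environment`, so the scan targets the app deployed for the merge request rather than a fixed host; and `zap-baseline.py` only spiders the target and runs ZAP's passive scan rules, so "run the tests" slightly overstates what happens and readers should expect no active attack payloads in the resulting report. Whatever URL ends up in `website`, the text should also remind readers to point it only at applications they are authorized to scan.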