| author | Luke Bennett <lukeeeebennettplus@gmail.com> | 2018-04-05 18:45:35 +0100 |
|---|---|---|
| committer | Luke Bennett <lukeeeebennettplus@gmail.com> | 2018-04-05 18:45:35 +0100 |
| commit | 8131a02fef9241f396c827cb7613ddd307f0a551 (patch) | |
| tree | eca9cac2c0ba6e228b42bab90d8fd0cf0a9b191e /doc/ci/examples/dast.md | |
| parent | ee1954efc19470c477ddbdf965731dc25598e6b0 (diff) | |
| parent | f103475766fecc6e6fdf996e9cfaaa41e795962f (diff) | |
| download | gitlab-ce-8131a02fef9241f396c827cb7613ddd307f0a551.tar.gz | |
Merge remote-tracking branch 'origin/master' into deprecation-warning-for-dynamic-milestones
Diffstat (limited to 'doc/ci/examples/dast.md')
-rw-r--r-- | doc/ci/examples/dast.md | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/doc/ci/examples/dast.md b/doc/ci/examples/dast.md index 96de0f5ff5c..8df223ee560 100644 --- a/doc/ci/examples/dast.md +++ b/doc/ci/examples/dast.md @@ -14,9 +14,10 @@ called `dast`: ```yaml dast: - image: owasp/zap2docker-stable + image: registry.gitlab.com/gitlab-org/security-products/zaproxy variables: website: "https://example.com" + allow_failure: true script: - mkdir /zap/wrk/ - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true @@ -30,6 +31,28 @@ the tests on the URL defined in the `website` variable (change it to use your own) and finally write the results in the `gl-dast-report.json` file. You can then download and analyze the report artifact in JSON format. +It's also possible to authenticate the user before performing DAST checks: + +```yaml +dast: + image: registry.gitlab.com/gitlab-org/security-products/zaproxy + variables: + website: "https://example.com" + login_url: "https://example.com/sign-in" + allow_failure: true + script: + - mkdir /zap/wrk/ + - /zap/zap-baseline.py -J gl-dast-report.json -t $website \ + --auth-url $login_url \ + --auth-username "john.doe@example.com" \ + --auth-password "john-doe-password" || true + - cp /zap/wrk/gl-dast-report.json . + artifacts: + paths: [gl-dast-report.json] +``` +See [zaproxy documentation](https://gitlab.com/gitlab-org/security-products/zaproxy) +to learn more about authentication settings. + TIP: **Tip:** Starting with [GitLab Ultimate][ee] 10.4, this information will be automatically extracted and shown right in the merge request widget. To do |
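Review bot: in the first hunk, `image: registry.gitlab.com/gitlab-org/security-products/zaproxy` is referenced without a tag or digest, so each pipeline pulls whatever the registry currently serves as the default tag and scan results are not reproducible between runs; pin a tag (or an `@sha256:` digest) in the example and say how to bump it. Also, the new `allow_failure: true` sits on top of the existing `|| true` after `/zap/zap-baseline.py`, so the `dast` job can never block a pipeline, and a scan that crashed or an image that failed to pull looks the same as a clean run until someone opens `gl-dast-report.json`; the surrounding prose should state plainly that the job is informational only and why.

Review bot: in the second hunk, the authentication example hard-codes a username and password (`--auth-username "john.doe@example.com"`, `--auth-password "john-doe-password"`) in `.gitlab-ci.yml`; readers copy examples verbatim, and anything in that file lands in the repository history. Reference CI/CD variables defined in the project settings instead, e.g. `--auth-username "$DAST_USERNAME"` and `--auth-password "$DAST_PASSWORD"`, with a sentence pointing to where those are configured, and give `login_url` the same "change it to use your own" note the existing `website` variable has. Minor: the backslash continuations only work because YAML folds the more-indented continuation lines of the plain scalar into one line (the `\` survives as an escaped space in the shell), which is easy to break when editing; a `|` block scalar for that script entry would be clearer.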