summaryrefslogtreecommitdiff
path: root/doc/user/application_security/dast/index.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/application_security/dast/index.md')
-rw-r--r--doc/user/application_security/dast/index.md11
1 files changed, 8 insertions, 3 deletions
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index a3cf1288128..2202d7567cd 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -145,7 +145,14 @@ the site during a scan could lead to inaccurate results.
### Authentication
-It's also possible to authenticate the user before performing the DAST checks:
+It's also possible to authenticate the user before performing the DAST checks.
+
+Create masked variables to pass the credentials that DAST will use.
+To create masked variables for the username and password, see [Create a custom variable in the UI](../../../ci/variables/README.md#create-a-custom-variable-in-the-ui).
+Note that the key of the username variable must be `DAST_USERNAME`
+and the key of the password variable must be `DAST_PASSWORD`.
+
+Other variables that are related to authenticated scans are:
```yaml
include:
@@ -154,8 +161,6 @@ include:
variables:
DAST_WEBSITE: https://example.com
DAST_AUTH_URL: https://example.com/sign-in
- DAST_USERNAME: john.doe@example.com
- DAST_PASSWORD: john-doe-password
DAST_USERNAME_FIELD: session[user] # the name of username field at the sign-in HTML form
DAST_PASSWORD_FIELD: session[password] # the name of password field at the sign-in HTML form
DAST_AUTH_EXCLUDE_URLS: http://example.com/sign-out,http://example.com/sign-out-2 # optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
View Lorry Controller Status