# Dynamic Application Security Testing with GitLab CI/CD

[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis)
uses the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
to perform an analysis on your running web application.

It can be very useful combined with [Review Apps](../review_apps/index.md).

## Example

All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`,
called `dast`:

```yaml
dast:
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://example.com"
  allow_failure: true
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]
```

The above example will create a `dast` job in your CI/CD pipeline which will run
the tests on the URL defined in the `website` variable (change it to use your
own) and finally write the results in the `gl-dast-report.json` file. You can
then download and analyze the report artifact in JSON format.
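
One way to analyze the downloaded report, added here as an example and not part of the GitLab documentation: it flattens the alerts of every scanned site and returns a non-zero exit code when any alert reaches a chosen risk level. The field names (`site`, `@name`, `alerts`, `name`/`alert`, `riskcode`, `instances`, `uri`) are assumed from ZAP's JSON report layout, and the sample report is constructed.

```python
import json
import sys

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the assumed shape of a ZAP JSON report (not real scan output).
SAMPLE = """
{"site": [{"@name": "https://example.com", "alerts": [
  {"name": "Cookie No HttpOnly Flag", "riskcode": "1",
   "instances": [{"uri": "https://example.com/sign-in"}]},
  {"name": "X-Frame-Options Header Not Set", "riskcode": "2",
   "instances": [{"uri": "https://example.com/sign-in"}, {"uri": "https://example.com/"}]}
]}]}
"""


def load_alerts(report):
    """Flatten alerts from all sites, highest risk first.

    'site' is accepted as a single object or as a list of objects.
    """
    sites = report.get("site", [])
    if isinstance(sites, dict):
        sites = [sites]
    alerts = []
    for site in sites:
        for a in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "name": a.get("name") or a.get("alert", "unknown"),
                "risk": int(a.get("riskcode", 0)),
                "uris": sorted({i["uri"] for i in a.get("instances", []) if "uri" in i}),
            })
    return sorted(alerts, key=lambda a: -a["risk"])


def gate(alerts, fail_at=3):
    """Return 1 when any alert has risk >= fail_at (default: High), else 0."""
    return 1 if any(a["risk"] >= fail_at for a in alerts) else 0


def main(path=None, fail_at=3):
    if path:
        with open(path) as fh:
            report = json.load(fh)
    else:
        report = json.loads(SAMPLE)  # fall back to the constructed sample
    alerts = load_alerts(report)
    for a in alerts:
        print(f"[{RISK.get(a['risk'], '?')}] {a['name']} ({len(a['uris'])} URLs) on {a['site']}")
    return gate(alerts, fail_at)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python check_dast.py gl-dast-report.json` (the script name is hypothetical); without an argument it processes the constructed sample.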

It's also possible to authenticate the user before performing DAST checks:

```yaml
dast:
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  variables:
    website: "https://example.com"
    login_url: "https://example.com/sign-in"
  allow_failure: true
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website
        --auth-url $login_url
        --auth-username "john.doe@example.com"
        --auth-password "john-doe-password" || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]
```

See [zaproxy documentation](https://gitlab.com/gitlab-org/security-products/zaproxy)
to learn more about authentication settings.

The username and password are written inline above only for illustration; in a
real project, keep them in CI/CD variables rather than committing them to
`.gitlab-ci.yml`.

TIP: **Tip:**
Starting with [GitLab Ultimate][ee] 10.4, this information will
be automatically extracted and shown right in the merge request widget. For this
to work, the CI job must be named `dast` and the artifact path must be
`gl-dast-report.json`.
[Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html).

[ee]: https://about.gitlab.com/products/