This GitLab instance reached the end of its service life. It won't be possible to create new users or projects.

Please read the deprecation notice for more information concerning the deprecation timeline

Visit (internal network only) to import your old projects to the new GitLab platform 📥

Dynamic Application Security Testing with GitLab CI/CD

Dynamic Application Security Testing (DAST) is using the popular open source tool OWASP ZAProxy to perform an analysis on your running web application.

It can be very useful combined with Review Apps.


All you need is a GitLab Runner with the Docker executor (the shared Runners on will work fine). You can then add a new job to .gitlab-ci.yml, called dast:

  image: owasp/zap2docker-stable
    website: ""
    - mkdir /zap/wrk/
    - /zap/ -J gl-dast-report.json -t $website || true
    - cp /zap/wrk/gl-dast-report.json .
    paths: [gl-dast-report.json]

The above example will create a dast job in your CI/CD pipeline which will run the tests on the URL defined in the website variable (change it to use your own) and finally write the results in the gl-dast-report.json file. You can then download and analyze the report artifact in JSON format.

TIP: Tip: Starting with GitLab Enterprise Edition Ultimate 10.4, this information will be automatically extracted and shown right in the merge request widget. To do so, the CI job must be named dast and the artifact path must be gl-dast-report.json. Learn more about DAST results shown in merge requests.