Dynamic Application Security Testing with GitLab CI/CD
Dynamic Application Security Testing (DAST) can be very useful combined with Review Apps.
All you need is a GitLab Runner with the Docker executor (the shared Runners on
GitLab.com will work fine). You can then add a new job to your `.gitlab-ci.yml`:

```yaml
dast:
  image: owasp/zap2docker-stable
  variables:
    website: "https://example.com"
  script:
    - mkdir /zap/wrk/
    - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    paths: [gl-dast-report.json]
```
The above example will create a `dast` job in your CI/CD pipeline which will run
the tests on the URL defined in the `website` variable (change it to use your
own) and finally write the results in the `gl-dast-report.json` file. You can
then download and analyze the report artifact in JSON format.
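Because the `|| true` in the job above keeps the `dast` job green even when ZAP reports alerts, a team that wants the pipeline to gate on findings needs to read the report itself. The following is an added example, not code from GitLab or from the ZAP project: it assumes the `site`/`alerts`/`riskcode` layout of the ZAP baseline JSON report (risk codes 0 to 3, Informational to High) and works on a constructed sample in that shape; in a real pipeline you would run it in a later stage against the downloaded `gl-dast-report.json` artifact.

```python
import json
import sys
from collections import Counter

# ZAP risk codes as they appear in the JSON report (assumed ZAP baseline layout).
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample in the shape of a ZAP baseline JSON report; not a real scan.
SAMPLE_REPORT = {
    "@version": "2.7.0",
    "site": [{
        "@name": "https://example.com",
        "alerts": [
            {"alert": "X-Frame-Options Header Not Set", "riskcode": "2",
             "confidence": "2", "instances": [{"uri": "https://example.com/"}]},
            {"alert": "Missing Anti-CSRF Tokens", "riskcode": "1",
             "confidence": "2", "instances": [{"uri": "https://example.com/login"}]},
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "confidence": "2", "instances": [{"uri": "https://example.com/search"}]},
        ],
    }],
}

def summarize(report):
    """Count alerts per numeric risk code across every scanned site."""
    counts = Counter()
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            counts[int(alert["riskcode"])] += 1
    return counts

def failing_alerts(report, threshold=3):
    """Sorted names of alerts whose risk code meets or exceeds the threshold."""
    return sorted(
        alert["alert"]
        for site in report.get("site", [])
        for alert in site.get("alerts", [])
        if int(alert["riskcode"]) >= threshold
    )

def main(path, threshold=3):
    """Print a per-risk summary and return a non-zero exit code on blocking alerts."""
    with open(path) as fh:
        report = json.load(fh)
    counts = summarize(report)
    for code in sorted(counts, reverse=True):
        print(f"{RISK_NAMES.get(code, code)}: {counts[code]}")
    blocking = failing_alerts(report, threshold)
    for name in blocking:
        print(f"FAIL: {name}")
    return 1 if blocking else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "gl-dast-report.json"))
```

Lower the threshold to 2 to also block on Medium-risk alerts; the exit status is what makes a later CI job fail.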
Starting with GitLab Enterprise Edition Ultimate 10.4, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named `dast` and the artifact path must be
`gl-dast-report.json`.

Learn more about DAST results shown in merge requests.