diff options
| author | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-01-25 09:47:36 +0000 |
|---|---|---|
| committer | Tiago Botelho <tiagonbotelho@hotmail.com> | 2018-01-25 10:00:17 +0000 |
| commit | 4903ff93971d28723ed9d81f7dae2ad2a1d5586a (patch) | |
| tree | 8f6f5cbc302f0820c1ffd0c85528388fd33bb8d7 /doc/ci/examples/dast.md | |
| parent | 3805cd7ac5e1c9b286bfba667ef45972eab4d084 (diff) | |
| parent | 944c1eb684fe979339262ba6e9f7bf9e1b77fc81 (diff) | |
| download | gitlab-ce-13931-custom-emoji-implementation.tar.gz | |
Merge branch 'master' into 13931-custom-emoji-implementation13931-custom-emoji-implementation
Conflicts:
app/assets/javascripts/dispatcher.js
app/assets/javascripts/pages/projects/shared/project_avatar.js
Diffstat (limited to 'doc/ci/examples/dast.md')
| -rw-r--r-- | doc/ci/examples/dast.md | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/doc/ci/examples/dast.md b/doc/ci/examples/dast.md new file mode 100644 index 00000000000..7bf647bbb8b --- /dev/null +++ b/doc/ci/examples/dast.md @@ -0,0 +1,40 @@ +# Dynamic Application Security Testing with GitLab CI/CD + +[Dynamic Application Security Testing (DAST)](https://en.wikipedia.org/wiki/Dynamic_program_analysis) +is using the popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy) +to perform an analysis on your running web application. + +It can be very useful combined with [Review Apps](../review_apps/index.md). + +## Example + +All you need is a GitLab Runner with the Docker executor (the shared Runners on +GitLab.com will work fine). You can then add a new job to `.gitlab-ci.yml`, +called `dast`: + +```yaml +dast: + image: owasp/zap2docker-stable + variables: + website: "https://example.com" + script: + - mkdir /zap/wrk/ + - /zap/zap-baseline.py -J gl-dast-report.json -t $website || true + - cp /zap/wrk/gl-dast-report.json . + artifacts: + paths: [gl-dast-report.json] +``` + +The above example will create a `dast` job in your CI/CD pipeline which will run +the tests on the URL defined in the `website` variable (change it to use your +own) and finally write the results in the `gl-dast-report.json` file. You can +then download and analyze the report artifact in JSON format. + +TIP: **Tip:** +Starting with [GitLab Enterprise Edition Ultimate][ee] 10.4, this information will +be automatically extracted and shown right in the merge request widget. To do +so, the CI job must be named `dast` and the artifact path must be +`gl-dast-report.json`. +[Learn more about DAST results shown in merge requests](https://docs.gitlab.com/ee/user/project/merge_requests/dast.html). + +[ee]: https://about.gitlab.com/gitlab-ee/ |