DEV Community

Smooth Code

Automate Dynamic Application Security Testing (DAST) with CI/CD

Dynamic Application Security Testing (DAST) is a security testing technique that focuses on identifying vulnerabilities in running web applications. It simulates real-world attacks by sending requests to the application and analyzing the responses. DAST tools, like OWASP ZAP (Zed Attack Proxy), help organizations uncover vulnerabilities such as cross-site scripting (XSS), SQL injection, and security misconfigurations.

DAST can be automated well with GitLab CI/CD. In this example I launch a DAST scan against a billing test website, testphp.vulnweb.com.

GitLab CI/CD

Add the following job to .gitlab-ci.yml:

```yaml
stages:
  - security

run-dast-job:
  stage: security
  # Debian-based JDK image: ZAP needs Java, apt-get installs the rest
  image: maven:3.8.5-openjdk-17-slim
  script:
    - apt-get update
    - apt-get -y install wget unzip wkhtmltopdf
    # fetch and unpack the ZAP release
    - wget https://github.com/zaproxy/zaproxy/releases/download/v2.16.1/ZAP_2.16.1_Linux.tar.gz
    - mkdir zap
    - tar -xvf ZAP_2.16.1_Linux.tar.gz -C zap
    - cd zap/ZAP_2.16.1
    # headless quick scan (spider, then active scan); the HTML report lands in zap/
    - ./zap.sh -cmd -quickurl http://testphp.vulnweb.com/ -quickout ../zap_report.html
    - cd ..
    - wkhtmltopdf zap_report.html zap_report.pdf
  artifacts:
    when: always          # keep the report even if the job fails
    paths:
      - zap/zap_report.pdf
    expire_in: 1 week
  allow_failure: true     # findings never block the pipeline
```

GitHub Actions

```yaml
name: DAST (ZAP) scan

on:
  push:
    branches: [ main ]
  workflow_dispatch:

jobs:
  dast:
    name: Run DAST (ZAP)
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Setup Java 17 (for ZAP)
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get -y install wget unzip wkhtmltopdf

      - name: Download and extract ZAP
        run: |
          wget https://github.com/zaproxy/zaproxy/releases/download/v2.16.1/ZAP_2.16.1_Linux.tar.gz
          mkdir -p zap
          tar -xvf ZAP_2.16.1_Linux.tar.gz -C zap

      - name: Run ZAP quick scan + convert to PDF
        id: run-zap
        continue-on-error: true                     # allow failure (similar to allow_failure: true)
        run: |
          set -e                                    # abort on any command not explicitly tolerated with "|| true"
          cd zap/ZAP_2.16.1
          chmod +x zap.sh
          # run the quick scan (replace URL with your target)
          ./zap.sh -cmd -quickurl http://testphp.vulnweb.com/ -quickout ../zap_report.html || true
          cd ..
          # convert html to pdf (may require additional libs on some runners)
          wkhtmltopdf zap_report.html zap_report.pdf || true

      - name: Upload ZAP PDF artifact
        if: always()                                # ensure artifact is uploaded even if previous step failed
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: zap/zap_report.pdf
          retention-days: 7                         # equivalent to expire_in: 1 week
```


The pipeline should succeed, and you can download the artifact containing the DAST PDF report by clicking on the successful stage.
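Both jobs above allow failure and only archive an HTML/PDF report, so no finding ever blocks a merge. The script below is an added example, not code from the post: it reads the JSON report ZAP writes when `-quickout` is given a `.json` filename and exits non-zero when alerts at or above a chosen risk level are present. The report layout is assumed from ZAP's traditional JSON report, and the embedded sample report is constructed, not a real scan.

```python
"""Gate a CI job on a ZAP JSON report (added example, not from the post).
Assumes ZAP's traditional JSON report layout (`-quickout zap_report.json`):
a "site" list whose entries carry "alerts", each with a "riskcode" string
0 (Informational) .. 3 (High)."""
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_CODES = {name: code for code, name in RISK_NAMES.items()}

# Constructed sample in the shape ZAP emits; not a real scan result.
SAMPLE_REPORT = {"@programName": "ZAP", "@version": "2.16.1", "site": [{
    "@name": "http://target.example", "alerts": [
        {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
         "instances": [{"uri": "http://target.example/item?id=1", "method": "GET"}]},
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "instances": [{"uri": "http://target.example/", "method": "GET"}]},
    ]}]}

def iter_alerts(report):
    """Yield every alert from every site in the report."""
    for site in report.get("site", []):
        yield from site.get("alerts", [])

def summarize(report):
    """Count alerts per risk level, e.g. {"High": 1, "Medium": 1, ...}."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for alert in iter_alerts(report):
        counts[RISK_NAMES[int(alert["riskcode"])]] += 1
    return counts

def failing_alerts(report, threshold="High"):
    """Return (plugin id, name) of every alert at or above the threshold risk."""
    minimum = RISK_CODES[threshold]
    return [(a["pluginid"], a["alert"]) for a in iter_alerts(report)
            if int(a["riskcode"]) >= minimum]

def main(argv):
    """Usage: zap_gate.py zap_report.json [High|Medium|Low]; exit 1 on findings."""
    threshold = argv[2] if len(argv) > 2 else "High"
    with open(argv[1], encoding="utf-8") as fh:
        report = json.load(fh)
    print("summary:", summarize(report))
    bad = failing_alerts(report, threshold)
    for plugin_id, name in bad:
        print(f"FAIL {plugin_id}: {name}")
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as an extra step after the scan (for example `python3 zap_gate.py zap/zap_report.json Medium`) and drop `allow_failure` / `continue-on-error` if you want the pipeline to block on findings.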


DAST provides an effective way to identify vulnerabilities in running applications by simulating real attack scenarios. By integrating OWASP ZAP with CI/CD pipelines—whether using GitLab or GitHub Actions—security testing becomes automated and continuous. This ensures that every new change is checked for potential security risks early in the development cycle. The result is a more secure application and faster vulnerability detection, with scan reports easily accessible as pipeline artifacts.
