Dynamic Application Security Testing (DAST) Troubleshooting

The following troubleshooting scenarios have been collected from customer support cases. If you experience a problem not addressed here, or the information here does not fix your problem, create a support ticket. For more details, see the GitLab Support page.

Running out of memory

By default, ZAProxy, which DAST relies on, is allocated memory that sums to 25% of the total memory on the host. Since it keeps most of its information in memory during a scan, it’s possible for DAST to run out of memory while scanning large applications. This results in the following error:

[zap.out] java.lang.OutOfMemoryError: Java heap space

Fortunately, it’s straightforward to increase the amount of memory available for DAST by using the DAST_ZAP_CLI_OPTIONS CI/CD variable:

  - template: DAST.gitlab-ci.yml


This example allocates 3072 MB to DAST. Change the number after -Xmx to the required memory amount.

DAST job exceeding the job timeout

If your DAST job exceeds the job timeout and you need to reduce the scan duration, we shared some tips for optimizing DAST scans in a blog post.

Getting warning message gl-dast-report.json: no matching files

For information on this, see the general Application Security troubleshooting section.

Getting error dast job: chosen stage does not exist when including DAST CI template

To avoid overwriting stages from other CI files, newer versions of the DAST CI template do not define stages. If you recently started using DAST.latest.gitlab-ci.yml or upgraded to a new major release of GitLab and began receiving this error, you must define a dast stage with your other stages. Note that you must have a running application for DAST to scan. If your application is set up in your pipeline, it must be deployed in a stage before the dast stage:

  - deploy  # DAST needs a running application to scan
  - dast

  - template: DAST.latest.gitlab-ci.yml