If you are using GitLab CI/CD, you can analyze your running web application(s) for known vulnerabilities using Dynamic Application Security Testing (DAST).
Running static checks on your code is the first step to detect vulnerabilities that can put the security of your code at risk. Yet, once deployed, your application is exposed to a new category of possible attacks, such as cross-site scripting or broken authentication flaws. This is where Dynamic Application Security Testing (DAST) comes into place.
Going a step further, GitLab can show the vulnerability list right in the merge request widget area.
It helps you automatically find security vulnerabilities in your running web applications while you are developing and testing your applications.
First of all, you need to define a job named
dast in your
file. Check how the
dast job should look like.
In order for the report to show in the merge request, there are two prerequisites:
- the specified job must be named
- the resulting report must be named
gl-dast-report.jsonand uploaded as an artifact. This JSON file needs to be the only artifact file for the job. If you try to also include other files, it will break the vulnerability display in the merge request.
sast job will perform an analysis on the running web application, the
resulting JSON file will be uploaded as an artifact, and GitLab will then check
this file and show the information inside the merge request.
By clicking on one of the detected linked vulnerabilities, you will be able to see the details and the URL(s) affected.