Available CI/CD variables

These CI/CD variables are specific to the browser-based DAST analyzer. They can be used to customize the behavior of DAST to your requirements. For authentication CI/CD variables, see Authentication.

CI/CD variableTypeExampleDescription
DAST_ACTIVE_SCAN_TIMEOUTDuration string3hThe maximum amount of time to wait for the active scan phase of the scan to complete. Defaults to 3h.
DAST_ACTIVE_SCAN_WORKER_COUNTnumber3The number of active checks to run in parallel. Defaults to 3.
DAST_AUTH_AFTER_LOGIN_ACTIONSstringclick(on=id:remember-me),click(on=css:.continue)A comma-separated list of actions to be run after login but before login verification. Currently supports “click” actions.
DAST_AUTH_BEFORE_LOGIN_ACTIONSselectorcss:.user,id:show-login-formA comma-separated list of selectors representing elements to click on prior to entering the DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD into the login form.
DAST_AUTH_CLEAR_INPUT_FIELDSbooleantrueDisables clearing of username and password fields before attempting manual login. Set to false by default.
DAST_AUTH_COOKIE_NAMESstringsessionID,groupNameSet to a comma-separated list of cookie names to specify which cookies are used for authentication.
DAST_AUTH_FIRST_SUBMIT_FIELDselectorcss:input[type=submit]A selector describing the element that is clicked on to submit the username form of a multi-page login process.
DAST_AUTH_PASSWORD_FIELDselectorname:passwordA selector describing the element used to enter the password on the login form.
DAST_AUTH_NEGOTIATE_DELEGATIONstring*.example.com,example.com,*.EXAMPLE.COM,EXAMPLE.COMWhich servers should be allowed for integrated authentication and delegation. This property sets two Chromium policies: AuthServerAllowlist and AuthNegotiateDelegateAllowlist. Introduced in GitLab 17.6.
DAST_AUTH_PASSWORDstringP@55w0rd!The password to authenticate to in the website.
DAST_AUTH_REPORTbooleantrueSet to true to generate a report detailing steps taken during the authentication process. You must also define gl-dast-debug-auth-report.html as a CI job artifact to be able to access the generated report. The report’s content aids when debugging authentication failures. Defaults to false.
DAST_AUTH_SUBMIT_FIELDselectorcss:input[type=submit]A selector describing the element clicked on to submit the login form for a single-page login form, or the password form for a multi-page login form.
DAST_AUTH_SUCCESS_IF_AT_URLURLhttps://www.site.com/welcomeA URL that is compared to the URL in the browser to determine if authentication has succeeded after the login form is submitted.
DAST_AUTH_SUCCESS_IF_ELEMENT_FOUNDselectorcss:.user-avatarA selector describing an element whose presence is used to determine if authentication has succeeded after the login form is submitted.
DAST_AUTH_SUCCESS_IF_NO_LOGIN_FORMbooleantrueVerifies successful authentication by checking for the absence of a login form after the login form has been submitted. This success check is enabled by default.
DAST_AUTH_TYPEstringbasic-digestThe authentication type to use.
DAST_AUTH_URLURLhttps://site.com/loginThe URL of the page containing the login form on the target website. DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD are submitted with the login form to create an authenticated scan.
DAST_AUTH_USERNAME_FIELDselectorname:usernameA selector describing the element used to enter the username on the login form.
DAST_AUTH_USERNAMEstringuser@email.comThe username to authenticate to in the website.
DAST_BROWSER_SCANbooleantrueRequired to be true to run a browser-based scan.
DAST_CHECKS_TO_EXCLUDEstring552.2,78.1Comma-separated list of check identifiers to exclude from the scan. For identifiers, see vulnerability checks.
DAST_CHECKS_TO_RUNList of strings16.1,16.2,16.3Comma-separated list of check identifiers to use for the scan. For identifiers, see vulnerability checks.
DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUTDuration string5sThe maximum amount of time to allow the browser to extract newly found elements or navigations. Defaults to 5s.
DAST_CRAWL_GRAPHbooleantrueSet to true to generate an SVG graph of navigation paths visited during crawl phase of the scan. You must also define gl-dast-crawl-graph.svg as a CI job artifact to be able to access the generated graph. Defaults to false.
DAST_CRAWL_MAX_ACTIONSnumber10000The maximum number of actions that the crawler performs. Example actions include selecting a link, or filling a form. Defaults to 10000.
DAST_CRAWL_MAX_DEPTHnumber10The maximum number of chained actions that the crawler takes. For example, Click -> Form Fill -> Click is a depth of three. Defaults to 10.
DAST_CRAWL_SEARCH_ELEMENT_TIMEOUTDuration string3sThe maximum amount of time to allow the browser to search for new elements or user actions. Defaults to 3s.
DAST_CRAWL_TIMEOUTDuration string5mThe maximum amount of time to wait for the crawl phase of the scan to complete. Defaults to 24h.
DAST_CRAWL_WORKER_COUNTnumber3The maximum number of concurrent browser instances to use. For instance runners on GitLab.com, we recommended a maximum of three. Private runners with more resources may benefit from a higher number, but are likely to produce little benefit after five to seven instances. The default value is dynamic, equal to the number of usable logical CPUs.
DAST_FULL_SCANbooleantrueSet to true to run both passive and active checks. Default: false
DAST_LOG_BROWSER_OUTPUTbooleantrueSet to true to log Chromium STDOUT and STDERR.
DAST_LOG_CONFIGList of stringsbrows:debug,auth:debugA list of modules and their intended logging level for use in the console log.
DAST_LOG_DEVTOOLS_CONFIGstringDefault:messageAndBody,truncate:2000Set to log protocol messages between DAST and the Chromium browser.
DAST_LOG_FILE_CONFIGList of stringsbrows:debug,auth:debugA list of modules and their intended logging level for use in the file log.
DAST_LOG_FILE_PATHstring/output/browserker.logSet to the path of the file log. Default is gl-dast-scan.log
DAST_PAGE_DOM_READY_TIMEOUTDuration string7sThe maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after a navigation completes. Defaults to 6s.
DAST_PAGE_DOM_STABLE_WAITDuration string200msDefine how long to wait for updates to the DOM before checking a page is stable. Defaults to 500ms.
DAST_PAGE_ELEMENT_READY_TIMEOUTDuration string600msThe maximum amount of time to wait for an element before determining it is ready for analysis. Defaults to 300ms.
DAST_PAGE_IS_LOADING_ELEMENTselectorcss:#page-is-loadingSelector that when is no longer visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_READY_ELEMENT.
DAST_PAGE_IS_READY_ELEMENTselectorcss:#page-is-readySelector that when detected as visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_LOADING_ELEMENT.
DAST_PAGE_MAX_RESPONSE_SIZE_MBnumber15The maximum size of a HTTP response body. Responses with bodies larger than this are blocked by the browser. Defaults to 10 MB.
DAST_PAGE_READY_AFTER_ACTION_TIMEOUTDuration string7sThe maximum amount of time to wait for a browser to consider a page loaded and ready for analysis. Defaults to 7s.
DAST_PAGE_READY_AFTER_NAVIGATION_TIMEOUTDuration string15sThe maximum amount of time to wait for a browser to navigate from one page to another. Defaults to 15s.
DAST_PASSIVE_SCAN_WORKER_COUNTint5Number of workers that passive scan in parallel. Defaults to the number of available CPUs.
DAST_PKCS12_CERTIFICATE_BASE64stringZGZkZ2p5NGd...The PKCS12 certificate used for sites that require Mutual TLS. Must be encoded as base64 text.
DAST_PKCS12_PASSWORDstringpasswordThe password of the certificate used in DAST_PKCS12_CERTIFICATE_BASE64. Create sensitive custom CI/CI variables using the GitLab UI.
DAST_REQUEST_ADVERTISE_SCANbooleantrueSet to true to add a Via: GitLab DAST <version> header to every request sent, advertising that the request was sent as part of a GitLab DAST scan. Default: false.
DAST_REQUEST_COOKIESdictionaryabtesting_group:3,region:lockedA cookie name and value to be added to every request.
DAST_REQUEST_HEADERSstringCache-control:no-cacheSet to a comma-separated list of request header names and values. The following headers are not supported: content-length, cookie2, keep-alive, hosts, trailer, transfer-encoding, and all headers with a proxy- prefix.
DAST_SCOPE_ALLOW_HOSTSList of stringssite.com,another.comHostnames included in this variable are considered in scope when crawled. By default the DAST_TARGET_URL hostname is included in the allowed hosts list. Headers set using DAST_REQUEST_HEADERS are added to every request made to these hostnames.
DAST_SCOPE_EXCLUDE_ELEMENTSselectora[href='2.html'],css:.no-followComma-separated list of selectors that are ignored when scanning.
DAST_SCOPE_EXCLUDE_HOSTSList of stringssite.com,another.comHostnames included in this variable are considered excluded and connections are forcibly dropped.
DAST_SCOPE_EXCLUDE_URLSURLshttps://site.com/.*/sign-outThe URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, .* matches an arbitrary character sequence.
DAST_SCOPE_IGNORE_HOSTSList of stringssite.com,another.comHostnames included in this variable are accessed, not attacked, and not reported against.
DAST_TARGET_CHECK_SKIPbooleantrueSet to true to prevent DAST from checking that the target is available before scanning. Default: false.
DAST_TARGET_CHECK_TIMEOUTnumber60Time limit in seconds to wait for target availability. Default: 60s.
DAST_TARGET_PATHS_FILEstring/builds/project/urls.txtEnsures that the provided paths are always scanned. Set to a file path containing a list of URL paths relative to DAST_TARGET_URL. The file must be plain text with one path per line.
DAST_TARGET_PATHSstring/page1.html,/category1/page3.htmlEnsures that the provided paths are always scanned. Set to a comma-separated list of URL paths relative to DAST_TARGET_URL.
DAST_TARGET_URLURLhttps://site.comThe URL of the website to scan.
DAST_USE_CACHEbooleantrueSet to false to disable caching. Default: true. Note: Disabling cache can cause OOM events or DAST job timeouts.
SECURE_ANALYZERS_PREFIXURLregistry.organization.comSet the Docker registry base address from which to download the analyzer.