Commit 33eef87b authored by Achilleas Pipinellis's avatar Achilleas Pipinellis

Add DAST to Auto DevOps docs

parent 8c93191a
......@@ -21,6 +21,7 @@ project in an easy and automatic way:
1. [Auto Code Quality](#auto-code-quality)
1. [Auto SAST (Static Application Security Testing)](#auto-sast)
1. [Auto SAST for Docker images](#auto-sast-for-docker-images)
1. [Auto DAST (Dynamic Application Security Testing)](#auto-dast)
1. [Auto Browser Performance Testing](#auto-browser-performance-testing)
1. [Auto Review Apps](#auto-review-apps)
1. [Auto Deploy](#auto-deploy)
......@@ -194,8 +195,10 @@ Auto Code Quality uses the open source
[`codeclimate` image](https://hub.docker.com/r/codeclimate/codeclimate/) to run
static analysis and other code checks on the current code. The report is
created, and is uploaded as an artifact which you can later download and check
out. In GitLab Enterprise Edition Starter, differences between the source and
target branches are
out.
In GitLab Enterprise Edition Starter, differences between the source and
target branches are also
[shown in the merge request widget](../../user/project/merge_requests/code_quality_diff.md).
### Auto SAST
......@@ -208,7 +211,8 @@ analysis on the current code and checks for potential security issues. Once the
report is created, it's uploaded as an artifact which you can later download and
check out.
Any security warnings are also [shown in the merge request widget](../../user/project/merge_requests/sast.md).
In GitLab Enterprise Edition Ultimate, any security warnings are also
[shown in the merge request widget](../../user/project/merge_requests/sast.md).
### Auto SAST for Docker images
......@@ -223,6 +227,19 @@ check out.
In GitLab Enterprise Edition Ultimate, any security warnings are also
[shown in the merge request widget](../../user/project/merge_requests/sast_docker.md).
### Auto DAST
> Introduced in [GitLab Enterprise Edition Ultimate][ee] 10.4.
Dynamic Application Security Testing (DAST) uses the
popular open source tool [OWASP ZAProxy](https://github.com/zaproxy/zaproxy)
to perform an analysis on the current code and checks for potential security
issues. Once the report is created, it's uploaded as an artifact which you can
later download and check out.
In GitLab Enterprise Edition Ultimate, any security warnings are also
[shown in the merge request widget](../../user/project/merge_requests/dast.md).
### Auto Browser Performance Testing
> Introduced in [GitLab Enterprise Edition Premium][ee] 10.4.
......
......@@ -11,25 +11,26 @@ by implicitly using [Auto DAST](../../../topics/autodevops/index.md#auto-dast)
that is provided by [Auto DevOps](../../../topics/autodevops/index.md).
Going a step further, GitLab can show the vulnerability list right in the merge
request widget area:
request widget area.
![DAST Widget](img/dast-all.png)
By clicking on vlunerability you will be able to see details and url affected:
By clicking on vulnerability you will be able to see the details and the URL(s)
affected.
![DAST Widget Clicked](img/dast-single.png)
## Use cases
It helps you automatically find security vulnerabilities in your web applications
while you are developing and testing your applications
while you are developing and testing your applications.
## How it works
In order for the report to show in the merge request, you need to specify a
`dast` job (exact name) that will analyze the running application and upload the resulting
`gl-dast-report.json` file as an artifact. GitLab will then check this file and
show the information inside the merge request.
`dast` job (exact name) that will analyze the running application and upload the
resulting `gl-dast-report.json` file (exact filename) as an artifact. GitLab
will then check this file and show the information inside the merge request.
This JSON file needs to be the only artifact file for the job. If you try
to also include other files, it will break the vulnerability display in the
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment