@@ -145,7 +145,14 @@ the site during a scan could lead to inaccurate results.
### Authentication
It's also possible to authenticate the user before performing the DAST checks:
It's also possible to authenticate the user before performing the DAST checks.
Create masked variables to pass the credentials that DAST will use.
To create masked variables for the username and password, see [Create a custom variable in the UI](../../../ci/variables/README.md#create-a-custom-variable-in-the-ui).
Note that the key of the username variable must be `DAST_USERNAME`
and the key of the password variable must be `DAST_PASSWORD`.
Other variables that are related to authenticated scans are:
```yaml
include:
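Review bot: the new guidance at "Create masked variables to pass the credentials that DAST will use" should state that masking only hides the values in job logs; it does nothing for credentials that are still written into `.gitlab-ci.yml`, so the paragraph should tell readers to keep `DAST_USERNAME` and `DAST_PASSWORD` out of the `variables:` block entirely (as the second hunk does for the example) and to set them only as masked CI/CD variables. Suggested sentence: "Do not commit the credentials to `.gitlab-ci.yml`; set `DAST_USERNAME` and `DAST_PASSWORD` only as masked variables." Minor wording: "Other variables that are related to authenticated scans are:" reads better as "Other variables related to authenticated scans are:".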
...
@@ -154,8 +161,6 @@ include:
variables:
DAST_WEBSITE:https://example.com
DAST_AUTH_URL:https://example.com/sign-in
DAST_USERNAME:john.doe@example.com
DAST_PASSWORD:john-doe-password
DAST_USERNAME_FIELD:session[user]# the name of username field at the sign-in HTML form
DAST_PASSWORD_FIELD:session[password]# the name of password field at the sign-in HTML form
DAST_AUTH_EXCLUDE_URLS:http://example.com/sign-out,http://example.com/sign-out-2# optional, URLs to skip during the authenticated scan; comma-separated, no spaces in between
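Review bot: dropping `DAST_USERNAME` and `DAST_PASSWORD` from the example is the right fix, since this snippet is copied into `.gitlab-ci.yml` and would otherwise put a real password into the repository history; but the remaining example should carry a comment such as "DAST_USERNAME and DAST_PASSWORD are supplied as masked CI/CD variables", because a reader of the snippet alone can no longer tell where the credentials come from. Separately, `DAST_AUTH_EXCLUDE_URLS` lists `http://example.com/sign-out,http://example.com/sign-out-2` while `DAST_WEBSITE` and `DAST_AUTH_URL` use `https://example.com`; with the scheme mismatch the exclusions may not match the URLs the authenticated scan actually requests, so the sign-out URLs should use `https://` as well.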