The site that you are currently viewing is a static version of the Software Factory documentation delivered with the

version v7.2.
For up-to-date documentation, see the latest version.

Dynamic Application Security Testing (DAST)

Test a running application for vulnerabilities with GitLab DAST
GitLab logo
GitLab Ultimate uses the same open source tool [OWASP Zed Attack Proxy] for analysis as ZAP. It’s already embedded in your engineering environment and results are directly published in the vulnerability report within GitLab.
Always use a staging environment with fake data, not on a production environment.

How does DAST Scanning Work?

The two main modes available for DAST are:

  • passive: inspects an application for vulnerabilities by simulating typical user interactions. It focuses on evaluating the application’s security in the context of standard user activities.
  • active scans: Active scans will check for vulnerabilities by injecting attack payloads into HTTP requests.
Tip

You can easily activate DAST by adding this configuration in your .gitlab-ci.yml file.