GitLab DAST

Category: DAST
License: Commercial (GitLab Ultimate)

GitLab DAST is a built-in dynamic application security testing solution for GitLab Ultimate users.

It runs automatically in CI/CD pipelines and displays vulnerability findings directly in merge requests, enabling developers to fix security issues before code reaches production.

What is GitLab DAST?

GitLab DAST is part of GitLab’s comprehensive DevSecOps platform, providing automated security testing without requiring external tools or integrations.

The scanner runs as a pipeline job, testing deployed applications for vulnerabilities like SQL injection, cross-site scripting, and security misconfigurations.

The tool uses browser-based scanning that handles both traditional web applications and JavaScript-heavy single-page applications.

Note: The legacy proxy-based analyzer was deprecated in GitLab 16.9 and removed in GitLab 17.3. DAST version 5 now uses a unified browser-based approach.

Results integrate directly with GitLab’s workflow.

Vulnerabilities appear in merge request widgets, security dashboards, and the vulnerability management interface.

Developers can review, dismiss, or create issues for findings without leaving GitLab.

Key Features

Native Pipeline Integration

GitLab DAST runs as a standard CI/CD job defined in .gitlab-ci.yml.

There is no external service to configure or separate dashboard to manage.

Scan results flow directly into GitLab’s security features:

include:
  - template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: https://staging.example.com

Browser-Based Scanning

For modern single-page applications built with React, Vue, or Angular, GitLab DAST includes a browser-based scanner that:

  • Executes JavaScript to render dynamic content
  • Interacts with client-side routing
  • Handles OAuth and token-based authentication
  • Tests API calls made by the frontend
  • Captures vulnerabilities in dynamically loaded elements

API Security Testing

GitLab DAST supports testing REST, GraphQL, and SOAP APIs:

  • Imports OpenAPI/Swagger specifications
  • Tests each endpoint with security payloads
  • Supports authentication via headers or tokens
  • Validates API responses for security issues
  • Discovers undocumented endpoints through crawling

Merge Request Integration

When DAST runs on a merge request, findings appear directly in the MR widget:

  • New vulnerabilities introduced by the MR are highlighted
  • Existing vulnerabilities show current status
  • Developers can dismiss false positives with comments
  • Links to full vulnerability details are provided

Security Dashboard

The Security Dashboard aggregates findings across projects:

  • Tracks vulnerability trends over time
  • Shows severity distribution
  • Monitors remediation progress
  • Compares security posture between branches

On-Demand Scanning

Beyond pipeline execution, GitLab DAST supports on-demand scans:

  • Trigger scans outside CI/CD pipelines
  • Test arbitrary URLs without code changes
  • Schedule regular scans for production monitoring
  • Share scan profiles across teams

How to Use GitLab DAST

Basic Configuration

Add DAST to your pipeline using the GitLab template:

# .gitlab-ci.yml
include:
  - template: DAST.gitlab-ci.yml

stages:
  - build
  - test
  - deploy
  - dast

variables:
  DAST_WEBSITE: https://staging.example.com

Browser-Based Scanning for SPAs

Configure browser-based scanning for JavaScript applications:

include:
  - template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: https://staging.example.com
  DAST_BROWSER_SCAN: "true"           # opt-in flag for older analyzers; DAST 5 is browser-based by default
  DAST_BROWSER_ACTION_TIMEOUT: 10s    # max time per browser action (click, navigation)
  DAST_BROWSER_CRAWL_TIMEOUT: 60m     # stop crawling after this long and move on to checks

Authenticated Scanning

Configure authentication for testing protected pages:

include:
  - template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: https://staging.example.com
  DAST_AUTH_URL: https://staging.example.com/login
  DAST_USERNAME: $DAST_USER   # define DAST_USER/DAST_PASS as masked, protected CI/CD variables, not in this file
  DAST_PASSWORD: $DAST_PASS
  DAST_USERNAME_FIELD: username
  DAST_PASSWORD_FIELD: password
  DAST_FIRST_SUBMIT_FIELD: submit
  DAST_AUTH_VERIFICATION_URL: https://staging.example.com/dashboard   # page reachable only when logged in

For token-based authentication:

variables:
  DAST_WEBSITE: https://api.example.com
  DAST_API_SPECIFICATION: https://api.example.com/openapi.json
  DAST_REQUEST_HEADERS: "Authorization: Bearer $API_TOKEN"

API Scanning

Test REST APIs using OpenAPI specifications:

include:
  - template: DAST-API.gitlab-ci.yml

variables:
  DAST_API_OPENAPI: https://api.example.com/openapi.yaml   # OpenAPI document that drives the scan
  DAST_API_TARGET_URL: https://api.example.com             # base URL the spec's paths are resolved against
  DAST_API_PROFILE: Quick-10                               # built-in scan profile (Quick-10, Full, ...)

For GraphQL APIs:

include:
  - template: DAST-API.gitlab-ci.yml

variables:
  DAST_API_GRAPHQL: https://api.example.com/graphql   # GraphQL endpoint (schema is introspected)
  DAST_API_TARGET_URL: https://api.example.com
  DAST_API_PROFILE: Quick-10

Custom Scan Configuration

Fine-tune scan behavior with additional options:

include:
  - template: DAST.gitlab-ci.yml

variables:
  DAST_WEBSITE: https://staging.example.com
  DAST_FULL_SCAN_ENABLED: "true"         # active checks as well as passive ones (slower, sends payloads)
  DAST_SPIDER_MINS: 30                   # maximum crawl time in minutes
  DAST_TARGET_AVAILABILITY_TIMEOUT: 120  # seconds to wait for the target to respond before failing
  # Full URLs, comma-separated; skip anything that would end the session or mutate data
  DAST_EXCLUDE_URLS: https://staging.example.com/logout,https://staging.example.com/delete

dast:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"

On-Demand Scans

Create and run on-demand scans via the GitLab UI or API:

# Create an on-demand scan via API
curl --request POST \
  --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "name": "Production Security Scan",
    "target_url": "https://production.example.com",
    "scan_type": "dast",
    "scanner_profile_id": 1,
    "site_profile_id": 2
  }' \
  "https://gitlab.example.com/api/v4/projects/123/on_demand_scans"

Viewing Results

Access scan results through multiple interfaces:

  1. Merge Request Widget: Shows new vulnerabilities in the MR
  2. Pipeline Security Tab: Lists all findings from the scan
  3. Security Dashboard: Project or group-level vulnerability overview
  4. Vulnerability Report: Detailed list with filtering and export

# Export vulnerabilities via API
curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "https://gitlab.example.com/api/v4/projects/123/vulnerability_findings" \
  --output vulnerabilities.json
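An added example (not from this page or from GitLab) of consuming that export: the script below reads the vulnerabilities.json written by the API call above, keeps only open DAST findings, tallies them by severity and exits non-zero when anything at or above a chosen severity is present, so it can serve as a pipeline gate. The JSON field names it relies on (report_type, severity, name, state) and the embedded sample export are assumptions.

```python
"""Summarize and gate on a GitLab vulnerability-findings export (added example)."""
import json
import sys
from collections import Counter

# Severities in descending order; anything unrecognised ranks after all of these.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "unknown"]

# Constructed sample shaped like the API export; not real scan output.
# The field names (report_type, severity, name, state) are assumed here.
SAMPLE_EXPORT = json.dumps([
    {"report_type": "dast", "name": "SQL Injection", "severity": "High",
     "state": "detected", "location": {"hostname": "staging.example.com", "path": "/search"}},
    {"report_type": "dast", "name": "Missing X-Frame-Options", "severity": "Low",
     "state": "detected", "location": {"hostname": "staging.example.com", "path": "/"}},
    {"report_type": "dast", "name": "Reflected XSS", "severity": "Medium",
     "state": "dismissed", "location": {"hostname": "staging.example.com", "path": "/q"}},
    {"report_type": "sast", "name": "Hardcoded secret", "severity": "Critical",
     "state": "detected", "location": {"file": "config.py"}},
])


def rank(severity):
    """Position of a severity label in SEVERITY_ORDER (case-insensitive)."""
    label = (severity or "unknown").lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else len(SEVERITY_ORDER)


def dast_findings(export_json, include_dismissed=False):
    """Keep only DAST findings; drop dismissed ones unless asked to keep them."""
    return [f for f in json.loads(export_json)
            if f.get("report_type") == "dast"
            and (include_dismissed or f.get("state") != "dismissed")]


def severity_counts(findings):
    """Count findings per severity, lower-cased so 'High' and 'high' match."""
    return Counter((f.get("severity") or "unknown").lower() for f in findings)


def violates_gate(findings, fail_on="high"):
    """True if any finding is at or above the fail_on severity."""
    return any(rank(f.get("severity")) <= rank(fail_on) for f in findings)


if __name__ == "__main__":
    # Usage: python dast_gate.py vulnerabilities.json [high|critical|...]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "high"
    open_findings = dast_findings(data)
    for sev, n in sorted(severity_counts(open_findings).items(), key=lambda kv: rank(kv[0])):
        print(f"{sev:>8}: {n}")
    sys.exit(1 if violates_gate(open_findings, threshold) else 0)
```

Run it with no arguments to see the constructed sample, or point it at the vulnerabilities.json file from the curl command above.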

When to Use GitLab DAST

GitLab DAST is the natural choice for organizations already using GitLab for source control and CI/CD.

The native integration eliminates the friction of connecting external security tools.

Consider GitLab DAST when you need:

  • Native integration with GitLab CI/CD pipelines
  • Vulnerability findings in merge request reviews
  • Browser-based scanning for both traditional and SPA applications
  • API security testing for REST, GraphQL, and SOAP endpoints
  • Centralized security dashboard across projects
  • On-demand scanning for ad-hoc testing
  • Unified DevSecOps platform without tool sprawl

GitLab DAST works best when combined with GitLab’s other security features (SAST, SCA, Container Scanning) for comprehensive coverage.

Organizations on the GitLab Free or Premium tiers need to upgrade to Ultimate or consider standalone DAST tools.

Teams requiring advanced features like AI-powered testing, business logic security testing, or extensive customization may want to evaluate dedicated DAST platforms alongside or instead of GitLab DAST.