Black Duck Web Scanner

Category: DAST
License: Commercial
Suphi Cankurt
AppSec Enthusiast
Updated February 7, 2026

Black Duck Web Scanner (formerly Synopsys Web Scanner) is an enterprise DAST tool that runs on the Polaris Software Integrity Platform. It tests running web applications and APIs for security vulnerabilities using a headless browser engine and proof-based verification.

[Image: Black Duck Polaris Platform vulnerability triage interface]

The scanner is part of Black Duck’s larger security portfolio, which includes Coverity (SAST), Black Duck SCA, and Seeker (IAST). Over 4,000 organizations use Black Duck products. The company has held Gartner Magic Quadrant Leader status for 8 consecutive years as of 2025.

Synopsys divested its Software Integrity Group to Clearlake Capital and Francisco Partners in 2024. The products now operate under the Black Duck Software brand.

What is Black Duck Web Scanner?

Black Duck Web Scanner performs automated security testing against live or staging web applications. It crawls applications using a headless browser that executes JavaScript, handles SPAs, and intercepts AJAX calls. Then it fires attack payloads and checks responses for vulnerabilities.

What sets it apart from many DAST tools is proof-based verification. When the scanner finds a potential flaw, it attempts to confirm the vulnerability is real and exploitable. This cuts down false positives and gives development teams concrete evidence of the issue.

The scanner plugs into the Polaris platform alongside Coverity (SAST) and Black Duck SCA. Findings from all three testing methods appear in a single dashboard, letting security teams see whether a code-level flaw identified by SAST is also exploitable at runtime.

Feature | Details
Platform | Polaris Software Integrity Platform
Deployment | Cloud (SaaS) and on-premises
Detection approach | DAST with proof-based verification
Browser engine | Headless browser with full JavaScript execution
API testing | REST, GraphQL, OpenAPI/Swagger import
Authentication | Form-based, OAuth, SSO, custom auth
Integration | SAST + SCA + DAST correlation on Polaris
CI/CD | GitHub Actions, GitLab CI, Azure DevOps, Jenkins
Compliance | OWASP Top 10 mapping, audit-ready reports
Gartner status | Leader, 8 consecutive years (2025)

Key Features

Proof-Based Verification
When the scanner detects a potential vulnerability, it attempts to exploit it safely to confirm the issue is real. Each confirmed finding includes proof of exploitability, reducing false positive triage.
Headless Browser Engine
Full JavaScript rendering for testing modern SPAs, React/Angular/Vue applications, and dynamic content. Intercepts AJAX calls and maintains session state throughout the scan.
Correlated Findings
Polaris correlates DAST results with Coverity SAST and Black Duck SCA findings. When static analysis flags a code pattern and dynamic testing confirms it’s exploitable, that finding gets higher confidence.

Vulnerability Coverage

The scanner tests for the standard set of web application vulnerabilities:

  • SQL Injection: Error-based, blind, and time-based
  • Cross-Site Scripting: Reflected, stored, and DOM-based XSS
  • XXE: XML External Entity injection
  • SSRF: Server-Side Request Forgery
  • Insecure Deserialization: Object injection attacks
  • Security Misconfiguration: Headers, exposed files, default credentials
  • Sensitive Data Exposure: Unencrypted data, leaked tokens

API Security Testing

The scanner supports REST API endpoint discovery and testing, GraphQL query analysis, and OpenAPI/Swagger specification import. It also tests API authentication mechanisms and access control.

Policy Enforcement

Organizations define security policies that span testing types. For example, you can require no high-severity DAST findings before production deployment while allowing medium-severity issues with mitigation plans.

[Image: Black Duck Polaris Platform application security risk visibility dashboard]

Unified Dashboard
All findings from Coverity (SAST), Black Duck SCA, and the Web Scanner (DAST) appear in the same Polaris dashboard. Security teams track vulnerabilities across their entire application portfolio without switching between separate tools.

Integrations

CI/CD Platforms

  • GitHub Actions
  • GitLab CI
  • Azure DevOps
  • Jenkins

Black Duck Ecosystem

  • Coverity SAST
  • Black Duck SCA
  • Seeker IAST
  • Software Risk Manager

Getting Started

1. Access Polaris — Log in to your Polaris organization (cloud) or deploy the on-premises scanner package. Configure your organization and project structure.
2. Add your application — Navigate to Projects, create a new project, and configure DAST scanning. Provide the target URL and set up authentication (form-based login, OAuth, SSO, or custom).
3. Configure scan settings — Define scan scope (included/excluded URLs), import OpenAPI specs for API testing, and set scan policies based on your organization’s risk tolerance.
4. Run and review — Launch scans on-demand or schedule recurring assessments. Review findings in the Polaris dashboard with proof-of-exploit details for each confirmed vulnerability.
Start with Staging
Run your first DAST scan against a staging environment, not production. This avoids any risk of the scanner’s attack payloads affecting live users, and lets you validate authentication configuration before scanning at scale.

CI/CD Integration

GitHub Actions

name: Black Duck DAST Scan
on:
  push:
    branches: [main]

jobs:
  dast-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Black Duck Web Scanner
        uses: blackducksoftware/polaris-action@v1
        with:
          polaris-url: ${{ secrets.POLARIS_URL }}
          polaris-token: ${{ secrets.POLARIS_TOKEN }}
          scan-type: dast
          target-url: ${{ vars.STAGING_URL }}

      - name: Check for Critical Findings
        run: |
          polaris-cli findings \
            --project-name ${{ github.repository }} \
            --severity critical,high \
            --fail-on-findings
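The Policy Enforcement section describes blocking a deployment on high-severity DAST findings while permitting medium-severity issues that have a mitigation plan, and the workflow above ends with a step that fails the build on critical or high findings. As an added example (not Black Duck's or Polaris's code), the gate below implements that rule over a constructed JSON findings export; the export schema and field names (id, type, severity, verified, url, mitigation_plan) are assumptions, since the real polaris-cli output format is not shown here.

```python
# Severity gate over a DAST findings export. Added example, not Black Duck's
# code: the export schema (id, type, severity, verified, url, mitigation_plan)
# is a constructed assumption; the real polaris-cli output is not on the page.
import json
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class GatePolicy:
    block_at: str = "high"           # this severity and above blocks deployment
    require_plan_at: str = "medium"  # passes only with a recorded mitigation plan
    verified_only: bool = True       # count only proof-verified findings

def evaluate_gate(findings, policy=None):
    """Return (passed, reasons); each reason names one finding that fails the policy."""
    policy = policy or GatePolicy()
    reasons = []
    for f in findings:
        sev = f.get("severity", "").lower()
        rank = SEVERITY_RANK.get(sev, 0)
        if policy.verified_only and not f.get("verified", False):
            continue  # unconfirmed finding: left for triage, does not block
        label = f"{f['id']}: {sev} {f['type']} at {f['url']}"
        if rank >= SEVERITY_RANK[policy.block_at]:
            reasons.append(f"{label} blocks deployment")
        elif rank == SEVERITY_RANK[policy.require_plan_at] and not f.get("mitigation_plan"):
            reasons.append(f"{label} has no mitigation plan")
    return (not reasons, reasons)

def gate_export(export_json, policy=None):
    """Parse a JSON findings export and apply the gate."""
    return evaluate_gate(json.loads(export_json), policy)

# Constructed sample export (not real scanner output): four findings on a staging host.
SAMPLE_EXPORT = json.dumps([
    {"id": "F-1", "type": "SQL Injection", "severity": "critical", "verified": True,
     "url": "https://staging.example.test/search"},
    {"id": "F-2", "type": "Reflected XSS", "severity": "medium", "verified": True,
     "url": "https://staging.example.test/login", "mitigation_plan": "TICKET-123: output encoding"},
    {"id": "F-3", "type": "Missing security headers", "severity": "medium", "verified": True,
     "url": "https://staging.example.test/"},
    {"id": "F-4", "type": "SSRF", "severity": "high", "verified": False,
     "url": "https://staging.example.test/fetch"},
])
```

In a pipeline step, call `gate_export` on the exported findings and exit non-zero when `passed` is False, printing `reasons` so the blocked finding and the missing mitigation plan are visible in the job log.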

When to Use Black Duck Web Scanner

Black Duck Web Scanner fits enterprise teams that want DAST integrated with their SAST and SCA tools on a single platform. The proof-based verification is genuinely useful for reducing false positive noise.

Good fit for:

  • Organizations already using Coverity or Black Duck SCA that want correlated findings
  • Enterprise teams managing large application portfolios with centralized policy enforcement
  • Compliance-driven environments needing audit-ready reports
  • Teams testing JavaScript-heavy SPAs and modern web frameworks

Not the best fit if:

  • You want a free or open-source scanner — try ZAP instead
  • You need a standalone DAST tool without a platform — simpler single-purpose tools exist
  • You’re a small team scanning a few applications — the enterprise platform adds overhead you may not need

Note: Formerly Synopsys Web Scanner. Synopsys sold Software Integrity Group to Clearlake Capital and Francisco Partners in 2024, now operating as Black Duck Software.

Frequently Asked Questions

What is Black Duck Web Scanner?
Black Duck Web Scanner (formerly Synopsys Web Scanner) is an enterprise DAST solution on the Polaris Platform. It uses a headless browser engine and proof-based vulnerability verification to test running web applications and APIs.
Is Black Duck Web Scanner free or commercial?
Black Duck Web Scanner is a commercial enterprise product available through the Polaris Software Integrity Platform (cloud) or as an on-premises deployment. Black Duck has been a Gartner Magic Quadrant Leader for 8 consecutive years.
What vulnerabilities does Black Duck Web Scanner detect?
The scanner tests for OWASP Top 10 vulnerabilities including SQL injection, XSS, XXE, SSRF, and insecure deserialization. Proof-based verification confirms exploitability to reduce false positives.
How does Black Duck Web Scanner compare to alternatives?
Black Duck differentiates through proof-based detection that confirms exploitability, plus integration with the Polaris platform for correlated SAST, SCA, and DAST findings in a single dashboard.
What happened to Synopsys Web Scanner?
In 2024, Synopsys divested its Software Integrity Group to Clearlake Capital and Francisco Partners. The products were rebranded under Black Duck Software. The web scanner continues to receive updates under new ownership.
