Configure DAST scanning

Configure dynamic application security testing (DAST) scanning to identify security vulnerabilities in running web applications by testing them from an external perspective. DAST scanning simulates real-world attacks against deployed applications to discover runtime security issues, authentication bypasses, and configuration vulnerabilities that static analysis cannot detect. Before you begin, ensure you have a deployed web application environment accessible for testing and the necessary permissions to configure security scanning tools.

Understanding DAST scanning approach

Unlike static analysis tools, DAST scanners test live applications and require explicit workflow configuration. DAST tools are not available for implicit ASPM activation because they need specific target URLs and deployed application environments.

To prepare for DAST scanning:

  1. Identify your target application environments and ensure they are accessible for security testing:

    • Applications must be deployed and running.

    • Network access must allow external scanning tools to reach your applications.

    • Consider using staging or testing environments to avoid impacting production systems.

  2. Verify you have the necessary authentication credentials and access permissions for your target applications

  3. Plan your scanning schedule to avoid conflicts with application maintenance or high-traffic periods

DAST scanning works best when integrated into deployment pipelines after applications are successfully deployed to target environments.

Configure explicit workflow DAST scanning

DAST scanning requires explicit workflow configuration with specific target URLs and authentication details.

To configure DAST scanning in your workflows:

  1. Add DAST scanning actions to your workflow YAML file in the appropriate job step. Available DAST scanners include:

    • StackHawk: Modern DAST with developer-focused integration and comprehensive web application security testing.

    • ZAP (OWASP): Open-source web application security scanner with flexible configuration options.

  2. Configure scanner authentication and environment access:

    • Create the required secrets in your CloudBees Unify organization or component settings for API keys and authentication tokens.

    • Set up target environment URLs ensuring they are accessible from the scanning infrastructure.

    • Configure application-specific authentication flows if your applications require login credentials.

      Common authentication and access patterns include:

      • API key authentication: Most DAST scanners require API tokens stored as secrets

      • Target URL configuration: Applications must be accessible via HTTP/HTTPS endpoints

      • Application credentials: Some scanners support authenticated scanning with user credentials

  3. Customize scan parameters for your application:

    • Define scan scope and URL patterns to include or exclude from testing.

    • Configure crawling rules and depth limits appropriate for your application structure.

    • Set scan intensity levels and timeout values based on application size and complexity.

      Example DAST configuration:

        - name: Scan with StackHawk
          uses: https://github.com/cloudbees-io/stackhawk-dast-scan-environment@v1
          with:
            api-key: ${{ secrets.STACKHAWK_API_KEY }}
            app-id: "your-app-id"
            env: "staging"

DAST scanning can impact application performance and may trigger security alerts. Always coordinate with your operations team and consider using dedicated testing environments.
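The single StackHawk step above only makes sense inside a job that runs after deployment. The following complete workflow is an added example, not a workflow from CloudBees or StackHawk documentation: only the StackHawk step and its `api-key`, `app-id` and `env` inputs come from this page. The `apiVersion`/`kind`/`on`/`jobs`/`needs` skeleton and the `uses: docker://…` plus `run:` step form are assumed to follow the shape of CloudBees Unify workflows, and the deploy step, the `https://staging.example.test/healthz` health URL and the job names are placeholders to replace with your own.

```yaml
# Added example; not the CloudBees or StackHawk project's own workflow.
# Assumed skeleton (apiVersion, kind, on, jobs, needs, container run steps);
# the deploy step and the health-check URL are placeholders.
apiVersion: automation.cloudbees.io/v1alpha1
kind: workflow
name: deploy-and-dast
on:
  push:
    branches:
      - main
jobs:
  deploy:
    steps:
      - name: Deploy to staging
        uses: docker://alpine:3.20   # placeholder: replace with your deploy action
        run: echo "deploy to staging (placeholder)"
  dast:
    # Sequence the scan after the deploy job so the target is actually running.
    needs: [deploy]
    steps:
      - name: Wait for staging to pass its health check
        uses: docker://curlimages/curl:8.8.0
        run: |
          # Poll the readiness endpoint for up to 5 minutes before scanning.
          for i in $(seq 1 30); do
            curl -fsS https://staging.example.test/healthz && exit 0
            sleep 10
          done
          echo "application never became ready; skipping DAST scan" >&2
          exit 1
      - name: Scan with StackHawk
        uses: https://github.com/cloudbees-io/stackhawk-dast-scan-environment@v1
        with:
          # API key created as a secret in organization or component settings.
          api-key: ${{ secrets.STACKHAWK_API_KEY }}
          app-id: "your-app-id"
          env: "staging"
```

Keeping the readiness poll as its own step means a failed health check stops the job before the scanner runs, so a scan against a half-started application cannot produce a misleading clean result.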

Manage scan timing and deployment integration

DAST scanning requires careful timing coordination with your deployment pipeline to ensure applications are ready for testing.

To integrate DAST scanning effectively:

  1. Schedule DAST scans after successful application deployment:

    • Wait for deployment completion and health checks before initiating scans.

    • Use workflow dependencies to ensure proper sequencing.

    • Consider application startup times and readiness probes.

  2. Configure appropriate scan timing:

    • Set realistic timeout values for scan completion.

    • Account for application complexity and response times.

    • Plan for scan duration in your overall pipeline timing.

  3. Handle scan results and pipeline decisions:

    • Define severity thresholds for build success or failure.

    • Configure notifications for security teams when issues are discovered.

    • Integrate with your incident response processes for critical findings.
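The scope rules from the "Customize scan parameters" step and the severity thresholds from the step above are usually applied by a small gate script between the scanner and the pipeline decision. The script below is an added example, not CloudBees, StackHawk or ZAP code: it assumes the scanner's report has already been mapped into the simple list-of-dicts shape of the constructed `SAMPLE_REPORT` (real StackHawk and ZAP report formats differ and need their own mapping), applies include/exclude URL patterns, counts findings per severity, and fails the build when anything at or above the `fail_on` level is found in scope.

```python
"""Pipeline gate for DAST findings: scope filtering plus a severity threshold.

Added example; not CloudBees, StackHawk or ZAP code. It assumes the scanner
report has been mapped into the list-of-dicts shape used by SAMPLE_REPORT.
"""
import fnmatch
from urllib.parse import urlparse

# Severity ordering used for the fail-on threshold (assumed scale).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings for a staging host; not real scanner output.
SAMPLE_REPORT = [
    {"id": "f-1", "severity": "high", "title": "SQL injection",
     "url": "https://staging.example.test/api/search?q=1"},
    {"id": "f-2", "severity": "medium", "title": "Missing Content-Security-Policy header",
     "url": "https://staging.example.test/login"},
    {"id": "f-3", "severity": "low", "title": "Verbose Server header",
     "url": "https://staging.example.test/"},
    {"id": "f-4", "severity": "high", "title": "Authentication bypass",
     "url": "https://staging.example.test/admin/debug"},
]


def in_scope(url, include=("/*",), exclude=()):
    """Return True when the URL path matches an include pattern and no exclude pattern.

    Patterns are shell-style globs on the path only (fnmatch treats '/' like any
    other character, so '/*' covers every path). The query string is ignored so
    scope rules apply to the endpoint, not to the payload the scanner sent.
    """
    path = urlparse(url).path or "/"
    if not any(fnmatch.fnmatch(path, pattern) for pattern in include):
        return False
    return not any(fnmatch.fnmatch(path, pattern) for pattern in exclude)


def evaluate_scan(report, fail_on="high", include=("/*",), exclude=()):
    """Decide whether a scan should fail the build.

    fail_on is the lowest severity that blocks; every in-scope finding at or
    above it is listed in 'blocking'. Out-of-scope findings are reported
    separately rather than dropped, so a result is never silently lost.
    Unknown severities raise instead of being treated as harmless.
    """
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"unknown fail_on severity: {fail_on!r}")
    threshold = SEVERITY_RANK[fail_on]
    counts = {name: 0 for name in SEVERITY_RANK}
    blocking, out_of_scope = [], []
    for finding in report:
        severity = finding["severity"].lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"finding {finding['id']} has unknown severity {severity!r}")
        if not in_scope(finding["url"], include, exclude):
            out_of_scope.append(finding["id"])
            continue
        counts[severity] += 1
        if SEVERITY_RANK[severity] >= threshold:
            blocking.append(finding["id"])
    return {
        "passed": not blocking,
        "blocking": blocking,
        "counts": counts,
        "out_of_scope": out_of_scope,
    }


def summarize(result):
    """One-line summary for the pipeline log or a security-team notification."""
    status = "PASS" if result["passed"] else "FAIL"
    counted = ", ".join(f"{name}={n}" for name, n in result["counts"].items() if n)
    return (f"DAST gate {status}: {len(result['blocking'])} blocking finding(s) "
            f"[{', '.join(result['blocking'])}]; counts: {counted or 'none'}; "
            f"out of scope: {len(result['out_of_scope'])}")


if __name__ == "__main__":
    # Fail on high or above, but keep the debug endpoint out of scope for this run.
    decision = evaluate_scan(SAMPLE_REPORT, fail_on="high", exclude=("/admin/*",))
    print(summarize(decision))
    raise SystemExit(0 if decision["passed"] else 1)
```

Exiting non-zero from the gate is what turns a severity threshold into a build failure in the workflow, while the summary line gives the security team the counts they need for notification and triage; out-of-scope findings stay visible in that summary so an exclusion pattern that is too broad is noticed rather than hiding results.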

Review and manage DAST findings

DAST scanners identify runtime vulnerabilities that may not be detected by static analysis, requiring specialized triage and remediation approaches.

DAST results are shown in the security insights dashboard, not in the security center.

To review DAST findings:

  1. Navigate to Analytics > Security insights in your organization.

  2. In the Vulnerabilities by security scan type chart, select the DAST total or bar to display vulnerability details for DAST scans.

  3. Understand DAST-specific finding types and prioritization:

    • Runtime vulnerabilities such as injection attacks and authentication bypasses.

    • Configuration issues in deployed applications.

    • Network-level security concerns and exposure risks.

  4. Coordinate with development and operations teams for effective remediation:

    • Share findings with both development teams (for code fixes) and operations teams (for configuration changes).

    • Prioritize findings based on application criticality and exposure.