Available CI/CD variables
These CI/CD variables are specific to the browser-based DAST analyzer. They can be used to customize the behavior of DAST to your requirements. For authentication CI/CD variables, see Authentication.
| CI/CD variable | Type | Example | Description |
|---|---|---|---|
| `DAST_ADVERTISE_SCAN` | boolean | `true` | Set to `true` to add a `Via` header to every request sent, advertising that the request was sent as part of a GitLab DAST scan. Introduced in GitLab 14.1. |
| `DAST_AUTH_COOKIES` | string | | Set to a comma-separated list of cookie names to specify which cookies are used for authentication. |
| `DAST_AUTH_DISABLE_CLEAR_FIELDS` | boolean | | Disables clearing of username and password fields before attempting manual login. Set to `false` by default. |
| `DAST_AUTH_REPORT` | boolean | | Set to `true` to generate a report detailing steps taken during the authentication process. You must also define `gl-dast-debug-auth-report.html` as a CI job artifact to be able to access the generated report. The report's content aids when debugging authentication failures. |
| `DAST_AUTH_TYPE` | string | `basic-digest` | The authentication type to use. |
| `DAST_AUTH_URL` | URL | `https://login.example.com` | The URL of the page containing the login form on the target website. `DAST_USERNAME` and `DAST_PASSWORD` are submitted with the login form to create an authenticated scan. |
| `DAST_AUTH_VERIFICATION_LOGIN_FORM` | boolean | | Verifies successful authentication by checking for the absence of a login form after the login form has been submitted. |
| `DAST_AUTH_VERIFICATION_SELECTOR` | selector | `css:.user-photo` | A selector describing an element whose presence is used to determine if authentication has succeeded after the login form is submitted. |
| `DAST_AUTH_VERIFICATION_URL` | URL | `https://example.com/loggedin_page` | A URL that is compared to the URL in the browser to determine if authentication has succeeded after the login form is submitted. Introduced in GitLab 13.8. |
| `DAST_BROWSER_PATH_TO_LOGIN_FORM` | selector | `css:.navigation-menu,css:.login-menu-item` | A comma-separated list of selectors representing elements to click on prior to entering the `DAST_USERNAME` and `DAST_PASSWORD` into the login form. Introduced in GitLab 14.1. |
| `DAST_BROWSER_ACTION_STABILITY_TIMEOUT` | Duration string | `800ms` | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after completing an action. |
| `DAST_BROWSER_ACTION_TIMEOUT` | Duration string | `7s` | The maximum amount of time to wait for a browser to complete an action. |
| `DAST_BROWSER_ALLOWED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered in scope when crawled. By default the `DAST_WEBSITE` hostname is included in the allowed hosts list. Headers set using `DAST_REQUEST_HEADERS` are added to every request made to these hostnames. |
| `DAST_BROWSER_COOKIES` | dictionary | `abtesting_group:3,region:locked` | A cookie name and value to be added to every request. |
| `DAST_BROWSER_CRAWL_GRAPH` | boolean | `true` | Set to `true` to generate an SVG graph of navigation paths visited during the crawl phase of the scan. You must also define `gl-dast-crawl-graph.svg` as a CI job artifact to be able to access the generated graph. |
| `DAST_BROWSER_CRAWL_TIMEOUT` | Duration string | `5m` | The maximum amount of time to wait for the crawl phase of the scan to complete. Defaults to `24h`. |
| `DAST_BROWSER_DEVTOOLS_LOG` | string | `Default:messageAndBody,truncate:2000` | Set to log protocol messages between DAST and the Chromium browser. |
| `DAST_BROWSER_DOM_READY_AFTER_TIMEOUT` | Duration string | `200ms` | Define how long to wait for updates to the DOM before checking a page is stable. Defaults to `500ms`. |
| `DAST_BROWSER_ELEMENT_TIMEOUT` | Duration string | `600ms` | The maximum amount of time to wait for an element before determining it is ready for analysis. |
| `DAST_BROWSER_EXCLUDED_ELEMENTS` | selector | `a[href='2.html'],css:.no-follow` | Comma-separated list of selectors that are ignored when scanning. |
| `DAST_BROWSER_EXCLUDED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are considered excluded and connections are forcibly dropped. |
| `DAST_BROWSER_EXTRACT_ELEMENT_TIMEOUT` | Duration string | `5s` | The maximum amount of time to allow the browser to extract newly found elements or navigations. |
| `DAST_BROWSER_FILE_LOG` | List of strings | `brows:debug,auth:debug` | A list of modules and their intended logging level for use in the file log. |
| `DAST_BROWSER_FILE_LOG_PATH` | string | `/output/browserker.log` | Set to the path of the file log. |
| `DAST_BROWSER_IGNORED_HOSTS` | List of strings | `site.com,another.com` | Hostnames included in this variable are accessed, not attacked, and not reported against. |
| `DAST_BROWSER_INCLUDE_ONLY_RULES` | List of strings | `16.1,16.2,16.3` | Comma-separated list of check identifiers to use for the scan. |
| `DAST_BROWSER_LOG` | List of strings | `brows:debug,auth:debug` | A list of modules and their intended logging level for use in the console log. |
| `DAST_BROWSER_LOG_CHROMIUM_OUTPUT` | boolean | `true` | Set to `true` to log Chromium `STDOUT` and `STDERR`. |
| `DAST_BROWSER_MAX_ACTIONS` | number | `10000` | The maximum number of actions that the crawler performs. For example, selecting a link, or filling a form. |
| `DAST_BROWSER_MAX_DEPTH` | number | `10` | The maximum number of chained actions that the crawler takes. For example, `Click -> Form Fill -> Click` is a depth of three. |
| `DAST_BROWSER_MAX_RESPONSE_SIZE_MB` | number | `15` | The maximum size of an HTTP response body. Responses with bodies larger than this are blocked by the browser. Defaults to 10 MB. |
| `DAST_BROWSER_NAVIGATION_STABILITY_TIMEOUT` | Duration string | `7s` | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after a navigation completes. Defaults to `800ms`. |
| `DAST_BROWSER_NAVIGATION_TIMEOUT` | Duration string | `15s` | The maximum amount of time to wait for a browser to navigate from one page to another. |
| `DAST_BROWSER_NUMBER_OF_BROWSERS` | number | `3` | The maximum number of concurrent browser instances to use. For instance runners on GitLab.com, we recommend a maximum of three. Private runners with more resources may benefit from a higher number, but are likely to see little additional benefit beyond five to seven instances. |
| `DAST_BROWSER_PAGE_LOADING_SELECTOR` | selector | `css:#page-is-loading` | Selector that, when no longer visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with `DAST_BROWSER_PAGE_READY_SELECTOR`. |
| `DAST_BROWSER_PAGE_READY_SELECTOR` | selector | `css:#page-is-ready` | Selector that, when detected as visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with `DAST_BROWSER_PAGE_LOADING_SELECTOR`. |
| `DAST_BROWSER_PASSIVE_CHECK_WORKERS` | int | `5` | Number of workers that run passive checks in parallel. Setting this to the number of available CPUs is recommended. |
| `DAST_BROWSER_SCAN` | boolean | `true` | Must be set to `true` to run a browser-based scan. |
| `DAST_BROWSER_SEARCH_ELEMENT_TIMEOUT` | Duration string | `3s` | The maximum amount of time to allow the browser to search for new elements or user actions. |
| `DAST_BROWSER_STABILITY_TIMEOUT` | Duration string | `7s` | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis. |
| `DAST_EXCLUDE_RULES` | string | `10020,10026` | Set to a comma-separated list of ZAP Vulnerability Rule IDs to exclude them from running during the scan. Rule IDs are numbers and can be found in the DAST log or on the ZAP project. |
| `DAST_EXCLUDE_URLS` | URLs | `https://example.com/.*/sign-out` | The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, `.*` matches an arbitrary character sequence. |
| `DAST_FF_ENABLE_BAS` | boolean | `true` | Set to `true` to enable Breach and Attack Simulation during this DAST scan. |
| `DAST_FIRST_SUBMIT_FIELD` | selector | `css:button[type='user-submit']` | A selector describing the element that is clicked on to submit the username form of a multi-page login process. Introduced in GitLab 12.4. |
| `DAST_FULL_SCAN_ENABLED` | boolean | `true` | Set to `true` to run both passive and active checks. Default: `false`. |
| `DAST_PASSWORD` | string | `P@55w0rd!` | The password to authenticate to the website with. |
| `DAST_PASSWORD_FIELD` | selector | `id:password` | A selector describing the element used to enter the password on the login form. |
| `DAST_PATHS` | string | `/page1.html,/category1/page3.html` | Limit the paths scanned to a provided list. Set to a comma-separated list of URL paths relative to `DAST_WEBSITE`. |
| `DAST_PATHS_FILE` | string | `/builds/project/urls.txt` | Limit the paths scanned to a provided list. Set to a file path containing a list of URL paths relative to `DAST_WEBSITE`. The file must be plain text with one path per line. |
| `DAST_PKCS12_CERTIFICATE_BASE64` | string | `ZGZkZ2p5NGd...` | The PKCS12 certificate used for sites that require Mutual TLS. Must be encoded as base64 text. |
| `DAST_PKCS12_PASSWORD` | string | `password` | The password of the certificate used in `DAST_PKCS12_CERTIFICATE_BASE64`. Create sensitive custom CI/CD variables using the GitLab UI. |
| `DAST_REQUEST_HEADERS` | string | `Cache-control:no-cache` | Set to a comma-separated list of request header names and values. |
| `DAST_SKIP_TARGET_CHECK` | boolean | `true` | Set to `true` to prevent DAST from checking that the target is available before scanning. Default: `false`. |
| `DAST_SUBMIT_FIELD` | selector | `css:button[type='submit']` | A selector describing the element clicked on to submit the login form for a single-page login form, or the password form for a multi-page login form. Introduced in GitLab 12.4. |
| `DAST_TARGET_AVAILABILITY_TIMEOUT` | number | `60` | Time limit in seconds to wait for target availability. |
| `DAST_USERNAME` | string | `admin` | The username to authenticate to the website with. |
| `DAST_USERNAME_FIELD` | selector | `name:username` | A selector describing the element used to enter the username on the login form. |
| `DAST_WEBSITE` | URL | `https://example.com` | The URL of the website to scan. |
| `SECURE_ANALYZERS_PREFIX` | URL | `registry.organization.com` | Set the Docker registry base address from which to download the analyzer. |
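The following `.gitlab-ci.yml` fragment is an added example, not part of this page or of GitLab's own template, showing how the variables in the table above combine into one authenticated browser-based scan. The `include` template path, the `dast` job and stage names, and the `gl-dast-report.json` report artifact are assumed from GitLab's standard DAST template; the hostnames, selectors and username are constructed placeholders. The password is deliberately absent from the file: `DAST_PASSWORD` is expected to be a masked, protected project variable created in the GitLab UI, as the table recommends for sensitive values.

```yaml
# Added example (not from the page): wiring the browser-based DAST variables
# into a CI job. Template path, job/stage names and the JSON report artifact
# are assumed from GitLab's standard DAST template.
include:
  - template: DAST.gitlab-ci.yml

dast:
  stage: dast
  variables:
    # Target and scope: only DAST_WEBSITE's hostname is in scope by default,
    # so the API host is added explicitly; the analytics host is dropped so
    # the scan never reaches a third party.
    DAST_WEBSITE: "https://staging.example.com"        # constructed placeholder
    DAST_BROWSER_SCAN: "true"
    DAST_BROWSER_ALLOWED_HOSTS: "api.staging.example.com"
    DAST_BROWSER_EXCLUDED_HOSTS: "analytics.example.com"

    # Form-based authentication. DAST_PASSWORD is intentionally NOT here;
    # it comes from a masked project variable defined in the GitLab UI.
    DAST_AUTH_URL: "https://staging.example.com/login"
    DAST_USERNAME: "dast-scanner"                       # constructed placeholder
    DAST_USERNAME_FIELD: "name:username"
    DAST_PASSWORD_FIELD: "id:password"
    DAST_SUBMIT_FIELD: "css:button[type='submit']"
    # Login is considered successful once the browser lands on this URL.
    DAST_AUTH_VERIFICATION_URL: "https://staging.example.com/dashboard"
    # Produce the authentication debug report (exposed as an artifact below).
    DAST_AUTH_REPORT: "true"

    # Keep the crawler from ending its own session: .* is a regular
    # expression wildcard, as described for DAST_EXCLUDE_URLS.
    DAST_EXCLUDE_URLS: "https://staging.example.com/.*/sign-out"

    # Run active checks as well as passive ones, but only against staging;
    # bound the crawl so a large site cannot run for the 24h default.
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_BROWSER_CRAWL_TIMEOUT: "30m"
    DAST_BROWSER_NUMBER_OF_BROWSERS: "3"
    DAST_BROWSER_CRAWL_GRAPH: "true"

    # Tag every request with a Via header so scan traffic is recognisable
    # in the target's access logs and can be filtered from alerting.
    DAST_ADVERTISE_SCAN: "true"

  artifacts:
    when: always
    paths:
      # Both files must be declared as artifacts to be retrievable, per the table.
      - gl-dast-debug-auth-report.html
      - gl-dast-crawl-graph.svg
    reports:
      dast: gl-dast-report.json   # assumed from GitLab's DAST template
```

All values are quoted because CI/CD variables are strings; `"true"` is what the boolean-typed variables expect. Overriding `artifacts:` in the job replaces the template's artifact definition, which is why the JSON report is re-declared alongside the debug report and crawl graph.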