Available CI/CD variables
These CI/CD variables are specific to the browser-based DAST analyzer. They can be used to customize the behavior of DAST to your requirements.
Scanner behavior
These variables control how the scan is conducted and where its results are stored.
| CI/CD variable | Type | Example | Description |
|---|---|---|---|
DAST_CHECKS_TO_EXCLUDE | string | 552.2,78.1 | Comma-separated list of check identifiers to exclude from the scan. For identifiers, see vulnerability checks. |
DAST_CHECKS_TO_RUN | List of strings | 16.1,16.2,16.3 | Comma-separated list of check identifiers to use for the scan. For identifiers, see vulnerability checks. |
DAST_CRAWL_GRAPH | boolean | true | Set to true to generate an SVG graph of navigation paths visited during crawl phase of the scan. You must also define gl-dast-crawl-graph.svg as a CI job artifact to be able to access the generated graph. Defaults to false. |
DAST_FULL_SCAN | boolean | true | Set to true to run both passive and active checks. Default is false. |
DAST_LOG_BROWSER_OUTPUT | boolean | true | Set to true to log Chromium STDOUT and STDERR. |
DAST_LOG_CONFIG | List of strings | brows:debug,auth:debug | A list of modules and their intended logging level for use in the console log. |
DAST_LOG_DEVTOOLS_CONFIG | string | Default:messageAndBody,truncate:2000 | Set to log protocol messages between DAST and the Chromium browser. |
DAST_LOG_FILE_CONFIG | List of strings | brows:debug,auth:debug | A list of modules and their intended logging level for use in the file log. |
DAST_LOG_FILE_PATH | string | /output/browserker.log | Set to the path of the file log. Default is gl-dast-scan.log. |
SECURE_ANALYZERS_PREFIX | URL | registry.organization.com | Set the Docker registry base address from which to download the analyzer. |
Elements, actions, and timeouts
These variables tell the scanner where to look for certain elements, which actions to take, and how long to wait for operations to complete.
| CI/CD variable | Type | Example | Description |
|---|---|---|---|
DAST_ACTIVE_SCAN_TIMEOUT | Duration string | 3h | The maximum amount of time to wait for the active scan phase of the scan to complete. Defaults to 3h. |
DAST_ACTIVE_SCAN_WORKER_COUNT | number | 3 | The number of active checks to run in parallel. Defaults to 3. |
DAST_CRAWL_EXTRACT_ELEMENT_TIMEOUT | Duration string | 5s | The maximum amount of time to allow the browser to extract newly found elements or navigations. Defaults to 5s. |
DAST_CRAWL_MAX_ACTIONS | number | 10000 | The maximum number of actions that the crawler performs. Example actions include selecting a link, or filling out a form. Defaults to 10000. |
DAST_CRAWL_MAX_DEPTH | number | 10 | The maximum number of chained actions that the crawler takes. For example, Click, Form Fill, Click is a depth of three. Defaults to 10. |
DAST_CRAWL_SEARCH_ELEMENT_TIMEOUT | Duration string | 3s | The maximum amount of time to allow the browser to search for new elements or user actions. Defaults to 3s. |
DAST_CRAWL_TIMEOUT | Duration string | 5m | The maximum amount of time to wait for the crawl phase of the scan to complete. Defaults to 24h. |
DAST_CRAWL_WORKER_COUNT | number | 3 | The maximum number of concurrent browser instances to use. For instance runners on GitLab.com, we recommended a maximum of three. Private runners with more resources may benefit from a higher number, but are likely to produce little benefit after five to seven instances. The default value is dynamic, equal to the number of usable logical CPUs. |
DAST_PAGE_DOM_READY_TIMEOUT | Duration string | 7s | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after a navigation completes. Defaults to 6s. |
DAST_PAGE_DOM_STABLE_WAIT | Duration string | 200ms | Define how long to wait for updates to the DOM before checking a page is stable. Defaults to 500ms. |
DAST_PAGE_ELEMENT_READY_TIMEOUT | Duration string | 600ms | The maximum amount of time to wait for an element before determining it is ready for analysis. Defaults to 300ms. |
DAST_PAGE_IS_LOADING_ELEMENT | selector | css:#page-is-loading | Selector that, when no longer visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_READY_ELEMENT. |
DAST_PAGE_IS_READY_ELEMENT | selector | css:#page-is-ready | Selector that when detected as visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_LOADING_ELEMENT. |
DAST_PAGE_MAX_RESPONSE_SIZE_MB | number | 15 | The maximum size of a HTTP response body. Responses with bodies larger than this are blocked by the browser. Defaults to 10 MB. |
DAST_PAGE_READY_AFTER_ACTION_TIMEOUT | Duration string | 7s | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis. Defaults to 7s. |
DAST_PAGE_READY_AFTER_NAVIGATION_TIMEOUT | Duration string | 15s | The maximum amount of time to wait for a browser to navigate from one page to another. Defaults to 15s. |
DAST_PASSIVE_SCAN_WORKER_COUNT | int | 5 | Number of workers that passive scan in parallel. Defaults to the number of available CPUs. |
DAST_PKCS12_CERTIFICATE_BASE64 | string | ZGZkZ2p5NGd... | The PKCS12 certificate used for sites that require Mutual TLS. Must be encoded as base64 text. |
DAST_PKCS12_PASSWORD | string | password | The password of the certificate used in DAST_PKCS12_CERTIFICATE_BASE64. Create sensitive custom CI/CI variables using the GitLab UI. |
DAST_REQUEST_ADVERTISE_SCAN | boolean | true | Set to true to add a Via: GitLab DAST <version> header to every request sent, advertising that the request was sent as part of a GitLab DAST scan. Default: false. |
DAST_REQUEST_COOKIES | dictionary | abtesting_group:3,region:locked | A cookie name and value to be added to every request. |
DAST_REQUEST_HEADERS | String | Cache-control:no-cache | Set to a comma-separated list of request header names and values. The following headers are not supported: content-length, cookie2, keep-alive, hosts, trailer, transfer-encoding, and all headers with a proxy- prefix. |
DAST_SCOPE_ALLOW_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are considered in scope when crawled. By default the DAST_TARGET_URL hostname is included in the allowed hosts list. Headers set using DAST_REQUEST_HEADERS are added to every request made to these hostnames. |
DAST_SCOPE_EXCLUDE_ELEMENTS | selector | a[href='2.html'],css:.no-follow | Comma-separated list of selectors that are ignored when scanning. |
DAST_SCOPE_EXCLUDE_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are considered excluded and connections are forcibly dropped. |
DAST_SCOPE_IGNORE_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are accessed, not attacked, and not reported against. |
DAST_TARGET_CHECK_SKIP | boolean | true | Set to true to prevent DAST from checking that the target is available before scanning. Default: false. |
DAST_TARGET_CHECK_TIMEOUT | number | 60 | Time limit in seconds to wait for target availability. Default: 60s. |
DAST_TARGET_PATHS_FILE | string | /builds/project/urls.txt | Ensures that the provided paths are always scanned. Set to a file path containing a list of URL paths relative to DAST_TARGET_URL. The file must be plain text with one path per line. |
DAST_TARGET_PATHS | string | /page1.html,/category1/page3.html | Ensures that the provided paths are always scanned. Set to a comma-separated list of URL paths relative to DAST_TARGET_URL. |
DAST_TARGET_URL | URL | https://site.com | The URL of the website to scan. |
DAST_USE_CACHE | boolean | true | Set to false to disable caching. Default: true. Note: Disabling cache can cause OOM events or DAST job timeouts. |
Authentication
These variables tell the scanner how to authenticate with your application.
| CI/CD variable | Type | Example | Description |
|---|---|---|---|
DAST_AUTH_AFTER_LOGIN_ACTIONS | string | click(on=id:remember-me),click(on=css:.continue) | A comma-separated list of actions to be run after login but before login verification. Currently supports click actions. |
DAST_AUTH_BEFORE_LOGIN_ACTIONS | selector | css:.user,id:show-login-form | A comma-separated list of selectors representing elements to click on prior to entering the DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD into the login form. |
DAST_AUTH_CLEAR_INPUT_FIELDS | boolean | true | Disables clearing of username and password fields before attempting manual login. Set to false by default. |
DAST_AUTH_COOKIE_NAMES | string | sessionID,groupName | Set to a comma-separated list of cookie names to specify which cookies are used for authentication. |
DAST_AUTH_FIRST_SUBMIT_FIELD | selector | css:input[type=submit] | A selector describing the element that is clicked on to submit the username form of a multi-page login process. |
DAST_AUTH_NEGOTIATE_DELEGATION | string | *.example.com,example.com,*.EXAMPLE.COM,EXAMPLE.COM | Which servers should be allowed for integrated authentication and delegation. This property sets two Chromium policies: AuthServerAllowlist and AuthNegotiateDelegateAllowlist. Introduced in GitLab 17.6. |
DAST_AUTH_PASSWORD | String | P@55w0rd! | The password to authenticate to in the website. |
DAST_AUTH_PASSWORD_FIELD | selector | name:password | A selector describing the element used to enter the password on the login form. |
DAST_AUTH_SUBMIT_FIELD | selector | css:input[type=submit] | A selector describing the element clicked on to submit the login form for a single-page login form, or the password form for a multi-page login form. |
DAST_AUTH_SUCCESS_IF_AT_URL | URL | https://www.site.com/welcome | A URL that is compared to the URL in the browser to determine if authentication has succeeded after the login form is submitted. |
DAST_AUTH_SUCCESS_IF_ELEMENT_FOUND | selector | css:.user-avatar | A selector describing an element whose presence is used to determine if authentication has succeeded after the login form is submitted. |
DAST_AUTH_SUCCESS_IF_NO_LOGIN_FORM | boolean | true | Verifies successful authentication by checking for the absence of a login form after the login form has been submitted. This success check is enabled by default. |
DAST_AUTH_TYPE | string | basic-digest | The authentication type to use. |
DAST_AUTH_URL | URL | https://www.site.com/login | The URL of the page containing the login form on the target website. DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD are submitted with the login form to create an authenticated scan. |
DAST_AUTH_USERNAME | string | user@email.com | The username to authenticate to in the website. |
DAST_AUTH_USERNAME_FIELD | selector | name:username | A selector describing the element used to enter the username on the login form. |
DAST_SCOPE_EXCLUDE_URLS | URLs | https://site.com/.*/sign-out | The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, .* matches an arbitrary character sequence. |
DAST_AUTH_REPORT | boolean | true | Set to true to generate a report detailing steps taken during the authentication process. You must also define gl-dast-debug-auth-report.html as a CI job artifact to be able to access the generated report. The report’s content aids when debugging authentication failures. Defaults to false. |
Docs
Edit this page to fix an error or add an improvement in a merge request.
Create an issue to suggest an improvement to this page.
Product
Create an issue if there's something you don't like about this feature.
Propose functionality by submitting a feature request.
Feature availability and product trials
View pricing to see all GitLab tiers and features, or to upgrade.
Try GitLab for free with access to all features for 30 days.
Get help
If you didn't find what you were looking for, search the docs.
If you want help with something specific and could use community support, post on the GitLab forum.
For problems setting up or using this feature (depending on your GitLab subscription).
Request support
