Dastardly
Integrating Dastardly with your CI/CD platform (generic instructions)
Last updated: January 29, 2024
Note
Platform-specific instructions are also available for a number of individual CI/CD platforms. The generic steps below apply to any platform.
You can integrate Dastardly with any CI/CD platform. Integration enables you to run Dastardly web vulnerability scans as a stage in your existing CI/CD pipeline.
For information on the machine specification required to run Dastardly scans, see the Dastardly system requirements.
To integrate Dastardly with your CI/CD pipeline, include the following docker run command in your pipeline script:
docker run --user $(id -u) --rm -v "$(pwd)":/dastardly -e \
BURP_START_URL=https://ginandjuice.shop -e \
BURP_REPORT_FILE_PATH=/dastardly/dastardly-report.xml \
public.ecr.aws/portswigger/dastardly:latest
Note
You can set BURP_START_URL to a seed URL for any application you want to scan. In this example, BURP_START_URL is set to https://ginandjuice.shop, a deliberately vulnerable web application designed for testing web vulnerability scanners. The next time your pipeline runs, Dastardly will scan the application you have set under BURP_START_URL.
Note
You need to set BURP_REPORT_FILE_PATH to a location inside a volume that is mapped to a directory on your machine, as in the example above. The example uses $(pwd) to map the /dastardly volume to your present working directory, and --user $(id -u) runs the container as your own user ID, so the report is written to the mounted directory with your ownership. The mounted directory must be writable by that user, or the scan will be unable to write its report.
The Dastardly output file is a JUnit XML report that can be parsed by any JUnit XML parser.
If you run the command above multiple times, you will overwrite the JUnit report written by Dastardly.
Dastardly scan results
Dastardly scan results are available as a JUnit XML file when a scan is complete. Scans run for a maximum of ten minutes.
Remediation advice
Dastardly scan results include remediation advice for any security issues they find. This advice includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.
Evidence
Dastardly scan results include evidence for any security issues found. This evidence includes the request sent by Dastardly to produce the issue, as well as the response sent by the application.
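Because the report is standard JUnit XML, the pipeline can gate on it rather than just archive it. The following script is an added example, not part of the Dastardly documentation or the Dastardly project: it parses a report, lists each failed test case (one per reported issue) with the failure body that carries the evidence and remediation text, and returns a non-zero exit code when any issue remains after an explicit allowlist. The sample report embedded in it is constructed for the example and follows the generic testsuite/testcase/failure layout; the exact suite, case and attribute names Dastardly writes are not specified on this page and are assumptions here.

```python
"""Gate a CI job on a Dastardly JUnit XML report (added example, not PortSwigger code)."""
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report in generic JUnit XML layout. Element and attribute
# names beyond the JUnit basics (testsuite/testcase/failure) are assumptions.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="https://ginandjuice.shop" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)" classname="https://ginandjuice.shop/catalog">
      <failure message="Cross-site scripting (reflected)">Evidence: GET /catalog?search=... (request/response omitted in sample)
Remediation: see Web Security Academy, cross-site scripting</failure>
    </testcase>
    <testcase name="SQL injection" classname="https://ginandjuice.shop/catalog/filter">
      <failure message="SQL injection">Evidence: GET /catalog/filter?category=... (request/response omitted in sample)
Remediation: see Web Security Academy, SQL injection</failure>
    </testcase>
    <testcase name="Crawl" classname="https://ginandjuice.shop"/>
  </testsuite>
</testsuites>
"""


@dataclass(frozen=True)
class Finding:
    suite: str      # testsuite name (the scanned target in the sample)
    name: str       # testcase name (the issue type in the sample)
    location: str   # testcase classname (the affected URL in the sample)
    detail: str     # failure body: evidence and remediation text


def parse_report(xml_text: str) -> list[Finding]:
    """Return one Finding per <failure> or <error> in any <testsuite> of the report."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    # iter() covers both a <testsuites> wrapper and a bare <testsuite> root.
    for suite in root.iter("testsuite"):
        for case in suite.findall("testcase"):
            for fail in case.findall("failure") + case.findall("error"):
                findings.append(Finding(
                    suite=suite.get("name", ""),
                    name=case.get("name", ""),
                    location=case.get("classname", ""),
                    detail=(fail.text or "").strip(),
                ))
    return findings


def gate(xml_text: str, allowlist: frozenset[str] = frozenset()) -> tuple[int, list[Finding]]:
    """Return (exit_code, blocking_findings). Only issue names listed in
    allowlist are ignored; anything else fails the build (exit code 1)."""
    blocking = [f for f in parse_report(xml_text) if f.name not in allowlist]
    return (1 if blocking else 0), blocking


def gate_file(path: str, allowlist: frozenset[str] = frozenset()) -> int:
    """Read a report from disk. A missing or unparseable report is treated as a
    failure, so a scan that never wrote its output cannot pass silently."""
    try:
        with open(path, encoding="utf-8") as fh:
            xml_text = fh.read()
    except OSError as exc:
        print(f"report not found: {exc}", file=sys.stderr)
        return 2
    try:
        code, blocking = gate(xml_text, allowlist)
    except ET.ParseError as exc:
        print(f"report is not valid XML: {exc}", file=sys.stderr)
        return 2
    for f in blocking:
        print(f"[{f.suite}] {f.name} at {f.location}\n  {f.detail}")
    print(f"{len(blocking)} blocking issue(s)")
    return code


if __name__ == "__main__":
    # Usage: python gate_dastardly.py dastardly-report.xml [allowed issue name ...]
    report_path = sys.argv[1] if len(sys.argv) > 1 else "dastardly-report.xml"
    sys.exit(gate_file(report_path, frozenset(sys.argv[2:])))
```

Run it as a pipeline step immediately after the docker run command, pointing it at the file named in BURP_REPORT_FILE_PATH. Keep the allowlist empty by default and add issue names only as a deliberate, reviewed decision; the script deliberately exits non-zero for a missing or malformed report because a scan that timed out or could not write to the mounted directory should block the build, not pass it.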