Dastardly

Integrating Dastardly with TeamCity

  • Last updated: January 29, 2024

You can integrate Dastardly with TeamCity. This enables you to run Dastardly web vulnerability scans as a stage in your existing CI/CD pipeline.

This page contains instructions on how to integrate Dastardly with a simple example TeamCity CI/CD pipeline. These instructions have been tested with TeamCity 2022.04.4.

TeamCity agent requirements

Your TeamCity agent must have Docker configured to run containers.

No plugins beyond the TeamCity defaults are required to run Dastardly in a TeamCity CI/CD pipeline.

For information on the machine specification required to run Dastardly scans, see the Dastardly system requirements.

Creating the settings file

  1. Configure access from TeamCity to the repository where your settings.kts file is stored.

  2. Add the following content to your settings.kts file:

    import jetbrains.buildServer.configs.kotlin.*
    import jetbrains.buildServer.configs.kotlin.buildSteps.ScriptBuildStep
    import jetbrains.buildServer.configs.kotlin.buildSteps.script

    version = "2022.04"

    project {
        description = "Contains all other projects"
        buildType(DastardlyScan)
    }

    object DastardlyScan : BuildType({
        name = "Dastardly from Burp Suite Scan"

        vcs {
            cleanCheckout = true
        }

        // Parse the JUnit-format report Dastardly writes so findings appear as failed tests.
        features {
            feature {
                type = "xml-report-plugin"
                param("xmlReportParsing.reportType", "junit")
                param("xmlReportParsing.reportDirs", "+:**/reports/**.xml")
            }
        }

        steps {
            // Run the scan inside the official Dastardly container on the agent's Docker.
            script {
                name = "Dastardly from Burp Suite Scan"
                dockerImage = "public.ecr.aws/portswigger/dastardly:latest"
                dockerPull = true
                dockerImagePlatform = ScriptBuildStep.ImagePlatform.Linux
                // The scan target and the report location are passed to the container as environment variables.
                dockerRunParameters = """
                    -e BURP_START_URL=https://ginandjuice.shop/
                    -e BURP_REPORT_FILE_PATH=%teamcity.build.checkoutDir%/reports/dastardly-report.xml
                """.trimIndent()
                // The working directory defaults to the checkout directory, so both paths resolve to the same reports/ folder.
                scriptContent = """
                    mkdir -p %system.teamcity.build.workingDir%/reports
                    docker-entrypoint.sh dastardly
                """.trimIndent()
            }
        }

        // Publish the report as a build artifact so it can be downloaded after the run.
        artifactRules = """
            reports/** => reports
        """.trimIndent()
    })

Note

You can set BURP_START_URL to a seed URL for any application you want to scan. Only scan applications that you own or are authorized to test.

In this example, BURP_START_URL is set to https://ginandjuice.shop/. This is a deliberately vulnerable web application designed for testing web vulnerability scanners.

The next time your pipeline runs, Dastardly scans the application set under BURP_START_URL and writes the report to the path set under BURP_REPORT_FILE_PATH.

Configuring the TeamCity pipeline

  1. From the main TeamCity interface, click New project... and choose an appropriate place in your project hierarchy.

  2. Ensure that Manually is selected.

  3. Give your project a Name. You can also add a Description.

  4. Click Create.

    Creating a new TeamCity project.
  5. Click Versioned Settings.

  6. Select Synchronization enabled.

  7. Under Project settings VCS Root, click Create VCS root or use an existing option from the Project Settings VCS root drop down.

  8. Ensure Settings format is set to Kotlin.

  9. Click Apply.

  10. From the Existing Project Settings Detected pop-up, click Import settings from VCS.

    Importing settings from VCS in TeamCity.

Viewing Dastardly scan results in TeamCity

  1. Run your TeamCity project containing Dastardly, and allow the scan to complete. Scans run for a maximum of ten minutes.

  2. From the main TeamCity interface, click on your project containing Dastardly.

  3. Under Dastardly from Burp Suite Scan, click on the build containing your scan.

  4. Click Tests. Here you can see any failed tests. See more details of a failed test by clicking on it.
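The xml-report-plugin feature above turns every Dastardly finding into a failed TeamCity test, so by default any finding fails the build. If you want a different gate, for example failing only on findings at or above a chosen severity, you can add a second script step that parses the report yourself. The script below is an added example and is not part of the original page or of Dastardly itself. It assumes the report follows the generic JUnit XML layout (testsuite, testcase, failure) that the feature is configured to parse, and it assumes, for the constructed sample embedded in the block, that each failure's message attribute carries a line of the form "Severity: High"; a failure whose severity cannot be read is treated as blocking rather than ignored.

```python
"""Gate a CI build on findings in a JUnit-format scan report.

Added example, not code from the Dastardly or TeamCity documentation.
Assumptions are marked in comments.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the generic JUnit XML shape. The "Severity: ..." text in the
# failure message is an assumption made for this example, not a documented Dastardly format.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="https://ginandjuice.shop/" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)" classname="https://ginandjuice.shop/catalog">
      <failure message="Severity: High" type="Cross-site scripting (reflected)">constructed evidence</failure>
    </testcase>
    <testcase name="Strict transport security not enforced" classname="https://ginandjuice.shop/">
      <failure message="Severity: Low" type="Strict transport security not enforced">constructed evidence</failure>
    </testcase>
    <testcase name="SQL injection" classname="https://ginandjuice.shop/filter"/>
  </testsuite>
</testsuites>
"""

# Ordering used for the threshold comparison; anything unrecognised ranks as unknown.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
SEVERITY_RE = re.compile(r"Severity:\s*([A-Za-z]+)", re.IGNORECASE)


def parse_findings(xml_text):
    """Return one dict per failed testcase: name, target and parsed severity.

    Testcases without a <failure> child passed and are skipped. The XML is produced
    by our own pipeline step, so the standard-library parser is acceptable here.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for testcase in root.iter("testcase"):
        failure = testcase.find("failure")
        if failure is None:
            continue
        message = failure.get("message") or ""
        match = SEVERITY_RE.search(message)
        severity = match.group(1).lower() if match else "unknown"
        findings.append({
            "name": testcase.get("name", ""),
            "target": testcase.get("classname", ""),
            "severity": severity,
        })
    return findings


def blocking_findings(findings, threshold="high"):
    """Return the findings that should fail the build for the given threshold.

    A finding with an unparseable severity is treated as blocking (fail closed),
    so a format change in the report cannot silently disable the gate.
    """
    floor = SEVERITY_RANK[threshold.lower()]
    blocking = []
    for finding in findings:
        rank = SEVERITY_RANK.get(finding["severity"])
        if rank is None or rank >= floor:
            blocking.append(finding)
    return blocking


def main(argv):
    # Usage: gate.py <report.xml> [threshold]; exit code 1 fails the TeamCity build step.
    if len(argv) < 2:
        print("usage: gate.py <report.xml> [info|low|medium|high]", file=sys.stderr)
        return 2
    threshold = argv[2] if len(argv) > 2 else "high"
    try:
        with open(argv[1], encoding="utf-8") as handle:
            findings = parse_findings(handle.read())
    except (OSError, ET.ParseError) as exc:
        # A missing or malformed report also fails the gate rather than passing silently.
        print(f"could not read report: {exc}", file=sys.stderr)
        return 1
    blocking = blocking_findings(findings, threshold)
    for finding in blocking:
        print(f"[{finding['severity']}] {finding['name']} at {finding['target']}")
    print(f"{len(findings)} finding(s), {len(blocking)} at or above '{threshold}'")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this would run as a second script step after the scan, in the agent's default environment rather than inside the Dastardly container, pointed at reports/dastardly-report.xml. If you use it in place of the default "fail on any failed test" behaviour, adjust the build's failure conditions accordingly; otherwise the xml-report-plugin feature will still fail the build on every finding.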

Remediation advice

You can see remediation advice for security issues that Dastardly finds under Stacktrace. This includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.

Remediation advice for a security issue found by Dastardly, shown in TeamCity.

Evidence

You can see evidence for security issues that Dastardly finds under Stacktrace. This evidence includes the request sent by Dastardly to produce the issue, as well as the response sent by the application.

Evidence for a security issue found by Dastardly, shown in TeamCity.
