DevSecOps - DAST scanning in Azure DevOps

Posted by Nikos Tsirmirakis on 2022-11-28

One of the elements of a DevSecOps pipeline is DAST (Dynamic Application Security Testing) scanning. In this post, we will scan a web application with Dastardly, recently released by PortSwigger (the producer of Burp Suite Enterprise Edition and Burp Suite Professional), as part of an Azure DevOps pipeline.

To find out more about the Dastardly tool, please visit the documentation page.

Dastardly ships as a Docker image, which is very handy for a modular approach, and can be run as a simple pipeline task. The entire pipeline is available in the DBAinTheCloud GitHub repository. For demo purposes, we will scan a sample vulnerable site, https://ginandjuice.shop; the URL is parametrised in the pipeline, so you can start scanning your own web application straight away.


    - task: CmdLine@2
      displayName: Run DAST scan with dastardly
      inputs:
        script: |
          # Run as the current uid so the report written into the mounted
          # working directory is owned by the agent user, not root.
          docker run --user $(id -u) --rm -v $(pwd):/dastardly -e \
          DASTARDLY_TARGET_URL=$(url_to_scan) -e \
          DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml \
          public.ecr.aws/portswigger/dastardly:latest
          # 'true' forces a zero exit code so the job continues to the
          # publish step even when the scan reports issues.
          true
        failOnStderr: false
        workingDirectory: '$(Build.SourcesDirectory)'

After the scan results are ready, we publish them to Azure DevOps as JUnit test results.


    - task: PublishTestResults@2
      displayName: Publish Test Results
      inputs:
        testResultsFormat: 'JUnit'
        testResultsFiles: '**/dastardly-report.xml'

Congratulations!

After a successful scan, we can review the results in Azure DevOps and fix the security vulnerabilities it found.
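Because the scan step above ends with `true`, the job stays green no matter what Dastardly reports. As an added example (not code from the post or from PortSwigger), here is a small gate script that reads the JUnit report and fails the job when a finding at or above a chosen severity is present. The sample XML is constructed, and the assumption that each finding appears as a `<testcase>` with a `<failure>` whose `type` attribute carries the severity should be checked against a real `dastardly-report.xml`.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the JUnit layout that PublishTestResults@2 consumes.
# ASSUMPTION: one <testcase> per check, a <failure> child for each finding,
# with the severity in the failure's "type" attribute. Verify against a real
# dastardly-report.xml and adjust the lookup below if the layout differs.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="https://app.example/" tests="3" failures="2">
    <testcase name="Reflected input in response" classname="https://app.example/search">
      <failure message="Severity: High" type="High">constructed details</failure>
    </testcase>
    <testcase name="HSTS header missing" classname="https://app.example/">
      <failure message="Severity: Low" type="Low">constructed details</failure>
    </testcase>
    <testcase name="robots.txt present" classname="https://app.example/robots.txt"/>
  </testsuite>
</testsuites>
"""

# Severity ordering used for the gate threshold.
RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def findings(junit_xml: str):
    """Return (issue name, severity) for every testcase that carries a <failure>."""
    root = ET.fromstring(junit_xml)
    out = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue  # check passed, nothing to report
        severity = (failure.get("type") or "info").lower()
        out.append((case.get("name", "?"), severity))
    return out


def should_fail(junit_xml: str, threshold: str = "medium") -> bool:
    """True when at least one finding is at or above the threshold severity."""
    limit = RANK[threshold.lower()]
    return any(RANK.get(sev, 0) >= limit for _, sev in findings(junit_xml))


if __name__ == "__main__":
    # Usage in the pipeline: python dast_gate.py dastardly-report.xml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    for name, sev in findings(xml_text):
        print(f"[{sev.upper()}] {name}")
    sys.exit(1 if should_fail(xml_text) else 0)
```

Add it as a step between the scan and the publish task; a non-zero exit fails the job, so the report is still uploaded only if the publish task has `condition: always()` set.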

Limitations

Dastardly is a free tool and very easy to implement; however, it comes with some limitations. It does not support authenticated scans and is limited to 10 minutes per scan. If you need those features, you will have to look for a more advanced solution.

If you need help with implementing a DevSecOps program and adding a security twist to your DevOps CI/CD pipelines, get in touch.