DevSecOps - DAST scanning in Azure DevOps

One of the elements of DevSecOps pipeline is DAST (Dynamic Application Security Testing) scanning. In this post, we will scan a web application with Dastardly recently released by PortSwigger (producer of Burp Suite Enterprise Edition and Burp Suite Professional) as part of the Azure DevOps pipeline.
To find out more about the Dastardly tool, please visit the documentation page.
Dastardly is coming as a docker image which is very handy for a modular approach and can be run as a simple pipeline task. The entire pipeline is available in DBAinTheCloud GitHub repository. For demo purposes, we will scan a sample vulnerable page https://ginandjuice.shop
, the url is parametrised in the pipeline so you can start scanning your web application straight away.
- task: CmdLine@2
displayName: Run DAST scan with dastardly
inputs:
script: |
docker run --user $(id -u) --rm -v $(pwd):/dastardly -e \
DASTARDLY_TARGET_URL=$(url_to_scan) -e \
DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml \
public.ecr.aws/portswigger/dastardly:latest
true
failOnStderr: false
workingDirectory: '$(Build.SourcesDirectory)'
After the scan results are ready we will publish them to Azure DevOps.
- task: PublishTestResults@2
displayName: Publish Test Results
inputs:
testResultsFormat: 'JUnit'
testResultsFiles: '**/dastardly-report.xml'
Congratulation!
After a successful scan, we can review the results in Azure DevOps and fix security vulnerabilities.

Limitations
Dastardly is a free tool, very easy to implement however it is coming with some limitations. It is not supporting authentication scans and is limited to 10 min per scan. If you need those features you will have to look for a more advanced solution.
If you need help with implementing a DevSecOps program and adding a security twist to your DevOps CI/CD pipelines get in touch.