Specific instructions are available for integrating Dastardly with the following CI/CD platforms:
You can integrate Dastardly with any CI/CD platform. Integration enables you to run Dastardly web vulnerability scans as a stage in your existing CI/CD pipeline.
For information on the machine specification required to run Dastardly scans, see the Dastardly system requirements.
To integrate Dastardly with your CI/CD pipeline, include the following docker run command in your pipeline script:
docker run --user $(id -u) --rm -v $(pwd):/dastardly -e \
BURP_START_URL=https://ginandjuice.shop -e \
BURP_REPORT_FILE_PATH=/dastardly/dastardly-report.xml \
public.ecr.aws/portswigger/dastardly:latest
You can set BURP_START_URL to a seed URL for any application you want to scan.
In this example, BURP_START_URL is set to https://ginandjuice.shop/ - this is a deliberately vulnerable web application designed for testing web vulnerability scanners.
The next time your pipeline runs, Dastardly will scan the application you have set under BURP_START_URL.
You need to set BURP_REPORT_FILE_PATH to a location mapped to a directory on your machine - as in the example above.
The example above uses $(pwd) to map the /dastardly volume to your present working directory.
The Dastardly output file is a JUnit XML report that can be parsed by any JUnit XML parser.
If you run the command above multiple times, you will overwrite the JUnit report written by Dastardly.
Dastardly scan results are available as a JUnit XML file when a scan is complete. Scans run for a maximum of ten minutes.
Dastardly scan results include remediation advice for any security issues they find. This advice includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.
Dastardly scan results include evidence for any security issues found. This evidence includes the request sent by Dastardly to produce the issue, as well as the response sent by the application.