sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity
Files
0428cba2b890ad5386cf125d9112232eb83e97bf
compliance-scanner-agent/docs/features/dast.md
Sharang Parnerkar c253e4ef5e
Some checks failed
CI / Clippy (push) Failing after 2m49s
Details
CI / Security Audit (push) Has been skipped
Details
CI / Tests (push) Has been skipped
Details
CI / Detect Changes (push) Has been skipped
Details
CI / Format (pull_request) Successful in 3s
Details
CI / Clippy (pull_request) Failing after 2m52s
Details
CI / Security Audit (pull_request) Has been skipped
Details
CI / Tests (pull_request) Has been skipped
Details
CI / Format (push) Successful in 3s
Details
CI / Deploy Agent (push) Has been skipped
Details
CI / Deploy Dashboard (push) Has been skipped
Details
CI / Deploy Docs (push) Has been skipped
Details
CI / Deploy MCP (push) Has been skipped
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been skipped
Details
CI / Deploy Dashboard (pull_request) Has been skipped
Details
CI / Deploy Docs (pull_request) Has been skipped
Details
CI / Deploy MCP (pull_request) Has been skipped
Details
docs: rewrite user docs, fix modal scroll, webhook URL, and sccache 
Rewrite all public documentation to be user-facing only:
- Remove deployment, configuration, and self-hosting sections
- Add guide pages for SBOM, issues, webhooks & PR reviews
- Add reference pages for glossary and tools/scanners
- Add 12 screenshots from live dashboard
- Explain MCP, LLM triage, false positives, human-in-the-loop

Fix edit repository modal not scrollable (max-height + overflow-y).
Show full webhook URL using window.location.origin instead of path.
Unset RUSTC_WRAPPER in agent cargo commands to avoid sccache errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-11 14:17:46 +01:00

82 lines
3.0 KiB
Markdown
Raw Blame History

# DAST Scanning
DAST (Dynamic Application Security Testing) performs black-box security testing against live web applications and APIs. Unlike SAST which analyzes source code, DAST tests running applications by sending crafted requests and analyzing responses for vulnerabilities.
## DAST Overview
Navigate to **DAST** in the sidebar to see the overview page.
![DAST overview with scan runs and finding counts](/screenshots/dast-overview.png)
The overview shows:
- Total DAST scans performed
- Total DAST findings discovered
- Number of active targets
- Recent scan run history with status, phase, and finding counts
## Managing Targets
Navigate to **DAST > Targets** to configure applications to test.
### Adding a Target
1. Enter a **target name** (descriptive label)
2. Enter the **base URL** (e.g. `https://staging.example.com`)
3. Click **Add Target**
### Target Settings
Each target supports these settings:
| Setting | Description |
|---------|-------------|
| **Target Type** | WebApp, REST API, or GraphQL |
| **Max Crawl Depth** | How many link levels to follow |
| **Rate Limit** | Maximum requests per second |
| **Destructive Tests** | Allow DELETE/PUT requests |
| **Excluded Paths** | URL paths to skip during testing |
### Authentication
DAST supports authenticated scanning so it can test pages behind login:
| Method | Description |
|--------|------------|
| **None** | No authentication |
| **Basic** | HTTP Basic Auth with username and password |
| **Bearer** | Bearer token in the Authorization header |
| **Cookie** | Session cookie value |
| **Form** | Login form with URL, field names, and credentials |
::: warning
Authenticated scans access more of the application surface. Only test applications you own or have explicit authorization to test.
:::
## Running a DAST Scan
Click the **Scan** button on any target row. The scan progresses through:
1. **Crawl** -- discovers pages, forms, and API endpoints by following links and analyzing JavaScript
2. **Test** -- sends attack payloads to discovered parameters
3. **Report** -- collects results and generates findings
## Viewing DAST Findings
Navigate to **DAST > Findings** to see all discovered vulnerabilities. Each finding shows:
| Column | Description |
|--------|-------------|
| Severity | Critical, High, Medium, or Low |
| Type | Vulnerability category (SQL Injection, XSS, SSRF, etc.) |
| Title | Description of the vulnerability |
| Endpoint | The HTTP path that is vulnerable |
| Method | HTTP method (GET, POST, PUT, DELETE) |
| Exploitable | Whether the vulnerability was confirmed exploitable |
Click a finding to see full details including the CWE identifier, vulnerable parameter, remediation guidance, and evidence showing the exact request/response pairs that triggered the finding.
::: tip
Findings marked as **Confirmed** exploitable were verified with a successful attack payload. **Unconfirmed** findings show suspicious behavior that may indicate a vulnerability but could not be fully exploited.
:::
Reference in New Issue View Git Blame Copy Permalink