Installing the DAST CLI in a Pipeline
You can integrate DAST with your favorite CI/CD pipelines. This section explains how the DAST CLI can be installed in a pipeline.
To run a DAST Scan, you need an outbound connection to Checkmarx One so we can upload the results. To do so, we must ensure we can connect to the following IP (for BETA version-> Canary). For more information, see Whitelisting IPs for Checkmarx One's outgoing traffic.
3.126.230.210
3.74.225.192
3.120.214.171
When running the DAST CLI, you have the following available commands/flags available:
Usage:
Glossary
- Executes a DAST api scan
Usage: dast api [flags]
Flags:
-h, --help help for api
--openapi string path to the openapi file
--postman string path to the postman file
- Executes a DAST web scan
Usage: dast web [flags]
Flags: -h, --help help for web
- Generate a DAST configuration file
Usage: dast generate [command]
Available Commands:
form-auth
json-auth
no-auth
Flags:
-h, --help help for generate
Global Flags:
Glossary
- --base-url <string>
CxOne Servers base URL.
- --config <string>
Path to the config file.
- --environment-id <string>
The ID of the environment previously created in the CxOne Frontend.
- --fail-on <string>
Lowest severity in the results to fail the execution of the DAST-CLI (all, low, info, medium, high, Critical).
- -h, --help
Help for DAST.
- --jvm-properties <string> (Default - "-Xmx3G")
Path to the jvm properties file.
- --log-level <string> (Default - "info")
Log level.
- --output <string>
Path to the output directory.
- --proxy-port <string>
Override the host port used for proxying.
- --proxy-url <string>
Override the host used for proxying.
- --retry-delay <int> (Default - 20)
Time between retries in seconds, use with
--retry.- --retry <int> (Default - 3)
Retry requests to AST on connection failure.
- --timeout <int> (Default - 10000)
DAST scan timeout in seconds.
- --update-interval <int> (Default - 30)
Update interval in seconds.
- --verbose
Print logs to stdout.
The following CI/CD pipelines integrate with DAST:
Note
Click here for a full list of DAST docker tags: Docker Tags.
To run Checkmarx DAST as a Docker image:
Download the Docker image. In your terminal, enter the command docker pull checkmarx/dast:latest to use the last updated version. If you want to download a specific version, you can replace it with the version you want to download; for example, docker pull checkmarx/dast:1.0.1.
Open the terminal and access the folder where the configuration and Swagger files (for an API scan) are located.
Run the following command to start the DAST scan from the docker image:
API Scan Example
docker run -e CX_APIKEY=$API_MASTER_KEY \ -v $(pwd):/demo checkmarx/dast:latest \ api \ --environment-id=889259e2-c24b-4dc7-99f5-67009c43e73c \ --config=/demo/zap_config_api.yaml \ --base-url=https://urlCxOne.com/ \ --output=/demo/test_output \ --timeout=10000 \ --update-interval=10 \ --jvm-properties=-Xmx3G \ --log-level=info \ --verbose \ --retry=3 \ --retry-delay=20 \ --fail-on HIGH \ --openapi /demo/openapi.yaml
Web Scan Example
docker run -e CX_APIKEY=$API_MASTER_KEY \ -v $(pwd):/demo checkmarx/dast:latest \ web \ --environment-id=889259e2-c24b-4dc7-99f5-67009c43e73c \ --config=/demo/zap_config_web.yaml \ --base-url=https://urlCxOne.com/ \ --output=/demo/test_output \ --timeout=10000 \ --update-interval=10 \ --jvm-properties=-Xmx3G \ --log-level=info \ --verbose \ --retry=3 \ --retry-delay=20 \ --fail-on HIGH
Replace the following variables:
environment-id→ replace the ID with the corresponding ID on Checkmarx One. You can copy it from the UI.
config→ replace by the corresponding location of the configuration file.base-url→ Specify the URL of your Checkmarx One tenant.output→ specify the location for the output folder.openapi(only mandatory for API scans)→ specify the location of the Swagger file.