Installing the DAST CLI in a Pipeline
You can integrate DAST with your favorite CI/CD pipelines. This section explains how the DAST CLI can be installed in a pipeline.
To run a DAST scan, you need an outbound connection to Checkmarx One so that the results can be uploaded. Make sure your pipeline can reach the following IPs (for the BETA version: Canary). For more information, see the Checkmarx One External IPs page.
- 3.126.230.210
- 3.74.225.192
- 3.120.214.171
When running the DAST CLI, the following commands and flags are available:

```text
Available Commands:
  api       Executes a DAST api scan
  web       Executes a DAST web scan
  generate  Generate a DAST configuration file

Usage: dast api [flags]
Flags:
  -h, --help             help for api
      --openapi string   path to the openapi file
      --postman string   path to the postman file

Usage: dast web [flags]
Flags:
  -h, --help   help for web

Usage: dast generate [command]
Available Commands:
  form-auth
  json-auth
  no-auth
Flags:
  -h, --help   help for generate
```

Global Flags:
- --base-url <string>
CxOne Servers base URL.
- --config <string>
Path to the config file.
- --environment-id <string>
The ID of the environment previously created in the CxOne Frontend.
- --fail-on <string>
Lowest severity in the results to fail the execution of the DAST-CLI (all, low, info, medium, high, Critical).
- -h, --help
Help for DAST.
- --jvm-properties <string> (Default - "-Xmx3G")
Path to the jvm properties file.
- --log-level <string> (Default - "info")
Log level.
- --output <string>
Path to the output directory.
- --proxy-port <string>
Override the host port used for proxying.
- --proxy-url <string>
Override the host used for proxying.
- --retry-delay <int> (Default - 20)
Time between retries in seconds; use with --retry.
- --retry <int> (Default - 3)
Retry requests to AST on connection failure.
- --timeout <int> (Default - 10000)
DAST scan timeout in seconds.
- --update-interval <int> (Default - 30)
Update interval in seconds.
- --verbose
Print logs to stdout.
The following CI/CD pipelines integrate with DAST:
Integrate DAST into Azure Pipelines CI/CD to run DAST scans in Azure DevOps repositories. The following example runs a DAST web scan from a PowerShell step:

```yaml
# Example for a DAST web scan using PowerShell
trigger: none
# API key variables are stored in a Library
variables:
  - group: "CxOne DAST Variables"
pool:
  vmImage: "ubuntu-latest"
jobs:
  - job: build
    displayName: 'Initiate DAST scan'
    steps:
      # Use PowerShell to do the heavy lifting
      - powershell: |
          sudo chmod a+rw -R ./
          docker pull checkmarx/dast:latest
          docker run -e CX_APIKEY=$(CANARY_API_KEY) -v "/home/vsts/work/1/s:/dast_home" checkmarx/dast:latest web --environment-id="99f10aac-6a73-49a3-81b1-0adae9a158fc" --config="/dast_home/DAST-AZURE/dast-config/zap_config.yaml" --base-url=https://deu.ast.checkmarx.net/ --output=/dast_home/DAST-AZURE/test_output --timeout=10000 --update-interval=10 --jvm-properties=-Xmx3G --log-level=info --verbose --retry=3 --retry-delay=20
          sudo chown -R vsts:docker test_output
        displayName: 'Run CxOne DAST via PowerShell'
      # Publish the contents of the output directory as artifacts
      - task: PublishPipelineArtifact@1
        displayName: 'Publish CxOne DAST Artifacts'
        inputs:
          targetPath: '$(Build.SourcesDirectory)/DAST-AZURE/test_output'
          artifact: 'CxOne DAST Artifacts'
```
You can integrate DAST into Bamboo. The example below demonstrates running DAST in a build plan linked to a GitHub repository. After you create a project with a build plan linked to a GitHub repository, you need to create a task to run DAST. The script body should contain:

```shell
docker run -v ${PWD}:/path checkmarx/dast:latest web --config /path/zapconfig.yaml --verbose
```
You can integrate DAST into Bitbucket Pipelines CI/CD and run DAST scans in your Bitbucket repositories. The following is an example DAST web scan configuration:

```yaml
pipelines:
  default:
    - step:
        name: "Run Cx-DAST-CLI scan"
        script:
          - docker run -e CX_APIKEY=**** checkmarx/dast:latest web --base-url=%CxOne-address% --environment-id=**** --config=${PWD}/zap_config.yaml --output=/tmp --jvm-properties=-Xmx3G --verbose
        services:
          - docker
```
Enable CircleCI to access your profile or GitHub organization. Create a .circleci directory in your project's root and place a config.yaml inside:

```yaml
version: 2.1
jobs:
  dast:
    docker:
      - image: checkmarx/dast:latest
    steps:
      - checkout
      - run:
          name: Run DAST
          command: |
            /app/bin/dast web --config ${PWD}/zap_config.yaml --verbose
workflows:
  version: 2
  build:
    jobs:
      # etc...
      - dast
```
Note: a full list of DAST Docker tags is available on the Docker Tags page.
To run Checkmarx DAST as a Docker image:
- Download the Docker image. In your terminal, enter the command docker pull checkmarx/dast:latest to use the last updated version. If you want to download a specific version, replace the tag with the version you want to download; for example, docker pull checkmarx/dast:1.0.1.
- Open the terminal and access the folder where the configuration and Swagger files (for an API scan) are located.
- Run the following command to start the DAST scan from the Docker image:

API Scan Example

```shell
docker run -e CX_APIKEY=$API_MASTER_KEY \
  -v $(pwd):/demo checkmarx/dast:latest \
  api \
  --environment-id=889259e2-c24b-4dc7-99f5-67009c43e73c \
  --config=/demo/zap_config_api.yaml \
  --base-url=https://urlCxOne.com/ \
  --output=/demo/test_output \
  --timeout=10000 \
  --update-interval=10 \
  --jvm-properties=-Xmx3G \
  --log-level=info \
  --verbose \
  --retry=3 \
  --retry-delay=20 \
  --fail-on HIGH \
  --openapi /demo/openapi.yaml
```

Web Scan Example

```shell
docker run -e CX_APIKEY=$API_MASTER_KEY \
  -v $(pwd):/demo checkmarx/dast:latest \
  web \
  --environment-id=889259e2-c24b-4dc7-99f5-67009c43e73c \
  --config=/demo/zap_config_web.yaml \
  --base-url=https://urlCxOne.com/ \
  --output=/demo/test_output \
  --timeout=10000 \
  --update-interval=10 \
  --jvm-properties=-Xmx3G \
  --log-level=info \
  --verbose \
  --retry=3 \
  --retry-delay=20 \
  --fail-on HIGH
```
Replace the following variables:
- environment-id → replace the ID with the corresponding ID on Checkmarx One. You can copy it from the UI.
- config → replace with the corresponding location of the configuration file.
- base-url → specify the URL of your Checkmarx One tenant.
- output → specify the location for the output folder.
- openapi (only mandatory for API scans) → specify the location of the Swagger file.
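The docker examples above and the Global Flags glossary leave two things to get right by hand: which paths the CLI sees inside the container after the `-v $(pwd):/demo` mount, and which flags are mandatory for each scan type. The following is an added helper (not Checkmarx code) that builds the `docker run` argv from those rules; the environment ID, paths and the CX_APIKEY value used in its checks are placeholders, and it passes the key with a bare `-e CX_APIKEY` so the secret is inherited from the environment rather than written on the command line.

```python
"""Build a `docker run` argv for the Checkmarx DAST CLI. Added example, not
Checkmarx code: it enforces this page's rules (--openapi only for api scans,
--fail-on levels, files mounted at /demo, API key read from the environment).
Paths, IDs and the CX_APIKEY value used in checks are placeholders."""
import os
FAIL_ON_LEVELS = {"all", "info", "low", "medium", "high", "critical"}
IMAGE = "checkmarx/dast:latest"   # any tag from the Docker Tags list
MOUNT = "/demo"                   # container side of `-v $(pwd):/demo`

def validation_errors(scan_type, fail_on, openapi, env):
    """Return the problems found; an empty list means the scan can run."""
    errors = []
    if scan_type not in ("web", "api"):
        errors.append("scan_type must be 'web' or 'api'")
    if scan_type == "api" and not openapi:
        errors.append("--openapi is mandatory for api scans")
    if fail_on is not None and fail_on.lower() not in FAIL_ON_LEVELS:
        errors.append(f"unknown --fail-on level: {fail_on}")
    if not env.get("CX_APIKEY"):
        errors.append("CX_APIKEY is not set in the environment")
    return errors

def container_path(host_path, host_dir):
    """Map a file under host_dir to the path the container sees under MOUNT."""
    rel = os.path.relpath(os.path.normpath(os.path.join(host_dir, host_path)), host_dir)
    if rel.startswith(".."):
        raise ValueError(f"{host_path} is outside the mounted directory {host_dir}")
    return f"{MOUNT}/{rel}"

def build_dast_command(scan_type, environment_id, base_url, config, output="test_output",
                       openapi=None, fail_on=None, timeout=10000, retry=3, retry_delay=20,
                       host_dir=None, env=None):
    """Return the docker argv (a list suitable for subprocess.run) for a scan."""
    host_dir = host_dir or os.getcwd()
    env = os.environ if env is None else env
    problems = validation_errors(scan_type, fail_on, openapi, env)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["docker", "run", "--rm", "-e", "CX_APIKEY",  # no value: inherited from env
            "-v", f"{host_dir}:{MOUNT}", IMAGE, scan_type,
            f"--environment-id={environment_id}",
            f"--config={container_path(config, host_dir)}",
            f"--base-url={base_url}", f"--output={container_path(output, host_dir)}",
            f"--timeout={timeout}", f"--retry={retry}", f"--retry-delay={retry_delay}",
            "--verbose"]
    if scan_type == "api":
        argv.append(f"--openapi={container_path(openapi, host_dir)}")
    if fail_on:
        argv.append(f"--fail-on={fail_on.lower()}")
    return argv
```

Pass the returned list to `subprocess.run` from a directory that contains the configuration and Swagger files; a non-zero exit reflects the `--fail-on` threshold just as in the examples above.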
You can integrate DAST into your GitHub Actions CI/CD pipelines with a specific DAST GitHub Action and run DAST scans in your GitHub repositories.
Default Report Usage Example

```yaml
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: actions/checkout@v2
  # Scan with DAST
  - name: run dast web
    uses: checkmarx/dast-action@latest
    with:
      config: 'zapconfig.yaml'
      verbose: true
```
Workflow Failures: By default, DAST fails your workflow on any results found. If you want your pipeline to fail only on HIGH severity results and DAST engine execution errors:

```yaml
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: actions/checkout@v2
  # Scan with DAST
  - name: run dast web
    uses: checkmarx/dast-action@latest
    with:
      config: 'zapconfig.yaml'
      verbose: true
      environment_id: <ENVIRONMENT_ID>
      fail_on: 'HIGH'
```
DAST CLI authentication is made through a Checkmarx One API key. To generate an API key and make it available to the action, follow these steps:
- Go to Identity and Access Management.
- Go to API Keys.
- Create a new API key.
- Copy the generated key.
- Create a GitHub Actions runner secret from the generated key.
- Set the environment variable CX_APIKEY to the newly created secret:

```yaml
steps:
  - name: Run DAST Scan
    uses: checkmarx/dast-github-action@v1.0
    env:
      CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}
```
Variable | Example Value | Description | Required |
---|---|---|---|
command | web | The type of scan to perform (web, api) | true |
config | ./zap_config.yaml | The path to the ZAP configuration file | true |
base_url | | The base URL for the Checkmarx One application | true |
environment_id | c608a51a-ec4e-4eef-81c4-a0241737efd7 | The environment ID retrieved from DAST in Checkmarx One | true |
openapi | ./swagger.yaml | The path to the openapi specification file | true (only for api scan) |
project_id | fd093dde-b64a-466f-b2cd-8bf141b4db94 | The project ID retrieved from project tab in Checkmarx One | false (only for api scan) |
output | ./output | The path to generate the output files (zap log and original results) | false |
timeout | 10000 | The zap engine timeout in seconds (default: 300) | false |
update_interval | 10 | The interval in which to log the progress of the scan in seconds (default: 10) | false |
jvm_properties | -Xmx512m | The jvm properties used in the ZAP engine (default: -Xmx3G) | false |
log_level | info | The level on what DAST will log (default: info) | false |
verbose | true | Set to true to print the logs to the stdout (default: false) | false |
fail_on | high | The minimum severity in which the action should fail | false |
retry | 3 | Retry requests to AST on connection failure (default: 3) | false |
retry_delay | 20 | Time between retries in seconds, use with retry (default: 20) | false |
Web Scan

```yaml
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: actions/checkout@v3
  # Scan Iac with DAST
  - name: Checkmarx DAST Github Action
    uses: Checkmarx/dast-github-action@v1.0.0-beta
    env:
      CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}
    with:
      command: "web"
      config: 'zap_config.yaml'
      base_url: "localhost.cxast.net"
      environment_id: "c608a51a-ec4e-4eef-81c4-a0241737efd7"
      fail_on: "HIGH"
      verbose: true
  - uses: actions/upload-artifact@v3
    name: Upload Logs
    with:
      name: report
      path: ./output
```

API Scan

```yaml
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
  # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: actions/checkout@v3
  # Scan Iac with DAST
  - name: Checkmarx DAST Github Action
    uses: Checkmarx/dast-github-action@v1.0.0-beta
    env:
      CX_APIKEY: ${{ secrets.CX_ONE_API_KEY }}
    with:
      command: "api"
      config: 'zap_api_config.yaml'
      base_url: "localhost.cxast.net"
      environment_id: "c608a51a-ec4e-4eef-81c4-a0241737efd7"
      openapi: "swagger.yaml"
      project_id: "fd093dde-b64a-466f-b2cd-8bf141b4db94"
      fail_on: "HIGH"
      verbose: true
  - uses: actions/upload-artifact@v3
    name: Upload Logs
    with:
      name: report
      path: ./output
```
You can integrate DAST into your GitLab CI/CD pipelines and run DAST scans in your GitLab repositories:

```yaml
image:
  name: checkmarx/dast:1.0.1
  entrypoint: [""]
stages:
  - CxOneDast
dast-scan:
  stage: CxOneDast
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker run -e CX_APIKEY=$SECRETKEY -v $CI_PROJECT_DIR:/demo checkmarx/dast:1.0.1 web --environment-id=7d5b6942-192c-4d04-a9d2-47f5acdd24bf --config=/demo/zap_config.yaml --base-url=https://deu.ast.checkmarx.net --output=/demo/output.log --timeout=10000 --update-interval=10 --jvm-properties=-Xmx3G --log-level=info --verbose --retry=3 --retry-delay=20 --fail-on HIGH
```
You can integrate DAST into your Jenkins CI/CD pipelines and run DAST scans as a stage in your pipeline.
Plugins required:
```groovy
#!groovy
def ret
pipeline {
    agent { node { label 'Dynamic-AST-Deployment-New' } }
    options {
        timestamps()
        timeout(time: 2, unit: 'HOURS')
    }
    stages {
        stage("Docker Pull") {
            steps {
                script {
                    sh "docker pull checkmarx/dast:latest"
                }
            }
        }
        stage("Run DAST") {
            steps {
                script {
                    git credentialsId: 'github_creds', url: 'https://github.com/CheckmarxDev/dast-demo-env'
                    // returnStatus: true lets the stage decide how to handle a non-zero exit
                    ret = sh(
                        script: """
                            docker run -v \$(pwd)/dast-config:/tmp/config -v \$(pwd)/output:/output -e CX_APIKEY=$API_KEY --user 0 checkmarx/dast:latest \
                            web --base-url=https://deu.ast.checkmarx.net/ --timeout=10000 --log-level=info --verbose \
                            --config=/tmp/config/zap_config.yaml --environment-id=49e32846-7455-407c-aed6-be17dfe1632e \
                            --fail-on high --output /output
                        """,
                        returnStatus: true)
                    if (ret != 0) {
                        currentBuild.result = 'FAILED'
                        return
                    }
                }
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: 'output'
        }
    }
}
```
You can integrate DAST into TeamCity pipelines using the Kotlin DSL and the DAST Docker image to run DAST scans as a stage of your pipeline. Ensure that the TeamCity agent has Docker configured to run containers. Check out Getting Started with Kotlin DSL and modify your .teamcity/settings.kts as in the following example:

```kotlin
import jetbrains.buildServer.configs.kotlin.v2019_2.*
import jetbrains.buildServer.configs.kotlin.v2019_2.buildSteps.script

version = "2021.1"

project {
    description = "DAST TeamCity integration test"
    buildType(Build)
}

object Build : BuildType({
    name = "DAST TeamCity integration test"
    vcs {
        root(DslContext.settingsRoot)
    }
    steps {
        script {
            scriptContent = """
                #!/bin/bash
                docker run -v ${'$'}PWD:/path checkmarx/dast:latest web --config /path/zap_config.yaml --verbose --environment-id <ENVIRONMENT_ID>
            """.trimIndent()
        }
    }
})
```
With versioned settings enabled, you can see the build progress, logs, and success status after pushing the changes to the repository.
You can integrate DAST into your Travis CI/CD pipelines and run DAST scans in your repositories.
Example Configuration Using Docker

```yaml
services:
  - docker
before_install:
  - docker pull checkmarx/dast:latest
script:
  # Mount the working directory at /path so the container can read zap_config.yaml
  - docker run -v ${PWD}:/path checkmarx/dast:latest web --config /path/zap_config.yaml --verbose --environment-id <ENVIRONMENT_ID>
```