doc/user/application_security/dast/browser/configuration/variables.md
These CI/CD variables are specific to the browser-based DAST analyzer. They can be used to customize the behavior of DAST to your requirements.
These variables control how the scan is conducted and where its results are stored.
| CI/CD variable | Type | Example | Description |
|---|---|---|---|
DAST_CHECKS_TO_EXCLUDE | string | 552.2,78.1 | Comma-separated list of check identifiers to exclude from the scan. For identifiers, see vulnerability checks. |
DAST_CHECKS_TO_RUN | List of strings | 16.1,16.2,16.3 | Comma-separated list of check identifiers to use for the scan. For identifiers, see vulnerability checks. |
DAST_CRAWL_GRAPH | boolean | true | Set to true to generate an SVG graph of navigation paths visited during crawl phase of the scan. You must also define gl-dast-crawl-graph.svg as a CI job artifact to be able to access the generated graph. Defaults to false. |
DAST_FULL_SCAN | boolean | true | Set to true to run both passive and active checks. Default is false. |
DAST_LOG_BROWSER_OUTPUT | boolean | true | Set to true to log Chromium STDOUT and STDERR. |
DAST_LOG_CONFIG | List of strings | brows:debug,auth:debug | (Deprecated) A list of modules and their intended logging level for use in the console log. |
DAST_LOG_DEVTOOLS_CONFIG | string | Default:messageAndBody,truncate:2000 | Set to log protocol messages between DAST and the Chromium browser. |
DAST_LOG_FILE_CONFIG | List of strings | brows:debug,auth:debug | A list of modules and their intended logging level for use in the file log. |
DAST_LOG_FILE_PATH | string | /output/browserker.log | Set to the path of the file log. Default is gl-dast-scan.log. |
SECURE_ANALYZERS_PREFIX | URL | registry.organization.com | Set the Docker registry base address from which to download the analyzer. |
SECURE_LOG_LEVEL | string | debug | Set the default level for the file log. See SECURE_LOG_LEVEL. |
These variables tell the scanner where to look for certain elements, which actions to take, and how long to wait for operations to complete.
| CI/CD variable | Type | Example | Description |
|---|---|---|---|
DAST_ACTIVE_SCAN_TIMEOUT | Duration string | 3h | The maximum amount of time to wait for the active scan phase of the scan to complete. Defaults to 3h. |
DAST_ACTIVE_SCAN_WORKER_COUNT | number | 3 | The number of active checks to run in parallel. Defaults to 3. |
DAST_CRAWL_MAX_ACTIONS | number | 10000 | The maximum number of actions that the crawler performs. Example actions include selecting a link, or filling out a form. Defaults to 10000. |
DAST_CRAWL_MAX_DEPTH | number | 10 | The maximum number of chained actions that the crawler takes. For example, Click, Form Fill, Click is a depth of three. Defaults to 10. |
DAST_CRAWL_TIMEOUT | Duration string | 5m | The maximum amount of time to wait for the crawl phase of the scan to complete. Defaults to 24h. |
DAST_CRAWL_WORKER_COUNT | number | 3 | The maximum number of concurrent browser instances to use. For instance runners on GitLab.com, we recommended a maximum of three. Private runners with more resources may benefit from a higher number, but are likely to produce little benefit after five to seven instances. The default value is dynamic, equal to the number of usable logical CPUs. |
DAST_PAGE_DOM_READY_TIMEOUT | Duration string | 7s | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis after a navigation completes. Defaults to 6s. |
DAST_PAGE_DOM_STABLE_WAIT | Duration string | 200ms | Define how long to wait for updates to the DOM before checking a page is stable. Defaults to 500ms. |
DAST_PAGE_ELEMENT_READY_TIMEOUT | Duration string | 600ms | The maximum amount of time to wait for an element before determining it is ready for analysis. Defaults to 300ms. |
DAST_PAGE_IS_LOADING_ELEMENT | selector | css:#page-is-loading | Selector that, when no longer visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_READY_ELEMENT. |
DAST_PAGE_IS_READY_ELEMENT | selector | css:#page-is-ready | Selector that when detected as visible on the page, indicates to the analyzer that the page has finished loading and the scan can continue. Cannot be used with DAST_PAGE_IS_LOADING_ELEMENT. |
DAST_PAGE_MAX_RESPONSE_SIZE_MB | number | 15 | The maximum size of a HTTP response body. Responses with bodies larger than this are blocked by the browser. Defaults to 10 MB. |
DAST_PAGE_READY_AFTER_ACTION_TIMEOUT | Duration string | 7s | The maximum amount of time to wait for a browser to consider a page loaded and ready for analysis. Defaults to 7s. |
DAST_PAGE_READY_AFTER_NAVIGATION_TIMEOUT | Duration string | 15s | The maximum amount of time to wait for a browser to navigate from one page to another. Defaults to 15s. |
DAST_PASSIVE_SCAN_WORKER_COUNT | int | 5 | Number of workers that passive scan in parallel. Defaults to the number of available CPUs. |
DAST_PKCS12_CERTIFICATE_BASE64 | string | ZGZkZ2p5NGd... | The PKCS12 certificate used for sites that require Mutual TLS. Must be encoded as base64 text. |
DAST_PKCS12_PASSWORD | string | password | The password of the certificate used in DAST_PKCS12_CERTIFICATE_BASE64. Create sensitive custom CI/CI variables using the GitLab UI. |
DAST_REQUEST_ADVERTISE_SCAN | boolean | true | Set to true to add a Via: GitLab DAST <version> header to every request sent, advertising that the request was sent as part of a GitLab DAST scan. Default: false. |
DAST_REQUEST_COOKIES | dictionary | abtesting_group:3,region:locked | A cookie name and value to be added to every request. |
DAST_REQUEST_HEADERS | String | Cache-control:no-cache | Set to a comma-separated list of request header names and values. The following headers are not supported: content-length, cookie2, keep-alive, hosts, trailer, transfer-encoding, and all headers with a proxy- prefix. |
DAST_REQUEST_USER_AGENT | String | Set to change the user-agent string sent by the browser. The default user-agent is Google Chrome on Linux. | |
DAST_SCOPE_ALLOW_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are considered in scope when crawled. By default the DAST_TARGET_URL hostname is included in the allowed hosts list. Headers set using DAST_REQUEST_HEADERS are added to every request made to these hostnames. |
DAST_SCOPE_EXCLUDE_ELEMENTS | selector | a[href='2.html'],css:.no-follow | Comma-separated list of selectors that are ignored when scanning. |
DAST_SCOPE_EXCLUDE_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are considered excluded and connections are forcibly dropped. |
DAST_SCOPE_IGNORE_HOSTS | List of strings | site.com,another.com | Hostnames included in this variable are accessed, not attacked, and not reported against. |
DAST_TARGET_CHECK_SKIP | boolean | true | Set to true to prevent DAST from checking that the target is available before scanning. Default: false. |
DAST_TARGET_CHECK_TIMEOUT | number | 60 | Time limit in seconds to wait for target availability. Default: 60s. |
DAST_TARGET_PATHS_FILE | string | /builds/project/urls.txt | Scan only these paths instead of crawling the whole site. Set to a file path containing a list of URL paths relative to DAST_TARGET_URL. The file must be plain text with one path per line. When this is set, DAST_CRAWL_MAX_DEPTH defaults to 1. To prevent this, set DAST_OVERRIDE_MAX_DEPTH: false. |
DAST_TARGET_PATHS | string | /page1.html,/category1/page3.html | Scan only these paths instead of crawling the whole site. Set to a comma-separated list of URL paths relative to DAST_TARGET_URL. When this is set, DAST_CRAWL_MAX_DEPTH defaults to 1. To prevent this, set DAST_OVERRIDE_MAX_DEPTH: false. |
DAST_TARGET_URL | URL | https://site.com | The URL of the website to scan. |
DAST_USE_CACHE | boolean | true | Set to false to disable caching. Default: true. Note: Disabling cache can cause OOM events or DAST job timeouts. |
DAST_CRAWL_GROUPED_URLS | string | https://example.com/hello/*,https://example.com/world/*/details | (Experimental) Set to a comma-separated list of wildcard URL patterns with at least one *. To reduce scan time, the scanner groups and analyzes only one matched URL per pattern. |
These variables tell the scanner how to authenticate with your application.
| CI/CD variable | Type | Example | Description |
|---|---|---|---|
DAST_AUTH_AFTER_LOGIN_ACTIONS | string | select(option=id:accept-yes),click(on=css:.continue) | A comma-separated list of actions to take after login but before login verification. Supports click and select actions. See Taking additional actions after submitting the login form. |
DAST_AUTH_BEFORE_LOGIN_ACTIONS | selector | css:.user,id:show-login-form | A comma-separated list of selectors representing elements to click on prior to entering the DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD into the login form. |
DAST_AUTH_CLEAR_INPUT_FIELDS | boolean | true | Disables clearing of username and password fields before attempting manual login. Set to false by default. |
DAST_AUTH_COOKIE_NAMES | string | sessionID,groupName | Set to a comma-separated list of cookie names to specify which cookies are used for authentication. |
DAST_AUTH_FIRST_SUBMIT_FIELD | selector | css:input[type=submit] | A selector describing the element that is clicked on to submit the username form of a multi-page login process. |
DAST_AUTH_NEGOTIATE_DELEGATION | string | *.example.com,example.com,*.EXAMPLE.COM,EXAMPLE.COM | Which servers should be allowed for integrated authentication and delegation. This property sets two Chromium policies: AuthServerAllowlist and AuthNegotiateDelegateAllowlist. Introduced in GitLab 17.6. |
DAST_AUTH_OTP_FIELD | selector | name:otp | A selector describing the element used to enter the one-time password on the login form. |
DAST_AUTH_OTP_KEY | String | I5UXITDBMIQEIQKTKQFA==== | The Base32 encoded secret key to use when generating a one-time password to authenticate to the website. |
DAST_AUTH_OTP_SUBMIT_FIELD | selector | css:input[type=submit] | A selector describing the element that is clicked on to submit the OTP form when it is separate from the username. |
DAST_AUTH_PASSWORD | String | P@55w0rd! | The password to authenticate to in the website. |
DAST_AUTH_PASSWORD_FIELD | selector | name:password | A selector describing the element used to enter the password on the login form. |
DAST_AUTH_SUBMIT_FIELD | selector | css:input[type=submit] | A selector describing the element clicked on to submit the login form for a single-page login form, or the password form for a multi-page login form. |
DAST_AUTH_SUCCESS_IF_AT_URL | URL | https://www.site.com/welcome* | A URL that is compared to the URL in the browser to determine if authentication has succeeded after the login form is submitted. Wildcard * can be used to match a dynamic URL. |
DAST_AUTH_SUCCESS_IF_ELEMENT_FOUND | selector | css:.user-avatar | A selector describing an element whose presence is used to determine if authentication has succeeded after the login form is submitted. |
DAST_AUTH_SUCCESS_IF_NO_LOGIN_FORM | boolean | true | Verifies successful authentication by checking for the absence of a login form after the login form has been submitted. This success check is enabled by default. |
DAST_AUTH_TYPE | string | basic-digest | The authentication type to use. |
DAST_AUTH_URL | URL | https://www.site.com/login | The URL of the page containing the login form on the target website. DAST_AUTH_USERNAME and DAST_AUTH_PASSWORD are submitted with the login form to create an authenticated scan. |
DAST_AUTH_USERNAME | string | [email protected] | The username to authenticate to in the website. |
DAST_AUTH_USERNAME_FIELD | selector | name:username | A selector describing the element used to enter the username on the login form. |
DAST_SCOPE_EXCLUDE_URLS | URLs | https://site.com/.*/sign-out | The URLs to skip during the authenticated scan; comma-separated. Regular expression syntax can be used to match multiple URLs. For example, .* matches an arbitrary character sequence. |
DAST_AUTH_REPORT | boolean | true | Set to true to generate a report detailing steps taken during the authentication process. You must also define gl-dast-debug-auth-report.html as a CI job artifact to be able to access the generated report. The report's content aids when debugging authentication failures. Defaults to false. |