Dastardly, from Burp Suite
This extension provides a task that runs a Dastardly vulnerability scan against a target site. On completion, a JUnit XML report is generated containing information about the vulnerabilities found, where they were located, additional information about each vulnerability, and links to our learning resources with suggestions on how to fix them.
About Dastardly
- Dastardly is a free, lightweight web application security scanner for your CI/CD pipeline.
- It is designed specifically for web developers, and checks your application for seven security issues that are likely to interest you during software development.
- Dastardly is based on the same scanner as Burp Suite (Burp Scanner).
For full documentation on using Dastardly, please consult the Dastardly documentation.
Already used Dastardly? Tell us what you think here. To unlock more scanning capabilities, check out our Burp Suite Enterprise Edition CI-Driven Scans.
scanTargetUrl
(Required) The full URL (including scheme) of the site to scan.
outputFileName
(Optional) The name of the output report file. This will be stored in the pipeline agent's home directory. For more information about agents, see Azure Pipelines agents.
The default value is /dastardly/dastardly-report.xml. For Dastardly to be able to write to your file, the path must start with /dastardly.
Examples
Below are some examples of how to use the task by running a Dastardly scan against our very own Gin and Juice Shop site. This is a deliberately vulnerable web application designed for testing web vulnerability scanners.
Basic Usage
- task: dastardly-scan-in-azure@<latest-major-version-number>
  displayName: Run Dastardly Scan
  inputs:
    scanTargetUrl: "https://ginandjuice.shop"
Test Reporting
The Dastardly scan reports an overview of the vulnerabilities found to the pipeline's standard output, but more detail can be found in the report file. If you want to view the results of the scan in the built-in pipeline tests view, you can use Azure's task to publish the scan report as test results. To learn more about this task, see Publish Test Results v2.
For how to implement this with a Dastardly scan, see the example below.
- task: dastardly-scan-in-azure@<latest-major-version-number>
  inputs:
    scanTargetUrl: "https://portswigger-labs.net"
- task: PublishTestResults@2
  condition: always()
  inputs:
    testResultsFormat: 'JUnit'
    testResultsFiles: 'dastardly-report.xml'
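The pipeline tests view gives an overview, but teams often also want a gate that fails the build only above a chosen severity. The following script is an added example, not part of this extension or of Dastardly itself; it reads a JUnit XML file in the generic layout (testsuites/testsuite/testcase/failure) and treats each testcase that carries a failure element as a finding. The severity being carried in the failure element's type attribute, and the sample report embedded below, are assumptions made for the example, not details taken from Dastardly's documentation.

```python
"""Summarise a JUnit XML scan report and decide whether a CI build should fail.

Added example for the Dastardly Azure task README; it is not PortSwigger code.
The report layout below is generic JUnit XML. Where Dastardly stores severity
is an assumption here (failure/@type); adjust parse_findings() to the real file.
"""
import sys
import xml.etree.ElementTree as ET

# Lowest-to-highest severity ranking used by the build gate.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample report (not real scan output) so the example runs offline.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="https://example.invalid/login" tests="2" failures="2">
    <testcase name="Cross-site scripting (reflected)" classname="https://example.invalid/login">
      <failure message="Reflected XSS in the 'q' parameter" type="High">Encode output; see the learning resources link in the report.</failure>
    </testcase>
    <testcase name="Strict transport security not enforced" classname="https://example.invalid/login">
      <failure message="HSTS header missing" type="Low">Add a Strict-Transport-Security header.</failure>
    </testcase>
  </testsuite>
  <testsuite name="https://example.invalid/" tests="1" failures="0">
    <testcase name="SQL injection" classname="https://example.invalid/"/>
  </testsuite>
</testsuites>
"""


def parse_findings(xml_text):
    """Return one dict per testcase that has a <failure> child.

    Testcases without a failure element are checks that passed, so they are
    skipped. Severity falls back to "unknown" if the attribute is absent.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for suite in root.iter("testsuite"):
        for case in suite.findall("testcase"):
            failure = case.find("failure")
            if failure is None:
                continue
            findings.append({
                "location": case.get("classname") or suite.get("name", ""),
                "issue": case.get("name", ""),
                "severity": failure.get("type", "unknown"),
                "message": failure.get("message", ""),
                "detail": (failure.text or "").strip(),
            })
    return findings


def summarize(findings):
    """Count findings per severity label, preserving the label as reported."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


def should_fail_build(findings, threshold="high"):
    """True if any finding is at or above the threshold severity.

    A severity label not in SEVERITY_RANK is treated as above every known
    level, so an unexpected label fails the build rather than slipping through.
    """
    limit = SEVERITY_RANK[threshold.lower()]
    for finding in findings:
        rank = SEVERITY_RANK.get(finding["severity"].lower(), max(SEVERITY_RANK.values()) + 1)
        if rank >= limit:
            return True
    return False


def main(argv):
    # Usage: python gate.py /path/to/dastardly-report.xml [threshold]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            xml_text = handle.read()
    else:
        xml_text = SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "high"
    findings = parse_findings(xml_text)
    for finding in findings:
        print(f"[{finding['severity']}] {finding['issue']} at {finding['location']}: {finding['message']}")
    print("summary:", summarize(findings))
    return 1 if should_fail_build(findings, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a script step after the scan task (with condition: always() so the report is read even when the scan step itself fails) and pass the path used in outputFileName, for example $(System.DefaultWorkingDirectory)/dastardly-report.xml; a non-zero exit code then fails the job. The threshold argument lets a team start by failing only on high findings and tighten it later.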
Using With Artifacts
To view the report file after the pipeline has run, you can save it as a pipeline Artifact. For more information on pipeline Artifacts, see Publish and Download pipeline Artifacts.
For how to implement this with a Dastardly scan, see the example below.
- task: dastardly-scan-in-azure@<latest-major-version-number>
  inputs:
    scanTargetUrl: "https://ginandjuice.shop"
    outputFileName: "/dastardly/dastardly-report.xml"
- publish: $(System.DefaultWorkingDirectory)/dastardly-report.xml
  artifact: DastardlyReport
  condition: always()
- download: current
  artifact: DastardlyReport
  condition: always()
To view pipeline Artifacts, navigate to the Summary page of your pipeline run.
In this example we have used task conditions (condition: always()) to make sure the artifact is published and downloaded even if the scan step fails. To learn more about conditions, see Task types and usage.
Support
If you'd like help with this extension, or you have an issue or feature request, let us know on our user forum.
The extension is maintained by PortSwigger.
If you're reporting an issue, please include:
- the version of the extension
- relevant logs and error messages
- steps to reproduce
License
Copyright PortSwigger 2023.
MIT licensed.