GitLab DAST Scanning is a Dynamic Application Security Testing capability that analyzes a running web application for security vulnerabilities. It simulates real-world attacks against deployed services to identify issues such as SQL injection, cross-site scripting (XSS), authentication flaws, and misconfigurations. Unlike static analysis, it evaluates the application from the outside, without access to source code.
How It Works
The scanner runs against a live environment, typically a staging or review app created during the CI/CD pipeline. After deployment, the job launches an automated security scanner that crawls the application, maps accessible endpoints, and sends crafted HTTP requests designed to trigger common vulnerabilities.
It behaves like an external attacker. The tool inspects responses for unexpected behavior, error messages, or insecure patterns. Because it operates over HTTP or HTTPS, it can detect runtime issues that only appear when the application is fully assembled, configured, and connected to databases or third-party services.
Results are collected as structured security reports within the pipeline. Findings include severity levels, affected URLs, and remediation guidance. Teams can configure merge request approvals, pipeline gates, or dashboards to enforce policies based on detected risk.
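The pipeline below is an added illustration of the flow just described, not configuration taken from the original page or from GitLab's documentation. It assumes the standard `Security/DAST.gitlab-ci.yml` template, a deploy job that stands up a staging environment, and the long-standing `DAST_*` variable names; the staging URL, login path, field names and the `DAST_STAGING_*` credential variables are placeholders.

```yaml
# Added example: run GitLab DAST against a staging deployment produced earlier
# in the same pipeline. URLs, field names and credential variable names are
# placeholders; newer analyzer versions rename several DAST_* variables, so
# check them against the GitLab version actually in use.
stages:
  - build
  - deploy
  - dast

include:
  - template: Security/DAST.gitlab-ci.yml   # defines the `dast` job and its report artifact

deploy_staging:
  stage: deploy
  script:
    - ./deploy.sh staging                   # placeholder deploy step
  environment:
    name: staging
    url: https://staging.example.invalid    # placeholder target

dast:
  stage: dast
  needs: ["deploy_staging"]                 # scan only once the app is actually up
  variables:
    DAST_WEBSITE: https://staging.example.invalid
    DAST_FULL_SCAN_ENABLED: "true"          # active checks, not only passive response inspection
    DAST_EXCLUDE_URLS: https://staging.example.invalid/logout   # keep the crawler logged in
    # Authenticated crawl so endpoints behind the login flow are in scope.
    # Secrets come from masked CI/CD variables, never from literals in this file.
    DAST_AUTH_URL: https://staging.example.invalid/login
    DAST_USERNAME: $DAST_STAGING_USER
    DAST_PASSWORD: $DAST_STAGING_PASSWORD
    DAST_USERNAME_FIELD: username           # placeholder form field names
    DAST_PASSWORD_FIELD: password
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_MERGE_REQUEST_IID
```

The template publishes the findings as a `dast` report artifact, which is what the merge request widget, the vulnerability dashboard and any approval or pipeline gate read from.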
Why It Matters
Many security flaws emerge only at runtime due to misconfigurations, authentication flows, or integration issues. Static testing cannot catch these. By scanning deployed applications automatically in CI/CD, teams detect exploitable weaknesses before production release.
For operations and platform teams, this reduces incident risk and shortens feedback loops between development and security. It also supports compliance requirements by providing auditable, repeatable security validation embedded directly in the delivery workflow.
Key Takeaway
GitLab DAST Scanning embeds automated runtime attack simulation into your pipeline, helping teams catch real-world security vulnerabilities before they reach production.