Overview

DAST scans a running application over HTTP — unlike SAST/SCA, it needs a live, reachable deployment. So the DAST stage belongs after your pipeline has deployed the app to a staging or test environment. The stage downloads a helper script (dast.sh), triggers a scan against your deployed URL, polls until it completes, and fails the build when findings exceed your chosen severity threshold.
Prerequisite — verify the target domain. Because DAST sends real attack traffic, CodeAnt only scans domains your organization has proven it owns. Add and verify the target’s domain once on the DAST → Domains page before adding this stage. If the domain isn’t verified, the scan returns 403 needs_verification and the build fails with a message telling you to verify it.

Jenkins Pipeline

Add the following stage to your Jenkinsfile. Place it after the stage that deploys your app to staging:
pipeline {
    agent any

    environment {
        ACCESS_TOKEN = credentials('ACCESS_TOKEN')
        API_BASE     = 'https://api.codeant.ai'
        // The deployed/staging URL to scan. Its host must be a verified
        // domain in CodeAnt (add & verify it on the DAST → Domains page).
        TARGET_URL   = 'https://staging.your-app.com'
    }

    stages {
        // 👇 Deploy your app to a staging environment in an earlier stage —
        //    DAST scans a running application, so it must be live first.

        stage('DAST Scan') {
            steps {
                script {
                    // Extract org/repo from the Git URL (identifies your org)
                    def repoName = env.GIT_URL.replaceAll(/.*[\/:]([^\/]+\/[^\/]+?)(\.git)?$/, '$1')

                    if (!env.ACCESS_TOKEN) {
                        error "ERROR: ACCESS_TOKEN is not set!"
                    }

                    echo "Downloading CodeAnt DAST script..."
                    // -f makes curl fail on an HTTP error instead of saving the error
                    // body as the "script", which base64 -d would then mangle.
                    sh """
                        curl -sSf "${API_BASE}/analysis/ci/dast/script/get" \\
                            --output dast.sh.b64
                        base64 -d dast.sh.b64 > dast.sh
                        chmod +x dast.sh
                    """

                    echo "Running DAST scan against ${TARGET_URL}..."
                    // Single-quoted shell script: the shell expands $ACCESS_TOKEN itself, so
                    // the token is never interpolated into a Groovy string (Jenkins warns
                    // about that because the secret can leak into the build log).
                    withEnv(["REPO_NAME=${repoName}"]) {
                        sh '''
                            ./dast.sh \\
                                -a "$ACCESS_TOKEN" \\
                                -r "$REPO_NAME" \\
                                -g "$TARGET_URL" \\
                                -s github \\
                                -f high \\
                                -t 600 \\
                                -p 30
                        '''
                    }

                    echo "DAST Gate PASSED"
                }
            }
            post {
                failure {
                    echo "DAST Gate FAILED"
                }
                always {
                    sh "rm -f dast.sh dast.sh.b64"
                    archiveArtifacts artifacts: 'dast_results.json', allowEmptyArchive: true
                }
            }
        }
    }
}
Important:
  • In Manage Jenkins → Credentials, add a Secret text credential with ID ACCESS_TOKEN containing your CodeAnt token (cdt_…). See API Tokens for how to create one.
  • Set TARGET_URL to the deployed app/staging URL produced by your pipeline. Its host must be a verified domain (see the prerequisite above).
  • dast.sh runs the scan start → poll → gate in a single command and writes a dast_results.json you can archive.

How it works

  1. Deploy first: An earlier stage deploys your application to a reachable staging/test environment.
  2. Download script: The stage fetches the DAST runner (dast.sh) from the CodeAnt API endpoint.
  3. Start scan: dast.sh triggers a scan against TARGET_URL and receives a scan_id / domain_id.
  4. Poll for results: It polls until the scan completes, using:
    • Timeout: 600 seconds (10 minutes) — DAST is slower than static scans
    • Poll interval: 30 seconds
  5. Gate the build: When the scan finishes, the build fails if any severity at or above --fail-on (default high) has findings, and passes otherwise.

Script Parameters

The dast.sh script accepts the following parameters (required ones first):
  • -a, --access-token (required): CodeAnt API token (cdt_…) — see API Tokens. Example: ${ACCESS_TOKEN}
  • -r, --repo (required): Repository in owner/repository format; identifies your org. Example: ${repoName}
  • -g, --target-url (required): Deployed app/staging URL to scan. Example: https://staging.your-app.com
  • -s, --service (optional): VCS provider: github, gitlab, bitbucket, or azuredevops. Example: github
  • -f, --fail-on (optional): Fail the build on this severity or higher: critical, high, medium, low (default: high). Example: high
  • -t, --timeout (optional): Polling timeout in seconds (default: 600). Example: 600
  • -p, --poll-interval (optional): Poll interval in seconds (default: 30). Example: 30
  • -u, --base-url (optional): Base URL for the VCS service. Example: https://github.com
  • -n, --no-wait (optional): Trigger the scan only; don’t poll for results.
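To make the start → poll → gate flow and the -f / -t / -p parameters concrete, here is a reduced model of that logic as an added shell example. It is not CodeAnt’s dast.sh: the status strings (running / completed / failed), the per-severity counts, and the function names are constructed assumptions. It shows how the --fail-on threshold is compared against the severity rollup, how the timeout and poll interval bound the wait, and why a zero poll interval must be rejected.

```shell
#!/bin/sh
# Added example, not CodeAnt's dast.sh: a reduced model of the
# start -> poll -> gate flow this page describes. The status strings,
# the per-severity counts and the function names are constructed here.

# Rank severities so "at or above --fail-on" is a numeric comparison.
severity_rank() {
    case "$1" in
        critical) echo 4 ;;
        high)     echo 3 ;;
        medium)   echo 2 ;;
        low)      echo 1 ;;
        *)        echo 0 ;;   # unknown value
    esac
}

# gate_findings FAIL_ON CRITICAL HIGH MEDIUM LOW
# Returns 0 (pass) when every severity at or above FAIL_ON has zero findings,
# 1 (fail) otherwise, 2 when FAIL_ON is not a known severity.
gate_findings() {
    fail_on_rank=$(severity_rank "$1")
    if [ "$fail_on_rank" -eq 0 ]; then
        echo "unknown --fail-on value: $1 (use critical, high, medium or low)" >&2
        return 2
    fi
    rc=0
    for pair in "critical=$2" "high=$3" "medium=$4" "low=$5"; do
        name=${pair%%=*}
        count=${pair#*=}
        if [ "$(severity_rank "$name")" -ge "$fail_on_rank" ] && [ "$count" -gt 0 ]; then
            echo "DAST gate: $count $name finding(s) at or above --fail-on $1" >&2
            rc=1
        fi
    done
    return "$rc"
}

# poll_until_done TIMEOUT INTERVAL STATUS_CMD
# Runs STATUS_CMD every INTERVAL seconds until it prints "completed" (returns 0)
# or "failed" (returns 1); returns 2 once TIMEOUT seconds have elapsed.
# This mirrors the -t / -p parameters above.
poll_until_done() {
    timeout=$1; interval=$2; status_cmd=$3
    if [ "$interval" -lt 1 ]; then
        echo "poll interval must be at least 1 second" >&2   # 0 would spin forever
        return 2
    fi
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        status=$("$status_cmd")
        case "$status" in
            completed) return 0 ;;
            failed)    echo "scan reported failure" >&2; return 1 ;;
        esac
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "scan did not complete within ${timeout}s; raise -t for large applications" >&2
    return 2
}

# Constructed stand-ins for the real status poll. fake_status reports
# "running" twice and then "completed"; its counter lives in a file because
# $(...) runs in a subshell. always_running never completes (timeout case).
FAKE_STATUS_FILE="${TMPDIR:-/tmp}/dast_fake_status.$$"
fake_status() {
    n=$(cat "$FAKE_STATUS_FILE" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$FAKE_STATUS_FILE"
    if [ "$n" -ge 3 ]; then echo completed; else echo running; fi
}
always_running() { echo running; }

# Constructed demo run: 10 s timeout, 1 s interval, then gate on "high" with
# 0 critical / 0 high / 3 medium / 5 low findings (passes).
rm -f "$FAKE_STATUS_FILE"
if poll_until_done 10 1 fake_status && gate_findings high 0 0 3 5; then
    echo "DAST Gate PASSED"
else
    echo "DAST Gate FAILED"
fi
rm -f "$FAKE_STATUS_FILE"
```

The gate returns a distinct exit code for a misspelled --fail-on value rather than silently passing, which is the failure mode to watch for in a CI gate: a threshold nobody recognises should break the build, not wave it through.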

What DAST checks

DAST actively probes your running application for runtime vulnerabilities, including:
  • SQL injection (including blind SQLi)
  • Cross-site scripting (reflected & stored)
  • CSRF, open redirects, and CRLF injection
  • Command execution, file inclusion, SSRF, and XXE
  • Missing/weak security headers, CSP, and cookie flags
Findings are AI-reviewed to flag likely false positives, and each is rolled up by severity (critical / high / medium / low) — that rollup is what the --fail-on gate evaluates.
The Jenkins flow scans the target URL with default settings. For OpenAPI/Swagger-aware API scans (which add coverage of your REST endpoints), run the scan from the DAST → Domains page in the dashboard, where you can attach an OpenAPI spec to the domain.

Best Practices

  1. Scan after deploy: Always run the DAST stage against a freshly deployed staging environment.
  2. Start with --fail-on high: Block on critical/high first, then tighten to medium once your app is clean.
  3. Archive results: Keep dast_results.json as a build artifact for auditability.
  4. Keep tokens secure: Never commit access tokens — always use Jenkins Credentials.
  5. Give scans time: DAST is slower than static analysis; raise -t for large applications.

Jenkins Built-in Variables

  • ${env.GIT_URL}: Repository URL. Example: https://github.com/user/repo.git
  • ${env.GIT_COMMIT}: Current commit SHA. Example: abc123def456
  • ${env.GIT_BRANCH}: Current branch name. Example: origin/main
  • ${env.BUILD_NUMBER}: Build number. Example: 42

Troubleshooting

Domain not verified

If the scan fails with domain not verified / needs_verification:
  • Add and verify the target’s domain on the DAST → Domains page (apex verification also covers subdomains).
  • Make sure TARGET_URL’s host matches the verified domain.
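The second check can be done before the scan starts, so the stage fails fast with a clear message instead of a 403 needs_verification. The following is an added shell example, not part of dast.sh or the page’s Jenkinsfile; the function names are constructed. It applies the rule from the first bullet (apex verification covers subdomains) as a suffix match on a dot boundary, which also rejects look-alike hosts such as your-app.com.evil.test or notyour-app.com.

```shell
#!/bin/sh
# Added example, not part of CodeAnt's dast.sh or the Jenkinsfile above:
# a pre-flight check that TARGET_URL's host falls under a domain you have
# verified on the DAST -> Domains page. Function names are constructed.

# url_host URL -> prints the host part (no scheme, userinfo, port, path), lowercased.
# Handles a bracketed IPv6 literal; anything more exotic is out of scope here.
url_host() {
    h=${1#*://}          # strip scheme
    h=${h%%/*}           # strip path
    h=${h%%\?*}          # strip a query that follows the host directly
    h=${h##*@}           # strip userinfo (may itself contain ':')
    case "$h" in
        \[*) h=${h%%]*}; h=${h#\[} ;;   # [::1]:8080 -> ::1
        *)   h=${h%%:*} ;;              # host:port  -> host
    esac
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# host_under_domain HOST DOMAIN -> 0 if HOST equals DOMAIN or is a subdomain of it.
# The match requires a '.' boundary, so "your-app.com.evil.test" and
# "notyour-app.com" are NOT under "your-app.com".
host_under_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    domain=${domain#.}   # tolerate a leading dot
    [ -n "$domain" ] || return 1
    [ "$host" = "$domain" ] && return 0
    case "$host" in
        *".$domain") return 0 ;;
    esac
    return 1
}

# check_target_url URL VERIFIED_DOMAIN... -> 0 if URL's host is covered by any
# listed domain, 1 if not, 2 if no host could be parsed.
check_target_url() {
    url=$1; shift
    host=$(url_host "$url")
    if [ -z "$host" ]; then
        echo "cannot parse a host from '$url'" >&2
        return 2
    fi
    for d in "$@"; do
        host_under_domain "$host" "$d" && return 0
    done
    echo "host '$host' is not under any verified domain ($*); verify it on DAST -> Domains first" >&2
    return 1
}

# Constructed demo: the page's TARGET_URL against its verified apex domain.
if check_target_url "https://staging.your-app.com" "your-app.com"; then
    echo "TARGET_URL host is under a verified domain; safe to start the DAST stage"
fi
```

Run it as the first command of the DAST stage with the list of domains you have verified; a non-zero exit fails the build before any scan traffic is sent.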

Scan times out

If the scan doesn’t complete within the timeout:
  • Increase the timeout, e.g. -t 1200 (20 minutes), for larger applications.
  • Confirm the target URL is reachable from the CodeAnt scanner.

Authentication failures

If you see “Access token invalid”:
  • Verify your ACCESS_TOKEN credential holds a valid CodeAnt token (cdt_…) that hasn’t been revoked.
  • Ensure the token belongs to the same organization as the repository.
  • Check that the credential ID matches exactly.

Target not reachable

If the scan can’t reach your app:
  • Ensure the staging deployment finished successfully before the DAST stage runs.
  • Confirm the URL is publicly reachable (or reachable from your CodeAnt scanner network).

With DAST in your pipeline, every deploy to staging is automatically probed for runtime vulnerabilities before it reaches production.