Dastardly, from Burp Suite

Dastardly is a free, lightweight web application security scanner for your CI/CD pipeline. It is designed specifically for web developers, and checks your application for seven security issues that are likely to interest you during software development. Dastardly is based on the same scanner as Burp Suite (Burp Scanner).

How to run Dastardly

Dastardly uses Docker to run in your CI/CD pipeline.

We provide specific instructions for integrating Dastardly with a number of CI/CD platforms, and a generic docker run command that enables you to integrate Dastardly with any CI/CD platform. For more information, see "Integrating Dastardly with your existing CI/CD platform".

Configuration

Dastardly requires minimal configuration. When running a Dastardly scan, all you need to do is provide the seed URL you wish to scan. The seed URL is the point from which Dastardly scans your target web application. From here, Dastardly scans any URLs it finds below the seed URL in the hierarchy.
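The scoping rule above (scan only what sits at or below the seed URL) is easy to misjudge at the edges: a different scheme or port, an explicit `:443`, or a path that merely shares a prefix. The following is an added illustrative model of that rule, not Dastardly's own implementation; the exact normalisation Dastardly applies is an assumption here, and the hostnames and paths are constructed.

```python
from urllib.parse import urlsplit

# Illustrative model (assumption, not Dastardly's code) of "below the seed URL
# in the hierarchy": same scheme, host and port, and a path that is the seed
# path or lies under it on a path-segment boundary.

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(url: str):
    """Split a URL into (scheme, host, port, path) with defaults applied."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostnames are case-insensitive
    # An omitted port means the scheme default, so :443 and no port are equal.
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    # Query and fragment do not change where the resource sits in the tree.
    path = parts.path or "/"
    return scheme, host, port, path


def in_scope(seed_url: str, candidate_url: str) -> bool:
    """True when candidate_url is the seed URL or lies below it."""
    s_scheme, s_host, s_port, s_path = _normalize(seed_url)
    c_scheme, c_host, c_port, c_path = _normalize(candidate_url)
    if (s_scheme, s_host, s_port) != (c_scheme, c_host, c_port):
        return False
    if s_path.endswith("/"):
        # Seed names a directory: anything beneath it is in scope.
        return c_path.startswith(s_path)
    # Seed names a resource: only that resource or a sub-path, so that a
    # seed of /catalog does not pull in /catalogue.
    return c_path == s_path or c_path.startswith(s_path + "/")


def filter_in_scope(seed_url: str, discovered):
    """Keep only the discovered URLs a scan rooted at seed_url would visit."""
    return [u for u in discovered if in_scope(seed_url, u)]


if __name__ == "__main__":
    # Constructed sample of URLs a crawler might discover from the seed.
    seed = "https://shop.example.test/catalog"
    found = [
        "https://shop.example.test/catalog/product?id=1",
        "https://shop.example.test/catalogue",        # shares a prefix only
        "http://shop.example.test/catalog/product",   # wrong scheme
        "https://shop.example.test:443/catalog/cart", # explicit default port
        "https://cdn.example.test/catalog/app.js",    # different host
    ]
    for url in filter_in_scope(seed, found):
        print("in scope:", url)
```

Run stand-alone it lists the two in-scope URLs from the constructed sample. The point for a pipeline author is that the seed URL decides coverage: a seed of `https://shop.example.test/catalog` will not exercise `/checkout`, and assets served from another host are never visited.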

Scanning

Dastardly uses a dynamic (DAST) methodology to scan your target web application. It scans your target application in a deployed state. This is unlike static (SAST) scanning, which looks at application code before it is deployed.

Dastardly scans are limited to ten minutes. Note that this may not be enough time to achieve full coverage of larger or more complex web applications. Burp Suite Enterprise Edition and Burp Suite Professional are both capable of scanning without this limitation.

Results

Dastardly outputs its scan reports in JUnit XML format. Issues Dastardly finds are accompanied by detailed remediation advice, and evidence in the form of the request sent by Dastardly to produce the issue, as well as the response sent by the application.
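Because the report is JUnit XML, a pipeline can treat each reported issue like a failing test and decide whether to fail the build. The script below is an added example, not part of Dastardly or its documentation: it parses a constructed JUnit report, extracts the issue name, the affected URL, the severity and the request/response evidence, and applies a severity threshold. The `<testsuite>`/`<testcase>`/`<failure>` layout is standard JUnit; reading the severity from the failure's `type` attribute and the URL from `classname` is an assumption for this example, as is the sample content.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report in JUnit XML shape. It is NOT real Dastardly
# output; the attribute mapping (type = severity, classname = URL) is an
# assumption made for this example.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="https://shop.example.test/" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)"
              classname="https://shop.example.test/search">
      <failure message="Issue found: Cross-site scripting (reflected)" type="High">
Request: GET /search?q=[constructed placeholder]
Response: HTTP/1.1 200 OK [constructed placeholder]
      </failure>
    </testcase>
    <testcase name="Strict transport security not enforced"
              classname="https://shop.example.test/">
      <failure message="Issue found: Strict transport security not enforced" type="Low"/>
    </testcase>
    <testcase name="Vulnerable JavaScript dependency"
              classname="https://shop.example.test/static/app.js"/>
  </testsuite>
</testsuites>
"""

# Lowest to highest; used to compare a finding against the build threshold.
SEVERITY_ORDER = ["Information", "Low", "Medium", "High"]


def parse_issues(report_xml: str):
    """Return one dict per <failure>; a <testcase> without one is a pass."""
    root = ET.fromstring(report_xml)
    issues = []
    for case in root.iter("testcase"):
        for failure in case.findall("failure"):
            issues.append({
                "name": case.get("name", ""),
                "url": case.get("classname", ""),
                "severity": failure.get("type", "Information"),
                # The failure body carries the request/response evidence.
                "evidence": (failure.text or "").strip(),
            })
    return issues


def severity_counts(issues):
    """Tally issues per severity for a one-line pipeline summary."""
    return Counter(issue["severity"] for issue in issues)


def should_fail_build(issues, threshold: str = "Medium") -> bool:
    """True when any issue is at or above the threshold severity."""
    rank = {name: i for i, name in enumerate(SEVERITY_ORDER)}
    limit = rank[threshold]
    # Unknown severity labels rank lowest rather than silently failing the build.
    return any(rank.get(issue["severity"], 0) >= limit for issue in issues)


if __name__ == "__main__":
    import sys
    found = parse_issues(SAMPLE_REPORT)
    for issue in found:
        print(f"[{issue['severity']}] {issue['name']} at {issue['url']}")
    print("summary:", dict(severity_counts(found)))
    sys.exit(1 if should_fail_build(found, threshold="Medium") else 0)
```

In a real pipeline you would read the report file Dastardly wrote instead of the embedded sample, and the exit code would gate the job. The threshold is deliberately a parameter: many teams fail on High immediately and track Low findings as tickets rather than blocking every merge on them.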

Troubleshooting Dastardly

PortSwigger provides support for any problems you may encounter when scanning applications using Dastardly. We do not provide support for problems involving your CI/CD platform, or integrating Dastardly with that platform.

If you have a problem with a Dastardly scan, please check our user forum and/or the Dastardly FAQs.