How to integrate DAST into your CircleCI pipeline?

By
Neda Ali
Reviewed by
Adheeb A
Published on
20 Jun 2024
11 min read
DevSecOps

DAST tools dynamically analyze running applications by simulating attacks and pinpointing potential weaknesses. Now, imagine weaving this security net directly into your CI pipeline through a plugin?

With its flexibility and extensibility, CircleCI becomes the perfect stage for orchestrating your security dance.

By integrating DAST seamlessly into your CircleCI workflow, you transform security from a gatekeeper to a partner in your development journey. In this blog we will show you how you can integrate DAST into your CircleCI pipeline.

Why does your organization need DAST?

Dynamic Application Security Testing (DAST) is a crucial component of any organization’s security strategy for several compelling reasons:

  • DAST dynamically analyzes running applications from the outside, simulating real-world attacks.

  • Unlike static analysis tools that inspect source code, DAST evaluates applications in their deployed state. This means it tests how the application behaves in a real-world environment, considering factors such as server configurations, runtime dependencies, and user inputs, resulting in more realistic security testing outcomes.

  • By incorporating DAST into your development workflow, vulnerabilities can be detected early in the software development lifecycle. This allows teams to address security issues promptly, minimizing the potential impact and cost of remediation.

  • DAST helps organizations to ensure compliance with data protection and privacy regulations.

Now DAST has become an irreplaceable tool in the arsenal of a lot of organizations’ application security programs.

In this article we will learn how to automate your secure deployment by integrating DAST into your CircleCI pipeline, leveraging the powerful capabilities of Beagle Security.

As a trusted leader in application security, Beagle Security offers an advanced DAST platform designed to enhance the security posture of your applications while seamlessly integrating into your existing DevOps workflows.

What is secure deployment?

Secure deployment refers to the process of deploying software or applications in a manner that minimizes security risks and ensures the integrity, confidentiality, and availability of the deployed system.

It encompasses a series of practices and procedures designed to protect the application and its underlying infrastructure from potential security threats throughout the deployment process.

Implementing secure settings, disabling unnecessary services, and applying patches and updates regularly to address known vulnerabilities ensures that all components are deployed securely.

What is CircleCI?

CircleCI is a cutting-edge continuous integration and continuous delivery (CI/CD) platform that revolutionizes the software development lifecycle. It automates the process from code commit to deployment, ensuring efficiency and reliability throughout.

With CircleCI, teams can build, test, and deploy applications, all while minimizing manual errors and accelerating time-to-market.

Additionally, CircleCI facilitates seamless continuous delivery by automating the deployment of applications to various environments post-testing.

Integrating DAST into your CircleCI pipeline

Integrating DAST into your CircleCI pipeline is a strategic move towards bolstering your application’s security posture.

Two major prerequisites must be met before integration:

  • Access to a CircleCI account and project.

  • Access to a Beagle Security account with valid access and application tokens.

Step 1: Configure your CircleCI project

Circle CI home page
  • Sign in to your CircleCI account.

  • Select your project: Navigate to the project for which you want to enable Beagle Security’s automated penetration tests.

  • Configure config.yml:

Create a .circleci folder in your project repository if it doesn’t exist.

Within the .circleci folder, create or modify the config.yml file.

Circle CI yml file

Step 2: Add Beagle trigger job to Config.yml

  • Add the following snippet to the jobs: section of your config.yml file:
jobs: 

  beagle-trigger: 

    docker: 

      - image: beaglesecurity/beagle-test-trigger-common:latest 

    steps: 

      - run: 

          command: trigger-test

Step 3: Configure workflow

Circle CI configuration

Add the beagle-trigger job to the jobs: section of your workflow:

workflows: 

  version: 2 

  your-workflow-name: 

    jobs: 

      - job-1 

      - job-2 

      - beagle-trigger 

Replace your-workflow-name with the name of your CircleCI workflow and ensure that job-1 and job-2 represent your existing jobs.

Step 4: Set environment variables

Add the required environment variables (ACCESS_TOKEN and APPLICATION_TOKEN) to your CircleCI project:

  • Click on the gear icon in your CircleCI project.

  • Navigate to environment variables and click on Add Variable.

Environment variables
  • Ensure that the variable names are set as follows: ACCESS_TOKEN and APPLICATION_TOKEN.
Environment variables addition screen

Set their corresponding values to your Beagle Security access token and application token, respectively.

Step 5: Generating access token in Beagle Security

  • You can locate your Personal Access Token either by accessing the Profile drop-down menu or by navigating to the Profile section.
Accessing personal access token in Beagle Security
Creating access token in Beagle Security
  • Click on the New personal access token button to generate a fresh one.

  • Name the access token and optionally set an expiry date.

  • Define the token’s Scope based on your specific requirements.

  • Once created, you’ll receive a unique access token that can be copied for use.

Step 6: Where can you find the application token in Beagle Security?

To get the application token, you must first add the URL as an application within Beagle Security.

Application token in Beagle Security
  • Go to the Application and navigate to its Settings.

  • Select the General tab.

  • You’ll be able to copy the Application token for the specific application from there

Step 6: Trigger the build

  • Now, trigger your CircleCI build, either through a code push, pull request, or manually via the CircleCI dashboard.

Step 7: Monitor Beagle trigger workflow

  • Once the build is triggered, monitor the CircleCI dashboard to observe the beagle-trigger job executing. This job will initiate Beagle Security’s automated penetration test on your application.

Step 8: Viewing vulnerabilities in Beagle Security after DAST

Once the DAST is completed for the CircleCI pipeline, you can view the results from your Beagle Security dashboard.

You’ll be able to see the following details in the application dashboard:

  • Security score of the application

  • Vulnerability classification based on criticality

  • Graphs for vulnerability catalog & vulnerability classification

  • OWASP Top 10 indicator mapping

  • Security posture of the application over a period

  • Vulnerability fixing rate graph

  • Past test sessions

Check out a demo application dashboard in Beagle Security.

Beagle Security application dashboard

To delve deeper into the vulnerabilities, you can go to the detailed results dashboard of a particular test session. The results dashboard will include the following information:

  • Detailed listings of all vulnerability findings

  • Vulnerability tags and classification for each vulnerability finding against security standards

  • Detailed description, contextual recommendation, proof of exploit and occurrences of each vulnerability finding

  • Classification of vulnerability findings against OWASP, OWASP Top 10 & CWE Top 25

  • You can also download these results as PDF reports against OWASP, HIPAA, GDPR & PCI DSS standards

Check out a demo results dashboard in Beagle Security.

Beagle Security result dashboard

Summing up

Integrating Beagle Security’s DAST into your CircleCI pipeline automation is a strategic decision that fortifies your application’s security while streamlining your development workflow.

It fosters a culture of security-conscious development within your team, where security considerations are integrated into every code change and deployment.

You can automate DAST scans, receive actionable insights into potential security risks, and accelerate the delivery of secure and reliable software to your users with Beagle Security.

Ultimately, by prioritizing security within your CircleCI pipeline, you demonstrate a commitment to delivering high-quality products that instill trust and confidence among your customers and stakeholders.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Neda Ali
Neda Ali
Product Marketing Specialist
Contributor
Adheeb A
Adheeb A
DevSecOps Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.