Breach and Attack Simulation (ULTIMATE ALL)
- Introduced in GitLab 15.11 as an Incubating feature.
- Included in the `Security/BAS.latest.gitlab-ci.yml` template in GitLab 16.0.
DISCLAIMER: Breach and Attack Simulation is a set of incubating features being developed by the Incubation Engineering Department and is subject to significant changes over time.
Breach and Attack Simulation (BAS) uses additional security testing techniques to assess the risk of detected vulnerabilities and prioritize the remediation of exploitable vulnerabilities.
For feedback, bug reports, and feature requests, see the feedback issue.
WARNING: Only run BAS scans against test servers. Testing attacker behavior can lead to modification or loss of data.
Extend Dynamic Application Security Testing (DAST)
You can simulate attacks with DAST to detect vulnerabilities. By default, DAST active checks match an expected response, or determine by response time whether a vulnerability was exploited.
To enable BAS extended DAST scanning for your application, use the `dast_with_bas` job defined in the GitLab BAS CI/CD template file. Updates to the template are provided with GitLab upgrades, allowing you to benefit from any improvements and additions.
- Include the appropriate CI/CD template:
  - `BAS.latest.gitlab-ci.yml`: Latest version of the BAS template. (Introduced in GitLab 16.0).
  WARNING: The latest version of the template may include breaking changes. Use the stable template unless you need a feature provided only in the latest template.
  For more information about template versioning, see the CI/CD documentation.
- Choose one of the following options for running BAS extended DAST scans:
  - Enable a separate BAS extended DAST job
    - You're not using the latest DAST template yet.
    - Continue using a stable version of the DAST security analyzer image for DAST scans.
    - Create a duplicate `dast_with_bas` job which extends your existing DAST job configuration.
  - Extend an existing DAST job
    - You're already using the latest DAST template rather than the stable template.
    - Extend your existing DAST job to include the latest DAST security analyzer image tag from the Breach and Attack Simulation SEG.
- Set up a callback server to enable callback attacks.
Enable a separate BAS extended DAST job
To maintain a separate DAST job while testing the BAS extended DAST image:
- Add a `dast` stage to your GitLab CI/CD stages configuration:

  ```yaml
  stages:
    - build
    - test
    - deploy
    - dast
  ```

- Set the `DAST_WEBSITE` CI/CD variable:

  ```yaml
  dast_with_bas:
    variables:
      DAST_WEBSITE: http://yourapp
  ```
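The two fragments above assembled into one complete `.gitlab-ci.yml`, as an added example (not part of the GitLab documentation or the BAS template itself). It assumes the existing DAST scan comes from the stable `Security/DAST.gitlab-ci.yml` template, which is the situation this option is meant for, and that `http://yourapp` is a placeholder for a test deployment of the application:

```yaml
# Added example: complete pipeline for a separate BAS extended DAST job.
include:
  # Assumption: the existing DAST job comes from the stable DAST template.
  - template: Security/DAST.gitlab-ci.yml
  # Provides the dast_with_bas job and the .dast_with_bas hidden jobs.
  - template: Security/BAS.latest.gitlab-ci.yml

# The BAS job runs in the dast stage, so the stage must exist.
stages:
  - build
  - test
  - deploy
  - dast

# The stable dast job keeps scanning as before; dast_with_bas runs alongside it
# with the BAS extended analyzer image against the same test site.
dast:
  variables:
    DAST_WEBSITE: http://yourapp   # placeholder: URL of the test deployment

dast_with_bas:
  variables:
    DAST_WEBSITE: http://yourapp   # placeholder: same test deployment
```

Because the BAS scan is a separate job, a regression in the incubating image does not affect the results of the stable `dast` job, which is the reason the page recommends this option while you are still on the stable DAST template.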
Extend an existing DAST job
To enable Breach and Attack Simulation features inside of an existing DAST job:
- Follow the steps in Create a DAST CI/CD job.
- Extend your DAST job's configuration using the `extends` keyword:

  ```yaml
  dast:
    extends: .dast_with_bas
  ```

- Disable the `dast_with_bas` job included in the BAS template by setting `DAST_BAS_DISABLED`:

  ```yaml
  variables:
    DAST_BAS_DISABLED: "true"
  ```
Enable callback attacks
DISCLAIMER: This page contains information related to upcoming products, features, and functionality. It is important to note that the information presented is for informational purposes only. Please do not rely on this information for purchasing or planning purposes. As with all projects, the items mentioned on this page are subject to change or delay. The development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Callback attacks perform Out-of-Band Application Security Testing (OAST) for certain active checks: instead of judging exploitation only from the target's response, the check waits for the target to contact a callback service.
- Extend the `.dast_with_bas_using_services` job configuration using the `extends` keyword:

  ```yaml
  dast:
    extends: .dast_with_bas_using_services

  dast_with_bas:
    extends:
      # NOTE: extends overwrites rather than merges so dast must be included in this list.
      - dast
      - .dast_with_bas_using_services
  ```

- Use a `!reference` tag to pull in the default `callback` service container in your `services`:

  ```yaml
  services:
    # NOTE: services overwrites rather than merges so it must be referenced to merge.
    - !reference [.dast_with_bas_using_services, services]
    - name: $CI_REGISTRY_IMAGE
      alias: yourapp
  ```
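The steps of "Extend an existing DAST job" and "Enable callback attacks" combined into one complete `.gitlab-ci.yml`, as an added example (not part of the GitLab documentation or the BAS template). It assumes the latest DAST template `Security/DAST.latest.gitlab-ci.yml` provides the `dast` job, that an earlier stage has built and pushed the application image as `$CI_REGISTRY_IMAGE`, and, following the callback step above, that `.dast_with_bas_using_services` is used in place of `.dast_with_bas`:

```yaml
# Added example: extend the existing dast job with BAS and callback attacks.
include:
  # Assumption: the latest DAST template is already in use (this option requires it).
  - template: Security/DAST.latest.gitlab-ci.yml
  - template: Security/BAS.latest.gitlab-ci.yml

stages:
  - build
  - test
  - deploy
  - dast

variables:
  # The BAS template also defines its own dast_with_bas job. Disable it so the
  # extended dast job below is the only BAS scan in the pipeline.
  DAST_BAS_DISABLED: "true"

dast:
  # Hidden job from the BAS template that carries the BAS configuration and
  # the callback service (used here instead of .dast_with_bas, as in the
  # callback step above).
  extends: .dast_with_bas_using_services
  services:
    # NOTE: services overwrites rather than merges, so the default callback
    # service must be referenced explicitly to keep it.
    - !reference [.dast_with_bas_using_services, services]
    # Assumption: the application under test was pushed as $CI_REGISTRY_IMAGE
    # by an earlier stage; the alias makes it reachable as http://yourapp.
    - name: $CI_REGISTRY_IMAGE
      alias: yourapp
  variables:
    # Placeholder: the service container above, i.e. a test instance.
    DAST_WEBSITE: http://yourapp
```

Both the application container and the callback service run as `services` of the same job, so container-to-container networking is what lets the callback service observe out-of-band requests from the application. If the `!reference` line is dropped, the `services` list replaces the template's list entirely and the callback service silently disappears, which is why the page calls it out.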
You can also manually enable callback attacks by making sure to:
- Set the `DAST_FF_ENABLE_BAS` CI/CD variable to `true`.
- Enable both the application being tested and the callback service container using `services`.
- Enable container-to-container networking, making the callback service accessible in the job.
- Set `DAST_BROWSER_CALLBACK` to include the `Address:$YOUR_CALLBACK_URL` key/value pair, where the callback service is accessible to the Runner/DAST container.