DAST Scanner

Table of Contents

1. Purpose

2. Installation

3. Quick Start

4. Usage

5. Built-in Scan Profiles

6. Authentication

7. CI/CD Integration

8. Command Reference

9. Exit Codes

Purpose

The DAST Scanner (xy-dast) performs automated dynamic security testing of running web applications and REST APIs. It tests applications from the outside -- simulating real-world attacks against live endpoints -- to identify vulnerabilities that are only exploitable at runtime.

The scanner supports different application types:

• Traditional server-rendered web apps (PHP, JSP, ASP.NET)

• SPA JavaScript-heavy Single Page Applications (React, Angular, Vue)

• REST API with OpenAPI/Swagger specifications

Installation

The DAST scanner is distributed as a Docker image (xygeni/xy-dast). Install a lightweight wrapper directly from the image — no separate download is needed. The wrapper is a small, signed script that delegates to docker compose run, so once installed you invoke xy-dast as if it were a native command.

Requirements

• Docker Engine 20.10+ (or Docker Desktop) with Compose v2 — i.e. the docker compose ... subcommand. The legacy docker-compose v1 binary is not supported.

• A directory on your PATH to drop the wrapper into. This guide uses ~/.local/bin (Linux/macOS) and %USERPROFILE%\.local\bin (Windows).

Step 1 — Create the install directory and ensure it is on your PATH

This is the most common source of "command not found: xy-dast" issues. The install directory must exist before the install command (Docker creates it as root if it does not, which then fails to write), and it must be on your PATH for the short xy-dast command to work.

Step 2 — Install the wrapper from the Docker image

The image's install subcommand drops two files into the mounted directory: the xy-dast wrapper script itself and a sidecar xy-dast-compose.yml that holds the image reference, environment forwarding, and runtime parameters.

Verify:

If you get command not found (or not recognized as ... cmdlet), revisit Step 1 — the directory is almost certainly not on your PATH yet.

Quick install vs. secure install

The plain install command above is a quick install: convenient for desktop and ad-hoc use. The wrapper itself is signed at release time, but the image reference written into xy-dast-compose.yml is a mutable tag (e.g. xygeni/xy-dast:6.7.0).

For production environments — and any setting that needs defence-in-depth against registry-side supply-chain attacks — use the secure install flow, which pins the image to its immutable digest and verifies the cosign (Sigstore keyless) signature before installing:

To upgrade later, repeat the four-step flow with the new version.

How the wrapper works

• It is a pre-built, byte-stable script signed at release time (Authenticode for .ps1); install copies it byte-exact so the signature is preserved.

• It delegates to docker compose -f xy-dast-compose.yml run --rm xy-dast …. Compose handles env forwarding (XYGENI_TOKEN, XYGENI_URL, XYGENI_DASHBOARD_URL, XYGENI_DAST_DIR), network_mode: host, and shm_size: 2gb.

• When you pass -o <file>, the wrapper mounts the output directory into the container so the report appears on your host filesystem.

• It looks for the sidecar at <wrapper-dir>/xy-dast-compose.yml by default. Override the location with the XY_DAST_COMPOSE_FILE environment variable. To pin a different image, edit the image: line in the sidecar or re-run install --image <ref>.

Quick Start

Scan a web application:

Results are uploaded to the Xygeni platform by default. To save a local report instead, use -o:

Scan a REST API with an OpenAPI specification:

Scan a Single Page Application:

Scan a GraphQL API:

Scan a SOAP web service:

Usage

The DAST Scanner is launched using the xy-dast scan [options] command.

To view all available options, use the --help flag:

The most important options are:

• Target URL (-u or --url) -- the base URL of the application to scan (required).

• Scan profile (-p or --profile) -- selects the scan strategy: traditional, spa, openapi, quick, or deep.

• OpenAPI spec (--openapi) -- URL or file path to an OpenAPI/Swagger specification (for REST API scans).

• Output file (-o or --output) -- path for the JSON report. Use - for stdout.

• Project name (-n or --project-name) -- identifies the project in the Xygeni platform.

• Upload -- reports are uploaded to the Xygeni backend by default. Disable with --no-upload.

• Filtering -- use --exclude-rules to skip noisy rules, or --risk-threshold to set a minimum severity.

Custom Scan Settings

Override timing defaults directly from the command line:

Run a passive-only scan (no active attacks):

Filtering Results

Deep Crawl

The --deep-crawl option runs a headless browser-based crawler before the main scan. It discovers URLs that traditional spiders miss, especially in JavaScript-heavy applications where content is rendered dynamically.

Discovered URLs are fed as seed URLs into the scanner's spider, improving coverage.

You can tune the crawl depth and timeout:

The deep profile enables deep crawl by default.

Vulnerability Check

The --vuln-check option runs a template-based vulnerability scanner after the main scan completes. It checks the discovered endpoints against thousands of known CVEs, misconfigurations, and exposures — complementing the active scanning with signature-based detection.

Both features can be combined for maximum coverage:

Vulnerability check findings appear in the same report as regular scan findings, with detector IDs prefixed by vuln/ (e.g., vuln/CVE-2021-44228). See DAST Detectors for details.

You can filter by severity and control the scan rate:

The deep profile enables vulnerability check by default.

Automatic Profile Selection

If you are unsure which profile fits your target, use --auto-profile to let the scanner probe the application and select the most appropriate profile:

This detects the technology stack (e.g., React SPA, REST API with OpenAPI) and selects the corresponding profile. If --profile is also specified, it takes precedence.

To see the available profiles:

Built-in Scan Profiles

Profiles control how the scanner behaves for different types of applications. Select a profile with --profile <name>.

List all available profiles (including custom ones):

Authentication

The DAST scanner supports authenticated scanning to test areas of the application behind login.

Form-Based Login

Bearer Token

Read the token from an environment variable to avoid exposing secrets in command history:

API Key / Custom Header

For APIs that authenticate via a custom header (e.g., X-API-Key):

HTTP Basic Authentication

For targets protected with HTTP Basic auth (RFC 7617):

Client Certificate (mTLS)

For targets that require mutual TLS, supply a PKCS#12 (.p12 / .pfx) certificate. The password is read from an environment variable and is redacted from any log output:

mTLS is orthogonal to the other authentication methods — combine it with --bearer-token, --api-key-*, --basic-*, or form login when the target requires both transport-level and application-level auth. The certificate path can also be set via the clientCertificate block in a profile YAML.

CI/CD Integration

Use --quiet for minimal output and --fail-on to gate builds on vulnerability severity:

The --quiet flag outputs a single summary line:

Pipe JSON to stdout for downstream processing:

SARIF output for GitHub Code Scanning

--format sarif produces SARIF v2.1.0 output that GitHub Code Scanning, Azure DevOps, the VS Code SARIF Viewer, and most CI/CD security dashboards ingest natively. Findings appear in the repo's Security → Code scanning tab alongside SAST/SCA results.

The --format flag only affects the file written by -o. The Xygeni backend upload payload (when --no-upload is omitted) is always Xygeni JSON regardless of --format.

Saving raw scan artifacts

Use --keep-details to save the underlying scanner output and the generated automation plan alongside the report. This is the easiest way to debug a scan that does not produce expected findings:

GitHub Actions Example

GitLab CI Example

Command Reference

Exit Codes

Environment Variables