Skip to content

Stage: dast

The dast stage runs dynamic application security testing against the running application — what static analysis can’t see: misconfigured headers, exposed endpoints, auth gaps. It runs after the dev deploy and feeds its findings back into the evidence trail. All jobs are allow_failure: true.

Part of the Full pipeline action map. Use the Fullscreen button on the diagram to view it edge-to-edge.

flowchart TD
  DEPLOY["deploy:helm:dev<br/>(optional dependency)"]
  BOOT["dast:bootstrap-profiles<br/>create/refresh ZAP scanner + site profiles"]

  subgraph LIVE["Against the live dev cluster"]
    direction TB
    PORTAL["dast:portal:dev<br/>ZAP baseline — karc-portal"]
    PODTATO["dast:podtato:dev<br/>ZAP baseline — podtato-head"]
  end

  CI["dast:podtato:ci<br/>in-CI passive scan of frontend image<br/>(no cluster, ~5 min, every MR)"]

  subgraph MAN["On-demand (manual)"]
    direction TB
    OD1["dast:on-demand — portal"]
    OD2["dast:podtato:on-demand — podtato"]
    RPT["dast:postsync:qa:report<br/>re-attest in-cluster qa scan to Evidence Vault / Fides"]
  end

  DEPLOY --> LIVE
  BOOT --> LIVE

  class BOOT,PORTAL,PODTATO,CI,OD1,OD2,RPT dast
  class DEPLOY io
  classDef dast fill:#e8590c,stroke:#9a3b08,color:#ffffff
  classDef io fill:#57606a,stroke:#32383f,color:#ffffff
JobWhat it doesWhy
dast:bootstrap-profilesCreates/refreshes the ZAP scanner profile and the per-cloud site profiles.Corrects profile drift automatically; rerun after token rotation.
dast:portal:devZAP baseline scan of the deployed karc-portal (skips k3d/MR/no-creds).Automated post-deploy security validation on main.
dast:podtato:devZAP baseline scan of the deployed podtato-head entry service.Same pattern as the portal, against the demo app’s ingress.
dast:podtato:ciPassive scan of the frontend image in the pipeline (no deploy).A fast (~5 min) DAST pass on every MR without needing a cluster or public URL.
dast:on-demand, dast:podtato:on-demandManual ZAP scans against a fixed target URL.Operator-driven scanning outside the automatic flow.
dast:postsync:qa:reportFetches a qa in-cluster ZAP report and re-attests it to the Evidence Vault.Fallback when the in-cluster attestation couldn’t reach the Evidence Vault (transient egress).

Static scans (in security) prove the code and images are clean at rest; DAST proves the application is safe while running. Running it after the dev deploy means there’s a live target, and the fast in-CI passive scan gives every merge request a dynamic check even before a cluster deploy exists.


Stages: deploy-devdastdeploy-qa · all stages