Stage: dast
The dast stage runs dynamic application security testing against the
running application — what static analysis can’t see: misconfigured headers,
exposed endpoints, auth gaps. It runs after the dev deploy and feeds its
findings back into the evidence trail. All jobs are allow_failure: true.
Part of the Full pipeline action map. Use the Fullscreen button on the diagram to view it edge-to-edge.
flowchart TD
DEPLOY["deploy:helm:dev<br/>(optional dependency)"]
BOOT["dast:bootstrap-profiles<br/>create/refresh ZAP scanner + site profiles"]
subgraph LIVE["Against the live dev cluster"]
direction TB
PORTAL["dast:portal:dev<br/>ZAP baseline — karc-portal"]
PODTATO["dast:podtato:dev<br/>ZAP baseline — podtato-head"]
end
CI["dast:podtato:ci<br/>in-CI passive scan of frontend image<br/>(no cluster, ~5 min, every MR)"]
subgraph MAN["On-demand (manual)"]
direction TB
OD1["dast:on-demand — portal"]
OD2["dast:podtato:on-demand — podtato"]
RPT["dast:postsync:qa:report<br/>re-attest in-cluster qa scan to Evidence Vault / Fides"]
end
DEPLOY --> LIVE
BOOT --> LIVE
class BOOT,PORTAL,PODTATO,CI,OD1,OD2,RPT dast
class DEPLOY io
classDef dast fill:#e8590c,stroke:#9a3b08,color:#ffffff
classDef io fill:#57606a,stroke:#32383f,color:#ffffff
Jobs in this stage
Section titled “Jobs in this stage”| Job | What it does | Why |
|---|---|---|
dast:bootstrap-profiles | Creates/refreshes the ZAP scanner profile and the per-cloud site profiles. | Corrects profile drift automatically; rerun after token rotation. |
dast:portal:dev | ZAP baseline scan of the deployed karc-portal (skips k3d/MR/no-creds). | Automated post-deploy security validation on main. |
dast:podtato:dev | ZAP baseline scan of the deployed podtato-head entry service. | Same pattern as the portal, against the demo app’s ingress. |
dast:podtato:ci | Passive scan of the frontend image in the pipeline (no deploy). | A fast (~5 min) DAST pass on every MR without needing a cluster or public URL. |
dast:on-demand, dast:podtato:on-demand | Manual ZAP scans against a fixed target URL. | Operator-driven scanning outside the automatic flow. |
dast:postsync:qa:report | Fetches a qa in-cluster ZAP report and re-attests it to the Evidence Vault. | Fallback when the in-cluster attestation couldn’t reach the Evidence Vault (transient egress). |
Why this stage exists
Section titled “Why this stage exists”Static scans (in security) prove the code and images are clean at rest; DAST proves the application is safe while running. Running it after the dev deploy means there’s a live target, and the fast in-CI passive scan gives every merge request a dynamic check even before a cluster deploy exists.
Stages: deploy-dev → dast → deploy-qa · all stages