Description

Dynamic Application Security Testing (DAST) should be run as a part of the product CI. It requires a deployed instance of the Offering or application, so it is best owned by the QE team, who should already have a process to automatically deploy such an environment and relevant expertise in testing methodologies.
DAST must be performed prior to any major version release and following significant changes in the code base or architecture. If your workflow supports it, we recommend running it more often as part of QE.
We recommend integrating DAST into the CI/CD pipeline if possible and during QE.

Definition of Done

• DAST has been integrated into the product CI or is run as part of the QE test plans prior to any major version release and following significant changes in the code base or architecture.
• One of the following:
  • A link to the CI definition that shows a DAST tool has been integrated into the pipeline has been added to https://product-security.pages.redhat.com/offering-registry/offerings/openshift-servicemesh/evidence/dast/
  • A link to the QE test plans that show a DAST tool is run has been added to https://product-security.pages.redhat.com/offering-registry/offerings/openshift-servicemesh/evidence/dast/

References and Examples

• Example DAST Workflow Integration
• DAST Workflow