Integrating Dastardly with your CI/CD platform (generic instructions)

  • Last updated: July 3, 2023

  • Read time: 2 Minutes


Specific instructions are available for integrating Dastardly with the following CI/CD platforms:

You can integrate Dastardly with any CI/CD platform. Integration enables you to run Dastardly web vulnerability scans as a stage in your existing CI/CD pipeline.

For information on the machine specification required to run Dastardly scans, see the Dastardly system requirements.

To integrate Dastardly with your CI/CD pipeline, include the following docker run command in your pipeline script:

docker run --user $(id -u) --rm -v $(pwd):/dastardly -e \ DASTARDLY_TARGET_URL=https://ginandjuice.shop -e \ DASTARDLY_OUTPUT_FILE=/dastardly/dastardly-report.xml \ public.ecr.aws/portswigger/dastardly:latest


You can set DASTARDLY_TARGET_URL to a seed URL for any application you want to scan.

In this example, DASTARDLY_TARGET_URL is set to https://ginandjuice.shop/ - this is a deliberately vulnerable web application designed for testing web vulnerability scanners.

The next time your pipeline runs, Dastardly will scan the application you have set under DASTARDLY_TARGET_URL.


You need to set DASTARDLY_OUTPUT_FILE to a location mapped to a directory on your machine - as in the example above.

The example above uses $(pwd) to map the /dastardly volume to your present working directory.

The Dastardly output file is a JUnit XML report that can be parsed by any JUnit XML parser.

If you run the command above multiple times, you will overwrite the JUnit report written by Dastardly.

Dastardly scan results

Dastardly scan results are available as a JUnit XML file when a scan is complete. Scans run for a maximum of ten minutes.

Remediation advice

Dastardly scan results include remediation advice for any security issues they find. This advice includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.


Dastardly scan results include evidence for any security issues found. This evidence includes the request sent by Dastardly to produce the issue, as well as the response sent by the application.

Was this article helpful?