diff --git a/app/roadmap/devsecops/page.tsx b/app/roadmap/devsecops/page.tsx
index cf222740f..058a50a0f 100644
--- a/app/roadmap/devsecops/page.tsx
+++ b/app/roadmap/devsecops/page.tsx
@@ -247,6 +247,7 @@ const milestones: DevSecOpsMilestone[] = [
icon: Bug,
priority: 'important',
estimatedHours: 20,
+ link: '/guides/dast-integration',
},
{
name: 'Supply Chain Security',
diff --git a/content/guides/dast-integration/01-fundamentals.md b/content/guides/dast-integration/01-fundamentals.md
new file mode 100644
index 000000000..edd4bdbd1
--- /dev/null
+++ b/content/guides/dast-integration/01-fundamentals.md
@@ -0,0 +1,207 @@
+---
+title: 'DAST Fundamentals'
+description: 'Understand how Dynamic Application Security Testing works, the types of scans, and when to use DAST in your security strategy.'
+---
+
+# DAST Fundamentals
+
+Dynamic Application Security Testing (DAST) is a "black box" security testing approach that finds vulnerabilities by interacting with your running application. Unlike static analysis that reads code, DAST sends requests and analyzes responses—exactly like an attacker would.
+
+## How DAST Works
+
+A DAST scanner follows this workflow:
+
+### 1. Discovery (Crawling)
+
+The scanner explores your application to build a map of all endpoints:
+
+```bash
+# Example: ZAP spider discovers endpoints
+GET /
+GET /api/users
+GET /api/products
+POST /api/login
+```
+
+It follows links, submits forms, and executes JavaScript to find all possible entry points.
+
+### 2. Analysis (Passive Scanning)
+
+While crawling, the scanner passively analyzes responses for issues:
+
+- Missing security headers (CSP, HSTS, X-Frame-Options)
+- Exposed sensitive information (stack traces, version numbers)
+- Insecure cookies (missing HttpOnly, Secure flags)
+- Weak SSL/TLS configurations
+
+**No attacks yet**—just observation.
+
+### 3. Attack (Active Scanning)
+
+The scanner actively probes each endpoint with attack payloads:
+
+```bash
+# SQL Injection test
+GET /api/users?id=1' OR '1'='1
+
+# XSS test
+GET /search?q=
+
+# Path Traversal test
+GET /files?path=../../../../etc/passwd
+```
+
+It analyzes responses to detect vulnerabilities:
+- Database errors → SQL injection possible
+- Script in response → XSS vulnerability
+- Sensitive file content → Path traversal
+
+### 4. Reporting
+
+Results are categorized by:
+- **Severity**: Critical, High, Medium, Low, Informational
+- **Confidence**: High, Medium, Low (likelihood of true positive)
+- **CWE/CVE**: Standard vulnerability identifiers
+- **OWASP Top 10**: Mapping to common vulnerability categories
+
+## Types of DAST Scans
+
+### Passive Scans
+
+**What**: Observe traffic without attacking
+**When**: Always-on monitoring, production environments
+**Speed**: Fast (no delays)
+**Risk**: None
+
+```yaml
+# Example: ZAP passive scan in CI/CD
+- name: Passive DAST
+ run: |
+ zap-baseline.py -t https://staging.example.com \
+ -r report.html
+```
+
+**Use cases**:
+- Continuous monitoring of production traffic
+- Initial reconnaissance
+- Compliance checks (security headers, cookie flags)
+
+### Active Scans
+
+**What**: Send attack payloads to test vulnerabilities
+**When**: Staging/test environments
+**Speed**: Slow (can take hours)
+**Risk**: High (can cause damage)
+
+```yaml
+# Example: ZAP active scan
+- name: Active DAST
+ run: |
+ zap-full-scan.py -t https://staging.example.com \
+ -r report.html \
+ -z "-config api.maxchildren=2"
+```
+
+**Use cases**:
+- Pre-release security testing
+- Penetration testing
+- Comprehensive vulnerability assessment
+
+### API Scans
+
+**What**: Test API endpoints using OpenAPI/Swagger specs
+**When**: APIs, microservices
+**Speed**: Medium
+**Risk**: Medium
+
+```bash
+# Example: ZAP API scan with OpenAPI spec
+zap-api-scan.py \
+ -t https://api.example.com/openapi.json \
+ -f openapi \
+ -r report.html
+```
+
+**Use cases**:
+- REST API security testing
+- GraphQL endpoint testing
+- Microservice security validation
+
+## What DAST Finds
+
+### Common Vulnerabilities Detected
+
+DAST tools can identify many critical vulnerabilities:
+
+- **SQL Injection**: Detects database query manipulation attempts
+- **Cross-Site Scripting (XSS)**: Finds script injection points
+- **Broken Authentication**: Tests session management and auth flows
+- **Sensitive Data Exposure**: Identifies unencrypted data transmission
+- **XML External Entities (XXE)**: Tests for XML parser vulnerabilities
+- **Broken Access Control**: Checks for IDOR and path traversal
+- **Security Misconfiguration**: Finds default credentials and misconfigurations
+- **Server-Side Request Forgery (SSRF)**: Tests for internal resource access
+
+### What DAST Misses
+
+DAST has blind spots:
+
+- **Unauthenticated endpoints**: Can't test behind login without credentials
+- **Complex workflows**: Multi-step attacks requiring business logic
+- **Client-side vulnerabilities**: Issues in mobile apps, desktop clients
+- **Code-level flaws**: Buffer overflows, race conditions (need SAST)
+- **Logic bugs**: Business rule violations that don't trigger errors
+
+## When to Use DAST
+
+### Perfect for:
+
+- **Pre-production validation**: Test staging before release
+- **API security**: Validate REST/GraphQL endpoints
+- **Compliance**: Meet PCI-DSS, SOC 2 requirements
+- **Regression testing**: Ensure security fixes work
+- **Third-party apps**: Test applications without source code
+
+### Not ideal for:
+
+- **Early development**: Too slow for fast iteration (use SAST)
+- **Production environments**: Risk of downtime/damage
+- **Complex authentication**: Requires manual setup
+- **Performance testing**: DAST scans are slow
+
+## DAST in the SDLC
+
+Integrate DAST at multiple stages for comprehensive security coverage. Best practice is to run DAST in staging environments with production-like configurations.
+
+## Common DAST Tools
+
+Popular DAST tools include:
+
+- **OWASP ZAP**: Open source, excellent for automation and CI/CD
+- **Burp Suite**: Commercial tool, best for manual testing and advanced features
+- **Nuclei**: Open source, fast scans with custom rules
+- **Acunetix**: Commercial, enterprise-focused with compliance features
+- **Netsparker**: Commercial, automated verification capabilities
+- **Arachni**: Open source, designed for web apps and distributed scanning
+
+## Key Metrics
+
+Track these to measure DAST effectiveness:
+
+- **Scan coverage**: Percentage of endpoints tested
+- **Vulnerability density**: Issues per 1000 requests
+- **False positive rate**: Percentage of findings that aren't real
+- **Mean time to remediate (MTTR)**: Days from detection to fix
+- **Scan duration**: Time to complete full scan
+
+## Next Steps
+
+Now that you understand DAST fundamentals:
+
+1. **[OWASP ZAP](./02-owasp-zap)** — Learn the most popular open-source DAST tool
+2. **[Burp Suite](./03-burp-suite)** — Master professional penetration testing
+3. **[CI/CD Integration](./04-cicd-integration)** — Automate DAST in your pipeline
+
+---
+
+**Remember**: DAST is one layer of defense. Combine with SAST, dependency scanning, and infrastructure security for comprehensive protection.
diff --git a/content/guides/dast-integration/02-owasp-zap.md b/content/guides/dast-integration/02-owasp-zap.md
new file mode 100644
index 000000000..b5c994698
--- /dev/null
+++ b/content/guides/dast-integration/02-owasp-zap.md
@@ -0,0 +1,363 @@
+---
+title: 'OWASP ZAP'
+description: 'Master OWASP ZAP for automated security testing. Learn passive and active scanning, API testing, and CI/CD integration.'
+---
+
+# OWASP ZAP (Zed Attack Proxy)
+
+OWASP ZAP is the world's most popular free and open-source DAST tool. It's maintained by the OWASP Foundation and designed for finding security vulnerabilities in web applications during development and testing.
+
+## Why ZAP?
+
+- **Free and open source**: No licensing costs, unlimited scans
+- **CI/CD native**: Docker images and CLI tools for automation
+- **Active development**: Regular updates, strong community support
+- **Extensible**: 100+ add-ons for specialized testing
+- **Multi-platform**: Windows, macOS, Linux, Docker
+
+## Installation
+
+### Docker (Recommended for CI/CD)
+
+```bash
+# Pull the stable image
+docker pull ghcr.io/zaproxy/zaproxy:stable
+
+# Run ZAP in daemon mode
+docker run -u zap -p 8080:8080 \
+ ghcr.io/zaproxy/zaproxy:stable zap.sh \
+ -daemon -host 0.0.0.0 -port 8080 \
+ -config api.addrs.addr.name=.* \
+ -config api.addrs.addr.regex=true
+```
+
+### Desktop (For Manual Testing)
+
+```bash
+# macOS (Homebrew)
+brew install --cask owasp-zap
+
+# Linux (snap)
+sudo snap install zaproxy --classic
+
+# Windows (Chocolatey)
+choco install zap
+```
+
+### CLI Scripts (For Automation)
+
+ZAP provides three automation-friendly Docker images:
+
+```bash
+# 1. Baseline Scan (Passive only - safe for production)
+docker run -v $(pwd):/zap/wrk/:rw \
+ ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
+ -t https://example.com -r report.html
+
+# 2. Full Scan (Active - use on staging only)
+docker run -v $(pwd):/zap/wrk/:rw \
+ ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
+ -t https://staging.example.com -r report.html
+
+# 3. API Scan (OpenAPI/GraphQL)
+docker run -v $(pwd):/zap/wrk/:rw \
+ ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
+ -t https://api.example.com/openapi.json \
+ -f openapi -r report.html
+```
+
+## ZAP Scan Types
+
+### 1. Baseline Scan (Passive)
+
+**When**: Safe for production, quick checks
+**Duration**: 1-5 minutes
+**Risk**: None
+
+```bash
+# Minimal scan with passive rules only
+zap-baseline.py -t https://example.com
+
+# With additional options
+zap-baseline.py \
+ -t https://example.com \
+ -r baseline-report.html \
+ -J baseline-report.json \
+ -w baseline-report.md
+```
+
+**Detects**:
+- Missing security headers
+- Insecure cookies
+- Information disclosure
+- Outdated libraries (banner grabbing)
+
+### 2. Full Scan (Active)
+
+**When**: Staging/test environments only
+**Duration**: 30 minutes to several hours
+**Risk**: High (sends attacks)
+
+```bash
+# Full active + passive scan
+zap-full-scan.py \
+ -t https://staging.example.com \
+ -r full-report.html \
+ -z "-config api.maxchildren=5"
+```
+
+**Detects**: All passive issues + active vulnerabilities (SQL injection, XSS, etc.)
+
+### 3. API Scan
+
+**When**: REST/GraphQL APIs
+**Duration**: 10-30 minutes
+**Risk**: Medium
+
+```bash
+# OpenAPI/Swagger
+zap-api-scan.py \
+ -t https://api.example.com/openapi.json \
+ -f openapi \
+ -r api-report.html
+
+# GraphQL
+zap-api-scan.py \
+ -t https://api.example.com/graphql \
+ -f graphql \
+ -r api-report.html
+```
+
+## Configuration
+
+### Authentication
+
+ZAP can authenticate to test protected endpoints:
+
+```python
+# auth_config.py
+from zapv2 import ZAPv2
+
+zap = ZAPv2(apikey='your-api-key')
+
+# Form-based authentication
+zap.authentication.set_authentication_method(
+ contextid=0,
+ authmethodname='formBasedAuthentication',
+ authmethodconfigparams='loginUrl=https://example.com/login&loginRequestData=username%3D%7B%25username%25%7D%26password%3D%7B%25password%25%7D'
+)
+
+# Set user credentials
+zap.users.new_user(contextid=0, name='testuser')
+zap.users.set_authentication_credentials(
+ contextid=0,
+ userid=0,
+ authcredentialsconfigparams='username=test@example.com&password=testpass'
+)
+```
+
+### Context File
+
+Define scan scope and authentication in a context file:
+
+```yaml
+# zap-context.yaml
+env:
+ contexts:
+ - name: "My App"
+ urls:
+ - "https://staging.example.com"
+ includePaths:
+ - "https://staging.example.com/.*"
+ excludePaths:
+ - "https://staging.example.com/logout"
+ authentication:
+ method: "form"
+ parameters:
+ loginUrl: "https://staging.example.com/login"
+ loginRequestData: "username={%username%}&password={%password%}"
+ verification:
+ method: "response"
+ loggedInRegex: "\\QWelcome\\E"
+ loggedOutRegex: "\\QLogin\\E"
+ users:
+ - name: "test_user"
+ credentials:
+ username: "test@example.com"
+ password: "testpass123"
+```
+
+Use it:
+
+```bash
+zap-full-scan.py \
+ -t https://staging.example.com \
+ -n zap-context.yaml \
+ -r report.html
+```
+
+### Custom Rules
+
+Disable noisy or irrelevant rules:
+
+```bash
+# Disable specific rules
+zap-full-scan.py \
+ -t https://staging.example.com \
+ -c "rules-config.tsv" \
+ -r report.html
+```
+
+**rules-config.tsv**:
+```
+10021 IGNORE (X-Content-Type-Options)
+10038 IGNORE (Content Security Policy)
+10055 FAIL (CSP Scanner)
+```
+
+## Reports
+
+ZAP supports multiple report formats:
+
+```bash
+zap-full-scan.py -t https://example.com \
+ -r report.html \
+ -J report.json \
+ -w report.md \
+ -x report.xml
+```
+
+**Format comparison**:
+- **HTML** (`-r`): Human-readable, good for manual review
+- **JSON** (`-J`): Machine-parsable, for CI/CD pipelines
+- **Markdown** (`-w`): Lightweight, for GitHub Issues/PRs
+- **XML** (`-x`): Enterprise tools integration
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+name: DAST Scan
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+
+jobs:
+ zap_scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Start application
+ run: |
+ docker-compose up -d
+ sleep 30 # Wait for app to be ready
+
+ - name: ZAP Baseline Scan
+ uses: zaproxy/action-baseline@v0.10.0
+ with:
+ target: 'http://localhost:3000'
+ rules_file_name: '.zap/rules.tsv'
+ cmd_options: '-a'
+
+ - name: Upload ZAP Report
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: zap-report
+ path: report_html.html
+```
+
+### GitLab CI
+
+```yaml
+zap_scan:
+ stage: test
+ image: ghcr.io/zaproxy/zaproxy:stable
+ script:
+ - zap-baseline.py -t https://staging.example.com -r zap-report.html
+ artifacts:
+ when: always
+ paths:
+ - zap-report.html
+ expire_in: 1 week
+ allow_failure: true
+```
+
+### Jenkins
+
+```groovy
+pipeline {
+ agent any
+ stages {
+ stage('DAST Scan') {
+ steps {
+ script {
+ docker.image('ghcr.io/zaproxy/zaproxy:stable').inside {
+ sh 'zap-full-scan.py -t https://staging.example.com -r zap-report.html'
+ }
+ }
+ }
+ }
+ }
+ post {
+ always {
+ publishHTML([
+ reportDir: '.',
+ reportFiles: 'zap-report.html',
+ reportName: 'ZAP Security Report'
+ ])
+ }
+ }
+}
+```
+
+## Best Practices
+
+1. **Start with baseline scans** - Passive scanning is safe and fast
+2. **Use context files** - Define authentication and scope
+3. **Tune false positives** - Disable irrelevant rules for your stack
+4. **Fail builds on high/critical** - Use `-l FAIL` to set thresholds
+5. **Scan staging, not production** - Active scans can cause damage
+6. **Monitor scan duration** - Set timeouts to prevent infinite scans
+7. **Version control your ZAP configs** - Keep rules and context files in Git
+
+## Troubleshooting
+
+### Scan Takes Too Long
+
+```bash
+# Reduce threads
+zap-full-scan.py -t URL -z "-config api.maxchildren=2"
+
+# Set timeout
+zap-full-scan.py -t URL -m 30 # 30 minutes max
+```
+
+### Too Many False Positives
+
+```bash
+# Use confidence level
+zap-baseline.py -t URL -c rules.tsv
+
+# Ignore specific alerts
+echo "10021\tIGNORE" > rules.tsv
+```
+
+### Authentication Not Working
+
+Check ZAP logs:
+
+```bash
+docker run -v $(pwd):/zap/wrk/:rw \
+ ghcr.io/zaproxy/zaproxy:stable \
+ zap-full-scan.py -t URL -d
+```
+
+## Next Steps
+
+- **[Burp Suite](./03-burp-suite)** — Learn professional-grade manual testing
+- **[CI/CD Integration](./04-cicd-integration)** — Advanced automation patterns
diff --git a/content/guides/dast-integration/03-burp-suite.md b/content/guides/dast-integration/03-burp-suite.md
new file mode 100644
index 000000000..36870f4c4
--- /dev/null
+++ b/content/guides/dast-integration/03-burp-suite.md
@@ -0,0 +1,405 @@
+---
+title: 'Burp Suite'
+description: 'Master Burp Suite for professional security testing. Learn manual and automated scanning, API testing, and advanced penetration testing techniques.'
+---
+
+# Burp Suite
+
+Burp Suite is the industry-standard web application security testing tool used by professional penetration testers and security researchers. While OWASP ZAP excels at automation, Burp Suite shines in manual testing, advanced attack techniques, and deep vulnerability analysis.
+
+## Why Burp Suite?
+
+- **Industry standard**: Used by most professional pen testers
+- **Deep analysis**: Advanced scanner with low false positives
+- **Extensibility**: 500+ community extensions (BApps)
+- **Manual testing**: Full HTTP proxy with request/response manipulation
+- **Professional features**: Burp Collaborator, Intruder, Repeater, Scanner
+
+## Editions
+
+| Feature | Community (Free) | Professional ($449/year) | Enterprise (Custom) |
+|---------|-----------------|------------------------|--------------------|
+| **Proxy** | ✅ | ✅ | ✅ |
+| **Repeater** | ✅ | ✅ | ✅ |
+| **Intruder** | ⚠️ Limited | ✅ | ✅ |
+| **Scanner** | ❌ | ✅ | ✅ |
+| **Extensions** | ✅ | ✅ | ✅ |
+| **CI/CD Integration** | ❌ | CLI | REST API |
+| **Collaborator** | ❌ | ✅ | Private instance |
+
+**For this guide**: We'll cover both Community (free) and Professional features.
+
+## Installation
+
+### Desktop Application
+
+```bash
+# macOS
+brew install --cask burp-suite
+
+# Linux (Download JAR)
+wget https://portswigger.net/burp/releases/download -O burpsuite.jar
+java -jar burpsuite.jar
+
+# Windows (Installer)
+# Download from https://portswigger.net/burp/communitydownload
+```
+
+### Professional License
+
+```bash
+# Activate with license key
+java -jar burpsuite_pro.jar
+```
+
+## Core Tools
+
+### 1. Proxy
+
+Intercept and modify HTTP/HTTPS traffic between browser and server.
+
+**Setup**:
+
+```bash
+# 1. Configure Burp to listen on 127.0.0.1:8080
+# 2. Configure browser proxy settings:
+# HTTP Proxy: 127.0.0.1:8080
+# HTTPS Proxy: 127.0.0.1:8080
+# 3. Install Burp CA certificate (for HTTPS)
+# http://burp/cert
+```
+
+**Use cases**:
+- Inspect API requests/responses
+- Modify authentication tokens
+- Test parameter tampering
+- Analyze session management
+
+### 2. Repeater (Community + Pro)
+
+**What**: Manually modify and re-send requests
+**When**: Testing specific vulnerabilities, experimenting with payloads
+
+**Example**: Testing SQL Injection
+
+```http
+# Original request
+GET /api/users?id=1 HTTP/1.1
+Host: example.com
+
+# Test payload 1
+GET /api/users?id=1' OR '1'='1 HTTP/1.1
+Host: example.com
+
+# Test payload 2
+GET /api/users?id=1 UNION SELECT null,version(),null-- HTTP/1.1
+Host: example.com
+```
+
+### 3. Intruder (Pro)
+
+**What**: Automated attack tool for brute forcing, fuzzing, parameter discovery
+**When**: Testing multiple payloads against endpoints
+
+**Attack types**:
+
+```plaintext
+Sniper: Single position, one payload at a time
+ username=admin&password=§payload§
+
+Battering Ram: Multiple positions, same payload
+ username=§payload§&password=§payload§
+
+Pitchfork: Multiple positions, parallel payloads
+ username=§user§&password=§pass§
+
+Cluster Bomb: All combinations
+ username=§user§&password=§pass§
+```
+
+**Example**: Brute force login
+
+```http
+POST /login HTTP/1.1
+Host: example.com
+Content-Type: application/json
+
+{"username":"§admin§","password":"§pass§"}
+```
+
+Payloads:
+- Position 1: admin, root, user
+- Position 2: password123, admin123, test
+
+### 4. Scanner (Pro)
+
+**What**: Automated vulnerability scanner
+**When**: Comprehensive testing of applications
+
+**Scan types**:
+- **Passive**: Monitor traffic without attacks
+- **Active**: Send attack payloads to test vulnerabilities
+- **Live**: Continuously scan as you browse
+
+**Start a scan**:
+
+```plaintext
+1. Right-click on request in Proxy/Repeater
+2. Select "Scan" > "Active Scan"
+3. Configure scan insertion points and checks
+4. Review findings in "Dashboard"
+```
+
+### 5. Burp Collaborator (Pro)
+
+**What**: Out-of-band (OOB) vulnerability detection
+**When**: Testing blind vulnerabilities (SSRF, XXE, SQL injection)
+
+**How it works**:
+
+```bash
+# Burp Collaborator provides unique subdomain
+payload.burpcollaborator.net
+
+# Test SSRF
+GET /fetch?url=http://payload.burpcollaborator.net
+
+# If vulnerable, Burp Collaborator receives DNS/HTTP request
+# proving the application made external request
+```
+
+## Manual Testing Workflow
+
+### 1. Target Reconnaissance
+
+```plaintext
+1. Browse the application with Burp Proxy enabled
+2. Map out all endpoints in "Target" > "Site Map"
+3. Identify interesting parameters, cookies, headers
+4. Note authentication and session management
+```
+
+### 2. Parameter Analysis
+
+Test each parameter for common vulnerabilities:
+
+```http
+# Original
+GET /search?q=test&page=1
+
+# SQL Injection
+GET /search?q=test'&page=1
+
+# XSS
+GET /search?q=&page=1
+
+# Path Traversal
+GET /file?path=../../../../etc/passwd
+
+# IDOR
+GET /api/user/123 (try 124, 125, etc.)
+```
+
+### 3. Authentication Testing
+
+```plaintext
+# Test for:
+- Weak passwords
+- Username enumeration
+- Session fixation
+- Insufficient session timeout
+- Concurrent sessions allowed
+- JWT token manipulation
+```
+
+### 4. Authorization Testing
+
+```http
+# Test horizontal privilege escalation
+GET /api/user/1/profile (User A)
+GET /api/user/2/profile (Try accessing User B)
+
+# Test vertical privilege escalation
+GET /admin/users (Normal user token)
+```
+
+## API Testing
+
+### OpenAPI/Swagger
+
+```plaintext
+1. Import OpenAPI spec:
+ Target > Site Map > Right-click > "Import from OpenAPI definition"
+2. Review all endpoints in site map
+3. Send interesting requests to Repeater/Intruder
+```
+
+### GraphQL
+
+```graphql
+# Discover schema
+query IntrospectionQuery {
+ __schema {
+ types {
+ name
+ fields {
+ name
+ }
+ }
+ }
+}
+
+# Test injection
+query {
+ user(id: "1' OR '1'='1") {
+ name
+ email
+ }
+}
+```
+
+## Extensions (BApps)
+
+Popular extensions for enhanced functionality:
+
+### Must-Have Extensions
+
+```plaintext
+1. **Autorize** - Automated authorization testing
+2. **HUNT** - Identify common vulnerability parameters
+3. **JSON Web Tokens** - JWT manipulation
+4. **Param Miner** - Find hidden parameters
+5. **Turbo Intruder** - High-speed attacks
+6. **Active Scan++** - Additional scan checks
+7. **Software Vulnerability Scanner** - CVE detection
+```
+
+**Install**:
+```plaintext
+Extender > BApp Store > Select extension > Install
+```
+
+## CI/CD Integration (Pro)
+
+### Burp Suite CLI
+
+```bash
+# Professional edition includes CLI scanner
+java -jar burpsuite_pro.jar --project-file=project.burp \
+ --unpause-spider-and-scanner \
+ --config-file=config.json
+```
+
+**config.json**:
+
+```json
+{
+ "target": {
+ "scope": {
+ "include": [{"rule": "https://staging.example.com/.*"}]
+ }
+ },
+ "scanner": {
+ "scan_speed": "fast",
+ "scan_accuracy": "normal"
+ }
+}
+```
+
+### GitHub Actions
+
+```yaml
+name: Burp Suite Scan
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ burp_scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Burp Suite Scanner
+ env:
+ BURP_LICENSE: ${{ secrets.BURP_LICENSE }}
+ run: |
+ docker run -e BURP_LICENSE \
+ -v $(pwd):/config \
+ burpsuite/pro \
+ --project-file=/config/project.burp \
+ --config-file=/config/config.json
+
+ - name: Parse Results
+ run: |
+ python parse_burp_report.py report.xml
+```
+
+## Best Practices
+
+1. **Use target scope** - Prevent accidental testing of out-of-scope domains
+2. **Save your sessions** - Keep project files for reproducibility
+3. **Install extensions** - Enhance functionality with BApps
+4. **Learn keyboard shortcuts** - Speed up manual testing
+5. **Use Repeater liberally** - Test hypotheses before Intruder attacks
+6. **Review scanner findings manually** - Validate before reporting
+7. **Respect rate limits** - Don't DOS the application
+
+## Common Workflows
+
+### Workflow 1: Quick Assessment
+
+```plaintext
+1. Browse site with Proxy on (5-10 min)
+2. Run Active Scan on interesting endpoints (30 min)
+3. Review high/critical findings
+4. Manual validation in Repeater
+```
+
+### Workflow 2: Deep Dive
+
+```plaintext
+1. Full site crawl (Spider)
+2. Passive scan of all traffic
+3. Manual testing of authentication
+4. Active scan of key features
+5. Intruder attacks on identified parameters
+6. Collaborator-based OOB testing
+7. Extension-based specialized scans
+```
+
+### Workflow 3: API Security
+
+```plaintext
+1. Import OpenAPI spec
+2. Send all endpoints to Repeater
+3. Test authentication and authorization
+4. Intruder attacks on parameters
+5. JWT manipulation (with extension)
+6. Schema injection (GraphQL)
+```
+
+## Burp vs ZAP
+
+| Aspect | Burp Suite | OWASP ZAP |
+|--------|------------|----------|
+| **Cost** | $449/year (Pro) | Free |
+| **Best for** | Manual testing | Automation |
+| **CI/CD** | CLI (Pro) | Native Docker |
+| **Extensions** | 500+ (BApp Store) | 100+ |
+| **Learning curve** | Steeper | Gentler |
+| **Scanner quality** | Excellent (Pro) | Good |
+| **Community** | Large | Very large |
+
+**Recommendation**: Use both
+- **ZAP** for automated CI/CD scans
+- **Burp** for manual penetration testing
+
+## Next Steps
+
+- **[CI/CD Integration](./04-cicd-integration)** — Automate DAST in your pipeline
+- **Practice**: Try Burp Suite on intentionally vulnerable apps:
+ - DVWA (Damn Vulnerable Web Application)
+ - WebGoat (OWASP)
+ - PortSwigger Web Security Academy (free labs)
diff --git a/content/guides/dast-integration/04-cicd-integration.md b/content/guides/dast-integration/04-cicd-integration.md
new file mode 100644
index 000000000..d680b6515
--- /dev/null
+++ b/content/guides/dast-integration/04-cicd-integration.md
@@ -0,0 +1,515 @@
+---
+title: 'CI/CD Integration'
+description: 'Automate DAST scans in your CI/CD pipeline. Learn to implement security gates, handle findings, and integrate with GitHub Actions, GitLab CI, and Jenkins.'
+---
+
+# CI/CD Integration
+
+Automating DAST scans in your CI/CD pipeline catches security vulnerabilities before they reach production. This guide shows you how to integrate OWASP ZAP and Burp Suite into your deployment workflow with smart quality gates and failure policies.
+
+## Integration Strategy
+
+### When to Run DAST
+
+```plaintext
+Development → PR → Staging → Production
+ ↑ ↑
+ Passive Active
+ DAST DAST
+```
+
+- **Pull Requests**: Quick baseline scan (5-10 min)
+- **Staging Deploy**: Full active scan (30-60 min)
+- **Production**: Passive monitoring only
+
+### Scan Types by Environment
+
+| Environment | Scan Type | Duration | Risk | Purpose |
+|------------|-----------|----------|------|----------|
+| **PR** | ZAP Baseline | 5-10 min | None | Fast feedback |
+| **Staging** | ZAP Full Scan | 30-60 min | High | Comprehensive |
+| **Production** | ZAP Baseline | 5-10 min | None | Monitoring |
+| **Manual** | Burp Suite | Hours | High | Deep dive |
+
+## GitHub Actions
+
+### Basic ZAP Baseline Scan
+
+```yaml
+# .github/workflows/dast.yml
+name: DAST Scan
+
+on:
+ pull_request:
+ push:
+ branches: [main, develop]
+
+jobs:
+ zap_scan:
+ runs-on: ubuntu-latest
+ name: Security Scan
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Start Application
+ run: |
+ docker-compose up -d
+ # Wait for app to be ready
+ timeout 60 bash -c 'until curl -f http://localhost:3000/health; do sleep 2; done'
+
+ - name: ZAP Baseline Scan
+ uses: zaproxy/action-baseline@v0.10.0
+ with:
+ target: 'http://localhost:3000'
+ rules_file_name: '.zap/rules.tsv'
+ cmd_options: '-a' # Include pass/info alerts
+
+ - name: Upload ZAP Report
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: zap-scan-report
+ path: report_html.html
+```
+
+### Advanced ZAP Full Scan with Quality Gates
+
+```yaml
+name: DAST Full Scan
+
+on:
+ push:
+ branches: [main]
+
+jobs:
+ zap_full_scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Deploy to Staging
+ run: |
+ ./deploy-staging.sh
+ echo "STAGING_URL=https://staging.example.com" >> $GITHUB_ENV
+
+ - name: Run ZAP Full Scan
+ run: |
+ docker run -v $(pwd):/zap/wrk/:rw \
+ ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
+ -t ${{ env.STAGING_URL }} \
+ -r zap-report.html \
+ -J zap-report.json \
+ -w zap-report.md \
+ -z "-config api.maxchildren=5"
+
+ - name: Parse ZAP Results
+ id: zap_results
+ run: |
+ # Count severity levels
+ HIGH=$(jq '[.site[].alerts[] | select(.riskcode=="3")] | length' zap-report.json)
+ MEDIUM=$(jq '[.site[].alerts[] | select(.riskcode=="2")] | length' zap-report.json)
+ echo "high=$HIGH" >> $GITHUB_OUTPUT
+ echo "medium=$MEDIUM" >> $GITHUB_OUTPUT
+
+ - name: Quality Gate
+ if: steps.zap_results.outputs.high > 0
+ run: |
+ echo "::error::Found ${{ steps.zap_results.outputs.high }} high-severity vulnerabilities"
+ exit 1
+
+ - name: Comment PR with Results
+ if: always() && github.event_name == 'pull_request'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const fs = require('fs');
+ const report = fs.readFileSync('zap-report.md', 'utf8');
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: `## DAST Scan Results\n\n${report}`
+ });
+
+ - name: Upload Reports
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: zap-reports
+ path: |
+ zap-report.html
+ zap-report.json
+ zap-report.md
+```
+
+### Authenticated Scanning
+
+```yaml
+- name: ZAP Scan with Authentication
+ run: |
+ # Create context file
+ cat > zap-context.yaml << 'EOL'
+ env:
+ contexts:
+ - name: "Staging App"
+ urls:
+ - "${{ env.STAGING_URL }}"
+ authentication:
+ method: "json"
+ parameters:
+ loginUrl: "${{ env.STAGING_URL }}/api/login"
+ loginRequestData: '{"username":"{%username%}","password":"{%password%}"}'
+ verification:
+ method: "response"
+ loggedInRegex: "\\Qtoken\\E"
+ users:
+ - name: "test_user"
+ credentials:
+ username: "${{ secrets.TEST_USERNAME }}"
+ password: "${{ secrets.TEST_PASSWORD }}"
+ EOL
+
+ docker run -v $(pwd):/zap/wrk/:rw \
+ ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
+ -t ${{ env.STAGING_URL }} \
+ -n zap-context.yaml \
+ -r zap-report.html
+```
+
+## GitLab CI
+
+### Basic Pipeline
+
+```yaml
+# .gitlab-ci.yml
+stages:
+ - test
+ - security
+ - deploy
+
+dast_scan:
+ stage: security
+ image: ghcr.io/zaproxy/zaproxy:stable
+ variables:
+ TARGET_URL: "https://staging.example.com"
+ script:
+ - zap-baseline.py -t $TARGET_URL -r gl-dast-report.html -J gl-dast-report.json
+ artifacts:
+ when: always
+ reports:
+ dast: gl-dast-report.json
+ paths:
+ - gl-dast-report.html
+ expire_in: 1 week
+ allow_failure: false
+ only:
+ - main
+ - develop
+```
+
+### GitLab DAST with Quality Gates
+
+```yaml
+dast_full_scan:
+ stage: security
+ image: ghcr.io/zaproxy/zaproxy:stable
+ before_script:
+ - apk add --no-cache jq
+ script:
+ # Run scan
+ - zap-full-scan.py -t $TARGET_URL -r report.html -J report.json || true
+
+ # Parse results
+ - HIGH=$(jq '[.site[].alerts[] | select(.riskcode=="3")] | length' report.json)
+ - MEDIUM=$(jq '[.site[].alerts[] | select(.riskcode=="2")] | length' report.json)
+
+ # Quality gate
+ - |
+ if [ $HIGH -gt 0 ]; then
+ echo "Found $HIGH high-severity vulnerabilities"
+ exit 1
+ fi
+ artifacts:
+ when: always
+ paths:
+ - report.html
+ - report.json
+ only:
+ - main
+```
+
+## Jenkins
+
+### Declarative Pipeline
+
+```groovy
+pipeline {
+ agent any
+
+ environment {
+ TARGET_URL = 'https://staging.example.com'
+ ZAP_IMAGE = 'ghcr.io/zaproxy/zaproxy:stable'
+ }
+
+ stages {
+ stage('Deploy to Staging') {
+ steps {
+ sh './deploy-staging.sh'
+ }
+ }
+
+ stage('DAST Scan') {
+ steps {
+ script {
+ docker.image(env.ZAP_IMAGE).inside('-v $WORKSPACE:/zap/wrk:rw') {
+ sh '''
+ zap-full-scan.py \
+ -t ${TARGET_URL} \
+ -r zap-report.html \
+ -J zap-report.json
+ '''
+ }
+ }
+ }
+ }
+
+ stage('Parse Results') {
+ steps {
+ script {
+ def report = readJSON file: 'zap-report.json'
+ def highAlerts = report.site[0].alerts.findAll { it.riskcode == '3' }.size()
+
+ if (highAlerts > 0) {
+ error("Found ${highAlerts} high-severity vulnerabilities")
+ }
+ }
+ }
+ }
+ }
+
+ post {
+ always {
+ publishHTML([
+ reportDir: '.',
+ reportFiles: 'zap-report.html',
+ reportName: 'DAST Security Report'
+ ])
+ }
+ }
+}
+```
+
+## Quality Gates
+
+### Severity-Based Thresholds
+
+```bash
+#!/bin/bash
+# parse-zap-results.sh
+
+REPORT="zap-report.json"
+
+# Count by severity
+CRITICAL=$(jq '[.site[].alerts[] | select(.riskcode=="3" and .confidence=="3")] | length' $REPORT)
+HIGH=$(jq '[.site[].alerts[] | select(.riskcode=="3")] | length' $REPORT)
+MEDIUM=$(jq '[.site[].alerts[] | select(.riskcode=="2")] | length' $REPORT)
+
+echo "Critical: $CRITICAL"
+echo "High: $HIGH"
+echo "Medium: $MEDIUM"
+
+# Set thresholds
+if [ $CRITICAL -gt 0 ]; then
+ echo "::error::Found $CRITICAL critical vulnerabilities"
+ exit 1
+elif [ $HIGH -gt 5 ]; then
+ echo "::error::Found $HIGH high-severity vulnerabilities (threshold: 5)"
+ exit 1
+elif [ $MEDIUM -gt 20 ]; then
+ echo "::warning::Found $MEDIUM medium-severity vulnerabilities (threshold: 20)"
+ # Don't fail, just warn
+fi
+
+echo "Security scan passed"
+```
+
+### CWE-Based Filtering
+
+```bash
+#!/bin/bash
+# Fail only on specific vulnerability types
+
+BLOCKLIST=("89" "79" "22" "78") # SQL Injection, XSS, Path Traversal, OS Command Injection
+
+for CWE in "${BLOCKLIST[@]}"; do
+ COUNT=$(jq "[.site[].alerts[] | select(.cweid==\"$CWE\")] | length" zap-report.json)
+ if [ $COUNT -gt 0 ]; then
+ echo "::error::Found $COUNT instances of CWE-$CWE"
+ exit 1
+ fi
+done
+```
+
+## Handling False Positives
+
+### ZAP Rules Configuration
+
+```tsv
+# .zap/rules.tsv
+# Format: RULE_ID ACTION (IGNORE|WARN|FAIL)
+
+# Ignore informational alerts
+10021 IGNORE (X-Content-Type-Options Header Missing)
+10020 IGNORE (X-Frame-Options Header Missing)
+
+# Warn on medium severity
+10055 WARN (CSP: Wildcard Directive)
+
+# Fail on high/critical
+40012 FAIL (Cross Site Scripting)
+40018 FAIL (SQL Injection)
+```
+
+Use it:
+
+```yaml
+- name: ZAP Scan
+ uses: zaproxy/action-baseline@v0.10.0
+ with:
+ target: ${{ env.TARGET_URL }}
+ rules_file_name: '.zap/rules.tsv'
+```
+
+### Context-Based Exclusions
+
+```yaml
+# zap-context.yaml
+env:
+ contexts:
+ - name: "My App"
+ urls:
+ - "https://staging.example.com"
+ excludePaths:
+ - ".*/logout.*"
+ - ".*/static/.*"
+ - ".*/health.*"
+ technology:
+ exclude:
+ - "PHP" # We don't use PHP
+```
+
+## Best Practices
+
+1. **Start passive, then active**
+ - Begin with baseline scans on PRs
+ - Add full scans on staging deploys
+ - Never active scan production
+
+2. **Use quality gates wisely**
+ - Block critical/high vulnerabilities
+ - Warn on medium
+ - Ignore low/informational initially
+
+3. **Tune your scans**
+ - Disable irrelevant checks for your stack
+ - Add authentication for better coverage
+ - Exclude logout and destructive endpoints
+
+4. **Make reports visible**
+ - Upload HTML reports as artifacts
+ - Comment on PRs with findings
+ - Track metrics over time
+
+5. **Set realistic timeouts**
+ ```yaml
+ - name: ZAP Scan
+ timeout-minutes: 60 # Prevent hanging
+ ```
+
+6. **Cache ZAP Docker images**
+ ```yaml
+ - name: Pull ZAP image
+ run: docker pull ghcr.io/zaproxy/zaproxy:stable
+ ```
+
+7. **Run parallel scans**
+ - Scan multiple microservices concurrently
+ - Use GitHub Actions matrix strategy
+
+## Monitoring and Metrics
+
+### Track Over Time
+
+```bash
+#!/bin/bash
+# Store metrics in time-series database
+
+HIGH=$(jq '[.site[].alerts[] | select(.riskcode=="3")] | length' zap-report.json)
+MEDIUM=$(jq '[.site[].alerts[] | select(.riskcode=="2")] | length' zap-report.json)
+
+# Send to monitoring system
+curl -X POST https://metrics.example.com/dast \
+ -d "high=$HIGH&medium=$MEDIUM×tamp=$(date +%s)"
+```
+
+### Grafana Dashboard
+
+Create dashboards tracking:
+- Vulnerabilities over time (by severity)
+- Mean time to remediate (MTTR)
+- Scan duration trends
+- False positive rate
+
+## Troubleshooting
+
+### Scan Takes Too Long
+
+```yaml
+# Reduce threads
+-z "-config api.maxchildren=2"
+
+# Set timeout
+-m 30 # 30 minutes max
+
+# Limit scope
+-n context.yaml # Only scan specific paths
+```
+
+### Out of Memory
+
+```yaml
+# Increase Docker memory
+docker run -m 4g ghcr.io/zaproxy/zaproxy:stable ...
+
+# Or use ZAP options
+-z "-config scanner.threadPerHost=1"
+```
+
+### Authentication Fails
+
+```bash
+# Enable debug mode
+zap-full-scan.py -t URL -d
+
+# Check logs
+docker logs
+```
+
+## Next Steps
+
+1. **Implement baseline scans** on all PRs
+2. **Add full scans** to staging deployments
+3. **Set up quality gates** based on your risk tolerance
+4. **Track metrics** to measure improvement
+5. **Iterate on tuning** to reduce false positives
+
+---
+
+**Congratulations!** You now have a comprehensive DAST strategy. Remember:
+- DAST is one layer of defense
+- Combine with SAST, dependency scanning, and IaC security
+- Continuous improvement: tune scans based on findings
+- Security is a journey, not a destination
diff --git a/content/guides/dast-integration/index.md b/content/guides/dast-integration/index.md
new file mode 100644
index 000000000..6b26da825
--- /dev/null
+++ b/content/guides/dast-integration/index.md
@@ -0,0 +1,101 @@
+---
+title: 'DAST Integration'
+description: 'Master Dynamic Application Security Testing with OWASP ZAP and Burp Suite. Learn to identify runtime vulnerabilities, integrate DAST into CI/CD, and secure live applications.'
+category:
+ name: 'Security'
+ slug: 'security'
+publishedAt: '2025-01-24'
+updatedAt: '2025-01-24'
+author:
+ name: 'DevOps Daily Team'
+ slug: 'devops-daily-team'
+tags:
+ - Security
+ - DevSecOps
+ - DAST
+ - OWASP ZAP
+ - Burp Suite
+ - Penetration Testing
+---
+
+Dynamic Application Security Testing (DAST) finds security vulnerabilities by testing your running application from the outside—just like an attacker would. Unlike static analysis that examines code, DAST interacts with your live application to discover runtime issues like SQL injection, XSS, authentication flaws, and misconfigurations.
+
+This guide teaches you how to integrate industry-standard DAST tools into your DevSecOps pipeline, catching vulnerabilities before they reach production.
+
+## Why DAST Matters
+
+DAST complements other security testing approaches:
+
+- **Runtime vulnerabilities** — Finds issues that only appear when the app is running (authentication bypass, session management flaws)
+- **Configuration issues** — Detects misconfigurations in servers, frameworks, and dependencies
+- **Business logic flaws** — Identifies workflow vulnerabilities that static analysis misses
+- **Third-party components** — Tests the entire stack, including libraries and frameworks
+
+Real-world impact:
+
+- **Capital One breach (2019)** — SSRF vulnerability in web application firewall allowed access to 100M+ records
+- **British Airways (2018)** — XSS vulnerability led to £183M GDPR fine
+- **Heartbleed (2014)** — Runtime vulnerability in OpenSSL affected millions of servers
+
+## What You'll Learn
+
+This guide covers essential DAST tools and techniques:
+
+1. **[DAST Fundamentals](./01-fundamentals)** — How DAST works, scan types, and when to use it
+2. **[OWASP ZAP](./02-owasp-zap)** — Free, open-source scanner with automation and CI/CD integration
+3. **[Burp Suite](./03-burp-suite)** — Professional-grade tool for advanced security testing
+4. **[CI/CD Integration](./04-cicd-integration)** — Automate DAST scans in your pipeline with quality gates
+
+## Quick Comparison
+
+| Tool | Type | Automation | CI/CD | Best For | Cost |
+|------|------|------------|-------|----------|------|
+| OWASP ZAP | Active/Passive | Excellent | Native | Automation, CI/CD | Free |
+| Burp Suite Pro | Active/Passive | Good | API-based | Manual testing, advanced | $449/year |
+| Nuclei | Active | Excellent | CLI-friendly | Fast scans, custom templates | Free |
+| Arachni | Active | Good | CLI-friendly | Web apps, distributed scans | Free |
+
+## DAST vs SAST vs IAST
+
+| Aspect | SAST (Static) | DAST (Dynamic) | IAST (Interactive) |
+|--------|---------------|----------------|--------------------|
+| **Testing approach** | Analyzes source code | Tests running app | Monitors app from inside |
+| **When to run** | During development | Against deployed app | During testing |
+| **False positives** | High | Medium | Low |
+| **Coverage** | Code paths | Exposed endpoints | Executed code paths |
+| **Speed** | Fast | Slow | Medium |
+| **Best for** | Early detection | Production-like testing | Comprehensive coverage |
+
+**Use all three** for defense in depth: SAST catches issues early, DAST validates runtime security, IAST reduces false positives.
+
+## Prerequisites
+
+Before starting, you should:
+
+- Understand web application fundamentals (HTTP, REST APIs, authentication)
+- Have basic knowledge of common vulnerabilities (OWASP Top 10)
+- Have a test application to scan (never scan production without permission)
+- Basic CI/CD and Docker knowledge for automation
+
+## Time Investment
+
+- **Quick start**: 1 hour (run your first ZAP scan)
+- **Full implementation**: 4-6 hours (CI/CD integration + policies)
+- **Mastery**: 2-3 weeks (advanced techniques, custom rules, vulnerability triage)
+
+## Security Warning
+
+⚠️ **Important**: DAST tools perform real attacks against applications. Always:
+
+- Get written permission before scanning any application
+- Only scan applications you own or have authorization to test
+- Use non-production environments when possible
+- Be aware that scans can cause:
+ - High server load
+ - Database changes (if testing write operations)
+ - Triggered security alerts and rate limits
+ - Accidental data modification or deletion
+
+---
+
+Ready to start? Begin with [DAST Fundamentals](./01-fundamentals) to understand how dynamic testing works.