Free, open-source dynamic application security testing (DAST) action for your GitHub repositories. No account, API key, or registration required.
Create a YAML configuration file anywhere in your repository. For example, `.github/dast-config.yaml`:

```yaml
language: EN
strict: false
output:
  file_path: results-dast.sarif
  format: SARIF
dast:
  urls:
    - url: https://www.myapp.com
    - url: https://www.myapp.com/api
```

Add `.github/workflows/fa-dast.yml` to your repository:
```yaml
name: DAST
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]
  schedule:
    - cron: '0 8 * * 1' # optional: weekly scan every Monday at 8am
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: fluidattacks/dast-action@<version>
        id: scan
        with:
          scan_config_path: .github/dast-config.yaml
```

Replace `<version>` with the latest release tag. Find it on the Marketplace page.
- The target application must be publicly reachable or accessible from the runner when the workflow runs.

Commit both files and push. The scan runs automatically on the next push or pull request.

- A GitHub repository (public or private).
- GitHub Actions enabled on the repository.
- A Linux runner (`ubuntu-latest` or equivalent): the action requires Docker, which is only available on Linux-hosted runners.
- No account, token, or API key is needed. The action is 100% open source.
The `scan_config_path` input is required. The action fails immediately if the file does not exist at the given path.

```yaml
dast:
  urls:
    # URLs to scan
    - url: https://www.endpoint1.com
    - url: https://www.endpoint2.com
output:
  file_path: results.sarif
  format: SARIF
```

- `language`: language for vulnerability descriptions in the output (`EN` for English, `ES` for Spanish).
- `strict`: when `false`, the scanner reports findings but does not fail the pipeline. Set to `true` to break the build on any detected vulnerability.
- `output.file_path`: path where results are written. When format is `SARIF`, this path is also exposed as the `sarif_file` action output.
- `output.format`: `SARIF` produces the standard format. Use `CSV` for a spreadsheet-friendly report.
- `dast.urls`: list of URLs the scanner will probe. The target application must be running and reachable from the GitHub Actions runner.
| Input | Required | Default | Description |
|---|---|---|---|
| `scan_config_path` | Yes | — | Path to the YAML configuration file, relative to the repository root. The job fails if the file does not exist at the given path. |
| Output | Description |
|---|---|
| `sarif_file` | Path to the SARIF results file (only set when `output.format` is `SARIF`) |
| `vulnerabilities_found` | `true` if any vulnerabilities were detected, `false` otherwise |
You can use these outputs in subsequent workflow steps:

```yaml
- name: Comment on PR
  if: steps.scan.outputs.vulnerabilities_found == 'true'
  run: echo "Vulnerabilities detected — check the Security tab."
```

```yaml
on:
  pull_request:
    types: [opened, synchronize, reopened]
```

Point the URL in your config file to a staging environment that is deployed as part of the PR workflow.
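The pieces above combined into one pull-request workflow, as an added example that is not the project's own: it runs the scan against a staging deployment and keeps the report as a workflow artifact. It assumes `actions/upload-artifact@v4`, that the staging URL is already listed under `dast.urls` in `.github/dast-config.yaml` with `output.file_path: results-dast.sarif`, and that the PR build is deployed before this job runs.

```yaml
name: DAST on pull requests
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  scan:
    runs-on: ubuntu-latest # Linux runner: the action needs Docker
    steps:
      - uses: actions/checkout@v4
      # Assumption: the PR build has already been deployed to the staging
      # URL configured under dast.urls in .github/dast-config.yaml.
      - uses: fluidattacks/dast-action@<version>
        id: scan
        with:
          scan_config_path: .github/dast-config.yaml
      # With strict: true the scan step fails when findings exist, so use
      # if: always() to keep the report even when the job is marked failed.
      # The path matches output.file_path in the config file.
      - name: Keep the DAST report as a workflow artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dast-results
          path: results-dast.sarif
      # Surface the result in the job summary for reviewers
      - name: Summarize scan outcome
        if: always()
        run: |
          echo "DAST vulnerabilities_found=${{ steps.scan.outputs.vulnerabilities_found }}" >> "$GITHUB_STEP_SUMMARY"
```

Reviewers download the `dast-results` artifact from the workflow run page, since DAST findings are not shown in the Security tab.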
Set `strict: true` in your configuration file and enable "Require status checks to pass before merging" in your repository's branch protection settings.

```yaml
strict: true
```

```yaml
output:
  file_path: results-dast.csv
  format: CSV
```

DAST findings cannot be uploaded to the GitHub Security tab. GitHub's code scanning API requires each vulnerability to reference a specific file and line number, which does not apply to web application vulnerabilities detected at runtime.
To review DAST results, use the output file produced by the scanner. Set `output.format: SARIF` or `CSV` in your config file and publish the file as a workflow artifact so it can be downloaded from the run.
The GitHub Actions runner must have network access to the URLs configured in `dast.urls`. Private or internal URLs require a self-hosted runner on the same network.
If `strict: true` is set, the pipeline fails whenever vulnerabilities are found. Set `strict: false` to report findings without failing the pipeline.
The path provided to `scan_config_path` does not exist in the repository. Verify the path is correct and relative to the repository root.