Black Duck Web Scanner (formerly Synopsys Web Scanner) is an enterprise-grade dynamic application security testing (DAST) solution that identifies vulnerabilities in running web applications.

Part of the Polaris Software Integrity Platform, the scanner uses advanced techniques to discover security weaknesses that could be exploited by attackers.

What is Black Duck Web Scanner?

Black Duck Web Scanner performs automated security testing of web applications by simulating attacks against live or staging environments.

The tool crawls applications using a headless browser engine capable of executing JavaScript and handling modern single-page applications (SPAs), then executes attack payloads to identify vulnerabilities.

The scanner operates as part of the broader Polaris platform, which provides unified application security testing across SAST, SCA, and DAST capabilities.

This integration enables organizations to correlate findings across testing methodologies and maintain comprehensive security visibility throughout the software development lifecycle.

Key Features

Proof-Based Vulnerability Detection

Unlike traditional DAST tools that rely solely on signature matching, Black Duck Web Scanner provides proof of exploitability for discovered vulnerabilities.

When the scanner identifies a potential issue, it attempts to confirm the vulnerability is genuine and demonstrates how it could be exploited.

This approach significantly reduces false positives and helps teams prioritize remediation efforts.

Modern Application Support

The scanner’s headless browser engine handles modern web technologies effectively:

JavaScript Execution: Full JavaScript rendering for SPAs and dynamic content
AJAX Analysis: Intercepts and tests asynchronous API calls
Authentication Handling: Supports form-based login, OAuth, SSO, and custom authentication
Session Management: Maintains authentication state throughout scans

Comprehensive Vulnerability Coverage

Black Duck Web Scanner tests for a wide range of security weaknesses:

OWASP Top 10 web application risks
SQL injection (error-based, blind, time-based)
Cross-site scripting (reflected, stored, DOM-based)
XML external entity (XXE) injection
Server-side request forgery (SSRF)
Insecure deserialization
Security misconfiguration
Sensitive data exposure

API Security Testing

The scanner includes dedicated capabilities for API security:

REST API endpoint discovery and testing
GraphQL query analysis
OpenAPI/Swagger specification import
API authentication testing
Rate limiting and access control verification

Polaris Platform Integration

Black Duck Web Scanner integrates with the Polaris Software Integrity Platform, providing:

Unified Dashboard

All security findings from SAST, SCA, and DAST appear in a single dashboard.

Security teams can track vulnerabilities across the entire application portfolio and development lifecycle.

Correlated Findings

The platform correlates findings across testing methodologies.

When SAST identifies a potential vulnerability pattern and DAST confirms it’s exploitable, teams gain higher confidence in prioritization.

Policy Enforcement

Organizations can define security policies that span testing types.

For example, requiring no high-severity DAST findings before production deployment while allowing medium-severity issues with mitigation plans.

Installation and Configuration

Black Duck Web Scanner is deployed as part of the Polaris platform or as a standalone scanner.

Polaris Cloud

For cloud deployments, access the scanner through the Polaris web interface:

Log in to your Polaris organization
Navigate to Projects and select your application
Configure DAST scanning settings
Provide target URL and authentication details
Run scans on-demand or schedule recurring assessments

On-Premises Deployment

For on-premises installations:

# Download and extract the scanner package
tar -xzf blackduck-webscanner-<version>.tar.gz

# Configure the scanner
./configure --polaris-url=https://polaris.yourcompany.com \
            --polaris-token=$POLARIS_TOKEN

# Start the scanning service
./start-scanner.sh

CLI Usage

The scanner provides command-line capabilities for automation:

# Run a basic scan
polaris-scan dast \
  --project-name "my-application" \
  --target-url "https://staging.example.com" \
  --auth-type form \
  --login-url "https://staging.example.com/login" \
  --username "testuser" \
  --password "testpass"

# Scan with API specification
polaris-scan dast \
  --project-name "my-api" \
  --target-url "https://api.example.com" \
  --openapi-spec "./openapi.yaml"

# Generate report
polaris-scan report \
  --project-name "my-application" \
  --format pdf \
  --output ./dast-report.pdf

CI/CD Integration

GitHub Actions

name: Black Duck DAST Scan
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  dast-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Deploy to Staging
        run: |
          # Your deployment steps here
          echo "Deploying to staging environment..."

      - name: Run Black Duck Web Scanner
        uses: blackducksoftware/polaris-action@v1
        with:
          polaris-url: ${{ secrets.POLARIS_URL }}
          polaris-token: ${{ secrets.POLARIS_TOKEN }}
          scan-type: dast
          target-url: ${{ vars.STAGING_URL }}

      - name: Check for Critical Findings
        run: |
          polaris-cli findings \
            --project-name ${{ github.repository }} \
            --severity critical,high \
            --fail-on-findings

GitLab CI

blackduck-dast:
  stage: security
  image: blackducksoftware/polaris-cli:latest
  variables:
    POLARIS_URL: $POLARIS_URL
    POLARIS_TOKEN: $POLARIS_TOKEN
  script:
    - polaris-scan dast
        --project-name $CI_PROJECT_NAME
        --target-url $STAGING_URL
        --wait-for-completion
    - polaris-cli findings
        --project-name $CI_PROJECT_NAME
        --format json > gl-dast-report.json
  artifacts:
    reports:
      dast: gl-dast-report.json
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

Azure DevOps

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

variables:
  - group: polaris-credentials

steps:
  - task: DownloadPolarisScanner@1
    inputs:
      polarisUrl: $(POLARIS_URL)
      polarisToken: $(POLARIS_TOKEN)

  - script: |
      polaris-scan dast \
        --project-name $(Build.Repository.Name) \
        --target-url $(STAGING_URL) \
        --wait-for-completion
    displayName: 'Run DAST Scan'

  - task: PublishSecurityAnalysisLogs@3
    inputs:
      ArtifactName: 'DASTResults'

When to Use Black Duck Web Scanner

Black Duck Web Scanner is well-suited for:

Enterprise environments: Organizations with large application portfolios benefit from centralized management and consistent policies
Unified security programs: Teams already using Polaris for SAST or SCA get seamless DAST integration
Compliance requirements: The scanner supports compliance mapping and audit-ready reporting
Modern web applications: Strong support for JavaScript-heavy SPAs and API-based architectures

Consider alternatives if you need:

Open-source solution: OWASP ZAP provides capable free DAST
Quick deployment: Cloud-native competitors may offer faster time-to-value
Standalone DAST: Single-purpose tools may be simpler for focused use cases

History

The web scanner was originally developed by Synopsys as part of their Software Integrity Group.

In 2024, Synopsys divested the Software Integrity Group to private equity firms Clearlake Capital and Francisco Partners, with the products rebranded under Black Duck Software.

The scanner continues to receive updates and support under the new ownership.

Note: Formerly Synopsys Web Scanner. Synopsys sold Software Integrity Group to Clearlake Capital and Francisco Partners in 2024, now operating as Black Duck Software.