Dastardly is a free, lightweight DAST scanner from PortSwigger designed specifically for CI/CD pipelines.
Built on the same scanning engine that powers Burp Suite Professional, it delivers high-confidence vulnerability detection with minimal false positives in under 10 minutes.
What is Dastardly?
Dastardly is PortSwigger’s answer to a common challenge: how do you add dynamic security testing to build pipelines without slowing down releases or drowning developers in false positives?
The tool runs as a Docker container, scans a target URL, and produces JUnit XML output that integrates with any CI system.
Unlike full DAST scanners that can run for hours, Dastardly enforces a 10-minute maximum scan time.
It focuses on finding a curated set of high-confidence vulnerabilities rather than attempting comprehensive coverage.
This trade-off makes it practical for shift-left security where fast feedback is essential.
The scanner is completely free with no usage limits, authentication requirements, or hidden tiers.
PortSwigger positions it as an on-ramp to their commercial Burp Suite Enterprise product for teams that need deeper scanning capabilities.
Key Features
Burp Scanner Engine
Dastardly uses the same scanning engine that powers Burp Suite Professional, so it inherits detection logic that PortSwigger has refined over two decades of web security research and through real-world use of Burp Scanner.
The checks Dastardly ships are the subset of that engine's checks that PortSwigger Research considers reliable enough to run unattended in a pipeline.
Vulnerability Coverage
The scanner runs a focused set of high-confidence checks:
- Reflected cross-site scripting (XSS)
- Cross-origin resource sharing (CORS) misconfigurations
- Vulnerable JavaScript dependencies
- Content-type mismatches
- Path traversal vulnerabilities
This limited scope is intentional.
Dastardly prioritizes accuracy over breadth, ensuring that reported issues are genuine problems worth fixing.
JUnit XML Output
Scan results are produced in JUnit XML format, the de facto standard for test results in CI/CD systems.
This format works natively with Jenkins, GitLab CI, GitHub Actions, CircleCI, and virtually every other build system.
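Because the report is plain JUnit XML, a pipeline does not have to rely on the scanner's exit status alone. The following Python script is an added example, not Dastardly's or PortSwigger's code: it parses a JUnit report generically (testsuite/testcase/failure), pulls a severity out of each failure message, and returns a pass/fail exit code against a threshold. The embedded sample report is constructed for illustration, and the "Severity: <level>" convention the regex looks for is an assumption about the message text; check it against a real report before wiring the threshold into a gate. One deliberate choice: a failure whose severity cannot be parsed blocks the build instead of being silently ignored, so the gate fails closed.

```python
"""Gate a CI job on a Dastardly JUnit XML report (added example, not PortSwigger code)."""
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in JUnit shape, used when no report path is given.
# Element and attribute values are illustrative, not copied from a real Dastardly report.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="https://staging.example.com" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)"
              classname="https://staging.example.com/search?q=">
      <failure message="Severity: High" type="Cross-site scripting (reflected)">
Payload reflected unencoded into the response body.
      </failure>
    </testcase>
    <testcase name="Cross-origin resource sharing"
              classname="https://staging.example.com/api/me">
      <failure message="Severity: Information" type="Cross-origin resource sharing">
Access-Control-Allow-Origin reflects the request Origin header.
      </failure>
    </testcase>
    <testcase name="Content type incorrectly stated"
              classname="https://staging.example.com/static/app.js"/>
  </testsuite>
</testsuites>
"""

SEVERITY_RANK = {"information": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    suite: str
    issue: str
    location: str
    severity: str  # a key of SEVERITY_RANK, or "unknown" when the message had no parsable level
    detail: str


def parse_junit(xml_text: str) -> list[Finding]:
    """Return one Finding per <failure>/<error>; passing testcases are skipped.

    Works whether the root is <testsuites> or a bare <testsuite>, because
    Element.iter() yields the root itself when its tag matches.
    """
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for suite in root.iter("testsuite"):
        for case in suite.findall("testcase"):
            for failure in case.findall("failure") + case.findall("error"):
                message = failure.get("message", "")
                # Assumed convention: the failure message carries "Severity: <level>".
                match = re.search(r"severity:\s*([a-z]+)", message, re.IGNORECASE)
                severity = match.group(1).lower() if match else "unknown"
                if severity not in SEVERITY_RANK:
                    severity = "unknown"
                findings.append(Finding(
                    suite=suite.get("name", ""),
                    issue=case.get("name", failure.get("type", "")),
                    location=case.get("classname", ""),
                    severity=severity,
                    detail=(failure.text or "").strip(),
                ))
    return findings


def blocking_findings(findings: list[Finding], fail_at: str = "medium") -> list[Finding]:
    """Findings at or above the threshold. Fails closed: an unparsable severity blocks."""
    threshold = SEVERITY_RANK[fail_at]
    return [f for f in findings
            if f.severity == "unknown" or SEVERITY_RANK[f.severity] >= threshold]


def gate(findings: list[Finding], fail_at: str = "medium") -> int:
    """Exit code for the CI step: 1 if anything blocks the build, else 0."""
    return 1 if blocking_findings(findings, fail_at) else 0


def summary(findings: list[Finding]) -> list[str]:
    """One line per finding: unknown (blocking) first, then highest severity first."""
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK.get(f.severity, 99), reverse=True)
    return [f"[{f.severity.upper()}] {f.issue} at {f.location}" for f in ordered]


def main(argv: list[str]) -> int:
    # Usage: python gate.py [report.xml] [information|low|medium|high]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_REPORT
    fail_at = argv[2] if len(argv) > 2 else "medium"
    findings = parse_junit(xml_text)
    print("\n".join(summary(findings)) or "No findings.")
    code = gate(findings, fail_at)
    print(f"{len(blocking_findings(findings, fail_at))} finding(s) at or above '{fail_at}'; exit {code}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the scan (for example `python gate.py dastardly-report.xml high`) with the report path the scanner wrote; the CI system still consumes the same XML for its test view, so the gate adds a threshold without changing what developers see.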
Zero Configuration
Dastardly requires no configuration files, API keys, or setup beyond providing a start URL.
The container is configured entirely through two environment variables, BURP_START_URL (where the crawl begins) and BURP_REPORT_FILE_PATH (where the JUnit XML is written); there are no command-line flags to learn:
docker run --rm --user "$(id -u)" \
  -v "$(pwd)":/dastardly \
  -e BURP_START_URL=https://your-target.example.com/ \
  -e BURP_REPORT_FILE_PATH=/dastardly/dastardly-report.xml \
  public.ecr.aws/portswigger/dastardly:latest
10-Minute Scan Cap
Every scan stops at the 10-minute mark regardless of site size.
This hard limit ensures that security testing does not become a bottleneck in the build process, but it also means that on a large application the crawl may not reach every page before the cap, so read a clean result as "nothing found in what was reached" rather than as full coverage.
For larger applications requiring deeper analysis, PortSwigger recommends Burp Suite Enterprise.
Installation
Dastardly runs as a Docker container with no local installation required:
# Pull the official image
docker pull public.ecr.aws/portswigger/dastardly:latest
# Run a scan: the start URL and report path are passed as environment variables
docker run --rm --user "$(id -u)" \
  -v "$(pwd)":/dastardly \
  -e BURP_START_URL=https://your-app.example.com/ \
  -e BURP_REPORT_FILE_PATH=/dastardly/dastardly-report.xml \
  public.ecr.aws/portswigger/dastardly:latest
The -v mount makes the report available on your host after the container exits, and --user "$(id -u)" makes the container write it as your own user rather than as root, so the file is readable and deletable without sudo.
The target must be reachable from wherever the container runs, and you should only point the scanner at environments you are authorized to test.
CI/CD Integration
GitHub Actions
Add Dastardly to your GitHub Actions workflow. PortSwigger publishes an action that wraps the container; the test-reporter step creates a check run, which needs the checks: write permission:
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
  checks: write
jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - name: Run Dastardly Scan
        uses: PortSwigger/dastardly-github-action@main
        with:
          target-url: 'https://staging.example.com'
          output-file: 'dastardly-report.xml'
      # if: always() keeps the report even when the scan step fails the job
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dastardly-report
          path: dastardly-report.xml
      - name: Publish Test Results
        if: always()
        uses: dorny/test-reporter@v1
        with:
          name: DAST Results
          path: dastardly-report.xml
          reporter: java-junit
GitLab CI
Integrate Dastardly into your GitLab pipeline by using the image as the job image. Because GitLab overrides the image's entrypoint, the scan script is invoked explicitly, and the scanner reads its target and report path from environment variables rather than flags:
dast:
  stage: test
  image: public.ecr.aws/portswigger/dastardly:latest
  variables:
    # STAGING_URL is expected to be defined as a CI/CD variable on the project
    BURP_START_URL: "$STAGING_URL"
    BURP_REPORT_FILE_PATH: "$CI_PROJECT_DIR/gl-dast-report.xml"
  script:
    - /dastardly/dastardly.sh
  artifacts:
    when: always   # keep the report when the job fails on findings
    reports:
      junit: gl-dast-report.xml
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
Jenkins
Add a Dastardly stage to your Jenkinsfile. Running the container with docker run and mounting the workspace keeps the report where the junit step expects it, and publishing from post { always } means findings are still recorded when the scan step fails the build:
pipeline {
    agent any
    stages {
        stage('DAST Scan') {
            steps {
                // STAGING_URL is expected as a pipeline or global environment variable.
                // --user keeps the report owned by the Jenkins user, not root.
                sh '''
                    docker run --rm --user "$(id -u)" \
                      -v "${WORKSPACE}":/dastardly \
                      -e BURP_START_URL="${STAGING_URL}" \
                      -e BURP_REPORT_FILE_PATH=/dastardly/dastardly-report.xml \
                      public.ecr.aws/portswigger/dastardly:latest
                '''
            }
        }
    }
    post {
        always {
            junit 'dastardly-report.xml'
        }
    }
}
Azure DevOps
Configure Dastardly in your Azure pipeline. The hosted ubuntu-latest agent has Docker available, so the scan is a docker run with the artifact staging directory mounted for the report; condition: always() publishes the results even when the scan step fails:
stages:
  - stage: Security
    jobs:
      - job: DAST
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - script: |
              docker run --rm --user "$(id -u)" \
                -v "$(Build.ArtifactStagingDirectory)":/dastardly \
                -e BURP_START_URL="$(stagingUrl)" \
                -e BURP_REPORT_FILE_PATH=/dastardly/dast-results.xml \
                public.ecr.aws/portswigger/dastardly:latest
            displayName: 'Run Dastardly'
          - task: PublishTestResults@2
            condition: always()
            inputs:
              testResultsFormat: 'JUnit'
              testResultsFiles: '$(Build.ArtifactStagingDirectory)/dast-results.xml'
              testRunTitle: 'DAST Security Results'
Define stagingUrl as a pipeline variable; $(Build.ArtifactStagingDirectory) and $(stagingUrl) are expanded by Azure Pipelines before the script runs, while "$(id -u)" is left for the shell to evaluate.
When to Use Dastardly
Dastardly excels as a fast security gate in CI/CD pipelines.
Its speed and low false positive rate make it suitable for running on every pull request without frustrating developers with noise.
Consider Dastardly when you need:
- Free DAST scanning with no vendor lock-in
- Fast feedback in CI/CD pipelines (under 10 minutes)
- High-confidence findings with minimal false positives
- JUnit XML output for standard CI/CD integration
- Zero-configuration deployment via Docker
- A stepping stone before investing in commercial DAST
Dastardly is not a substitute for a comprehensive assessment: it crawls unauthenticated from the single start URL you give it, so it cannot exercise the logged-in functionality of complex applications, and its curated check set does not replace manual penetration testing.
For those use cases, consider Burp Suite Professional for manual testing or Burp Suite Enterprise for automated scanning.
