DAST action

Last updated: Apr 21, 2026

The DAST action runs Fluid Attacks' dynamic application security testing scanner in your GitHub Actions workflows, detecting vulnerabilities in your live web application by actively probing the URLs you configure.

Marketplace: fluidattacks/dast-action

Setup

1. Create the configuration file

Create a YAML configuration file anywhere in your repository. For example, .github/dast-config.yaml:

language: EN
strict: false
output:
  file_path: results-dast.sarif
  format: SARIF
dast:
  urls:
    - url: https://www.myapp.com
    - url: https://www.myapp.com/api

  • language — language for vulnerability descriptions in the output (EN for English, ES for Spanish).
  • strict — when false, the scanner reports findings but does not fail the pipeline. Set to true to break the build on any detected vulnerability.
  • output.file_path — path where results are written. When format is SARIF, this path is also exposed as the sarif_file action output.
  • output.format — SARIF produces the standard format consumed by GitHub's code scanning API. Use CSV for a spreadsheet-friendly report.
  • dast.urls — list of URLs the scanner will probe. The target application must be running and reachable from the GitHub Actions runner.

2. Create the workflow

Add .github/workflows/dast.yml to your repository:

name: DAST
on:
  push:
  pull_request:
    types: [opened, synchronize, reopened]
  schedule:
    - cron: "0 8 * * 1" # optional: weekly scan every Monday at 8am

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: fluidattacks/dast-action@<version>
        id: scan
        with:
          scan_config_path: .github/dast-config.yaml

Replace <version> with the latest release tag. Find it on the Marketplace page.

  • The target application must be publicly reachable or accessible from the runner when the workflow runs.

3. Push and run

Commit both files and push. The scan runs automatically on the next push or pull request.

Action inputs

Input | Required | Default | Description
scan_config_path | Yes | (none) | Path to the YAML configuration file, relative to the repository root. The job fails immediately if the file does not exist at that path.

Action outputs

Output | Description
sarif_file | Path to the SARIF results file (only set when output.format is SARIF)
vulnerabilities_found | true if any vulnerabilities were detected, false otherwise

You can use these outputs in subsequent workflow steps:

- name: Comment on PR
  if: steps.scan.outputs.vulnerabilities_found == 'true'
  run: echo "Vulnerabilities detected — check the Security tab."

Common scenarios

Scan a staging environment on pull requests only

on:
  pull_request:
    types: [opened, synchronize, reopened]

Point the URL in your configuration file to a staging environment that is deployed as part of the PR workflow.

Strict mode: block merges with vulnerabilities

Set strict: true in your configuration file and enable Require status checks to pass before merging in your repository's branch protection settings.

strict: true

Export results as CSV

output:
  file_path: results-dast.csv
  format: CSV

Troubleshooting

No results appear in the Security tab

DAST findings cannot be uploaded to the GitHub Security tab. GitHub's code scanning API requires each vulnerability to reference a specific file and line number, which does not apply to web application vulnerabilities detected at runtime.

To review DAST results, use the output file produced by the scanner. Set output.format: SARIF or CSV in your configuration file and read the file as a workflow artifact, or pipe it to a reporting tool of your choice.
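The following workflow combines the pull-request scenario above with the artifact-based review described here; it is an added example, not a workflow shipped with the action. It assumes the configuration file sets strict: false and output.format: SARIF (so sarif_file is populated), and that <version> is replaced with a release tag from the Marketplace page; actions/upload-artifact@v4 is GitHub's standard artifact action.

```yaml
name: DAST on pull requests

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Probe the URLs listed in .github/dast-config.yaml (assumed to point at
      # the staging environment deployed for this PR).
      - uses: fluidattacks/dast-action@<version>   # replace <version> with a release tag
        id: scan
        with:
          scan_config_path: .github/dast-config.yaml

      # DAST findings cannot be uploaded to the Security tab, so keep the SARIF
      # file produced by the scanner as a downloadable workflow artifact.
      - uses: actions/upload-artifact@v4
        with:
          name: dast-results
          path: ${{ steps.scan.outputs.sarif_file }}

      # With strict: false the scan step itself never fails. This step fails
      # the job only when findings exist, so a "require status checks" rule on
      # the branch still blocks the merge while the report stays retrievable.
      - name: Fail on findings
        if: steps.scan.outputs.vulnerabilities_found == 'true'
        run: |
          echo "DAST reported vulnerabilities; download the dast-results artifact to review them."
          exit 1
```

Because the artifact upload runs before the failing step, reviewers can always fetch the report from the workflow run even when the check is red.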

The scanner cannot reach the target URL

The GitHub Actions runner must have network access to the URLs configured in dast.urls. Private or internal URLs require a self-hosted runner on the same network.

The pipeline fails unexpectedly

If strict: true is set, the pipeline fails whenever vulnerabilities are found. Set strict: false to report findings without failing the pipeline.

The job fails with "not found in repository"

The path provided to scan_config_path does not exist in the repository. Verify the path is correct and relative to the repository root.

See the Marketplace page for all configuration options and additional troubleshooting.
