Dastardly, from Burp Suite – PortSwigger

Dastardly

Dastardly is a free and lightweight web application security scanner for your CI/CD pipeline. It’s designed specifically for web developers and checks your application for seven security issues you might be interested in when developing software. Dastardly is based on the same scanner as Burp Suite (Burp Scanner).

Configuration

Dastardly requires minimal setup. When running a Dastardly scan, all you have to do is provide the starting URL you want to scan. The starting URL is the point from which Dastardly crawls your target web application. From there, Dastardly analyzes all URLs it finds below the starting URL in the hierarchy.

Scanning

Dastardly uses dynamic application security testing (DAST) to analyze your target web application: it scans the application in its deployed, running state. This differs from static analysis (SAST), which examines application code before it is deployed.

Dastardly scans are limited to ten minutes. Note that this may not be enough to get full coverage of larger or more complex web applications. Burp Suite Enterprise Edition and Burp Suite Professional are both capable of scanning without this limitation.

Results

Dastardly produces its analysis reports in JUnit XML format. Issues found by Dastardly are accompanied by detailed remediation advice and evidence in the form of the request sent by Dastardly to produce the issue, as well as the response sent by the application.
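Because the report is JUnit XML, a pipeline step can parse it and fail the build on findings above a chosen severity. The following is an added example, not PortSwigger's code; the exact element layout and the severity attribute are assumptions, and the report content is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in JUnit XML shape. The layout (one <testcase>
# per finding, with a <failure> carrying the severity) is an assumption;
# the issue names and URLs are made up for this example.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="https://app.example.test/" tests="3" failures="2">
    <testcase name="Cross-site scripting (reflected)" classname="https://app.example.test/search?q=">
      <failure message="Severity: High" type="High">request/response evidence here</failure>
    </testcase>
    <testcase name="Vulnerable JavaScript dependency" classname="https://app.example.test/static/app.js">
      <failure message="Severity: Low" type="Low">request/response evidence here</failure>
    </testcase>
    <testcase name="Strict transport security not enforced" classname="https://app.example.test/"/>
  </testsuite>
</testsuites>
"""

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}


def parse_findings(xml_text):
    """Return one dict per <testcase> that carries a <failure> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for case in root.iter("testcase"):
        failure = case.find("failure")
        if failure is None:  # a testcase without <failure> is a clean check
            continue
        findings.append({
            "issue": case.get("name"),
            "location": case.get("classname"),
            "severity": failure.get("type", "Info"),
        })
    return findings


def gate(xml_text, threshold="Medium"):
    """Decide whether the build should fail: any finding at or above threshold blocks."""
    limit = SEVERITY_RANK[threshold]
    findings = parse_findings(xml_text)
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= limit]
    return {"total": len(findings), "blocking": blocking, "fail": bool(blocking)}


if __name__ == "__main__":
    result = gate(SAMPLE_REPORT)
    for f in result["blocking"]:
        print(f"[{f['severity']}] {f['issue']} at {f['location']}")
    raise SystemExit(1 if result["fail"] else 0)
```

Lower-severity findings still appear in the report; only those at or above the threshold turn the pipeline red, so a team can tighten the threshold over time.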

Integrating Dastardly with your existing CI/CD platform

Dastardly system requirements

  • We recommend running Dastardly on a machine with at least 4 CPU cores and 4 GB of RAM. While this should be fine for most use cases, larger or more complex target applications may require more resources.

  • Your agent or CI/CD build node must be configured to run Docker containers.

  • The CI/CD build agent or the node that Docker is running on must be able to access the PortSwigger public image repository (public.ecr.aws/portswigger/) as well as the target application you want to analyze.

Dastardly troubleshooting

PortSwigger provides support for issues you encounter with Dastardly scans themselves. We do not provide support for issues involving your CI/CD platform, or Dastardly’s integration with that platform.

If you have any problem with a Dastardly scan, please see our user forum and/or consult the Dastardly FAQ.
