qa-dast
DAST (dynamic application security testing): 6 skills (burp-headless, dast-baseline-runner, nightvision-dast, nuclei-dast, zap-authenticated-scans, zap-baseline) and 1 agent (dast-finding-triager). Sister to qa-sast for runtime vulnerabilities. Every scanner skill includes a mandatory False-positive triage section.
Install this plugin
/plugin install qa-dast@testland-qa
Part of role bundle: qa-role-security
qa-dast
DAST (dynamic application security testing). Three per-tool skill wrappers (OWASP ZAP, Burp Suite Pro/Enterprise, NightVision) plus a build-an-X cadence skill (dast-baseline-runner) and an adversarial unifier agent (dast-finding-triager).
Sister to qa-sast - covers runtime vulnerabilities (auth, session, input handling at runtime) that SAST can't see by reading source code. Every scanner skill includes a `## False-positive triage` section.
Components
| Type | Name | Description |
|---|---|---|
| Skill | zap-baseline | OWASP ZAP baseline (passive, PR-blocking-safe) + zap-full-scan companion (active, staging-only); auth via context file; rule customization TSV |
| Skill | burp-headless | Burp Suite Pro REST API + Enterprise CI integration; BApp Store extensions; session-handling rules for auth |
| Skill | nightvision-dast | White-box-assisted DAST tracing findings to source; OpenAPI / Postman / GraphQL targets; Interactive Logins / Header / Cookie / TOTP auth |
| Skill | dast-baseline-runner | Build-an-X for layered DAST cadence: ZAP baseline (PR) → ZAP full + NightVision (nightly) → Burp deep (per-release); baseline-finding ratchet; coverage measurement |
| Agent | dast-finding-triager | Adversarial unifier across all 3 sister scanners; deduplicates by (URL, method, parameter, finding-class); waiver enforcement; refuses pass with unwaived critical findings |
| Skill | nuclei-dast | Nuclei template-based HTTP scanning; JSONL output feeds dast-finding-triager. |
| Skill | zap-authenticated-scans | Authenticated DAST setup: ZAP auth scripts, session management, OAuth/CSRF handling. |
Install
/plugin marketplace add testland/qa
/plugin install qa-dast@testland-qa
Skills
burp-headless
Configures and runs Burp Suite Professional / Enterprise headless - Burp Scanner is "a web vulnerability scanning tool built into Burp Suite Professional"; Pro edition runs scans via REST API or scheduled-tasks; Enterprise edition is purpose-built for CI-driven scanning at scale; supports BApp Store extensions (BCheck, custom scanners); auth via session-handling rules. Use when the team has a Burp Suite license and needs paid-tier DAST coverage layered on top of OWASP ZAP.
dast-baseline-runner
Designs an end-to-end DAST cadence for teams adopting dynamic scanning: ZAP passive baseline (PR-blocking) then ZAP full active scan (nightly on staging) then optional Burp Pro deep scan (per-release). Handles the baseline-finding ratchet for legacy apps so pre-existing findings do not immediately block PRs, plus per-tool per-run deduplication and CI workflow YAML. Use when the team is setting up DAST from scratch or restructuring scan cadence, not when tools are already running and you need to merge their output (see dast-finding-triager for cross-tool aggregation of existing independent runs).
nightvision-dast
Configures and runs NightVision white-box-assisted DAST: analyzes source code before attacking, traces every finding to its origin line, and drives coverage from OpenAPI / Postman / GraphQL specs rather than crawling. Supports Header, Cookie, TOTP, and recorded Interactive Login auth; exports findings as SARIF for GitHub Code Scanning, plus JSON, CSV, or PDF. Per-finding suppression via Alert Rules; CLI integration via the `nightvision` command. Use when source-traceable findings and spec-driven request coverage matter, not just authenticated black-box scanning (see zap-authenticated-scans for that).
nuclei-dast
Installs and runs ProjectDiscovery Nuclei template-based HTTP scanning: selects templates via `-t <path>` and `-tags`/`-severity` filters, controls request rate with `-rl`, emits JSONL output via `-j` for the dast-finding-triager, authors custom YAML matchers for app-specific checks, and gates CI on severity thresholds. Use when the team runs Nuclei alongside ZAP for template-driven DAST coverage, needs fuzzing-style probes beyond ZAP passive scan, or wants to operationalize community CVE templates in a pipeline.
zap-authenticated-scans
Configures authenticated DAST sessions in ZAP - ZAP Context + Authentication Method (form, JSON, script, browser-based, HTTP/NTLM), Session Management strategy (cookie, header, script), Verification Strategy (regex indicators, poll-URL), CSRF token handling, OAuth/bearer header injection, logged-in/logged-out indicator calibration, and context XML export for use with `-n` in baseline and full scans. Use when the team needs DAST coverage of authenticated routes - the most common DAST gap and the hardest DAST setup to get right.
zap-baseline
Configures and runs OWASP ZAP baseline scanning: `zap-baseline.py` Docker-packaged spider + passive scan suitable for CI gating; supports `-t target_url` + `-r html_report` + `-c config_file` rule customization (INFO/IGNORE/FAIL warnings) and Ajax spider via `-j` for JS-heavy SPAs. Passive-only; for active injection probes use `zap-full-scan.py` via zap-authenticated-scans. Accepts `-n context_file` for pre-configured auth contexts (see zap-authenticated-scans for setting up auth from scratch). Use when the user runs OWASP ZAP for pre-prod web app DAST.