CI/CD Integration

Run DAST on every push, every PR, or on a schedule. The scanner ships as a Docker image and returns a non-zero exit code when findings cross the --fail-on threshold — perfect for blocking a pipeline.

levo-dast.yml — commit the scan config to the repo. Only secrets stay in CI. Recommended.
CLI flags — one-off invocations with all options on the command line.

Key concepts

CI/CD flags

--ci / --non-interactive — run without prompts.
--fail-on <severity> — exit 1 if any finding at or above the threshold (critical · high · medium · low).
--output json — machine-readable findings on stdout.

Exit codes

Code	Meaning
0	Scan completed; no findings above `--fail-on` threshold.
1	Scan failed, or findings at/above `--fail-on`.
130	Scan interrupted.

GitHub Actions

Basic workflow

With levo-dast.yml
With CLI flags

levo-dast.yml checked into the repo:

version: "1"
name: "acme-webapp"
target:
  url: "${TARGET_URL}"
auth:
  strategy: "none"
scan:
  depth: "smart"

.github/workflows/dast.yml:

name: DAST Security Test

on:
  push:
    branches: [main, develop]
  schedule:
    - cron: '0 2 * * *'

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run DAST
        run: |
          docker run --rm --shm-size=1g \
            -v "$PWD/levo-dast.yml:/work/levo-dast.yml:ro" \
            -w /work \
            -e TARGET_URL=${{ secrets.TARGET_URL }} \
            -e LEVOAI_AUTH_KEY=${{ secrets.LEVOAI_AUTH_KEY }} \
            -e LEVOAI_ORG_ID=${{ secrets.LEVOAI_ORG_ID }} \
            levoai/levoai-shadownet:stable \
            scan --config /work/levo-dast.yml --ci --fail-on high

name: DAST Security Test

on:
  push:
    branches: [main, develop]
  schedule:
    - cron: '0 2 * * *'

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run DAST
        run: |
          pip install shadownet
          playwright install chromium

          shadownet scan ${{ secrets.TARGET_URL }} \
            --ci \
            --auth none \
            --fail-on high

Authenticated scan

With levo-dast.yml
With CLI flags

levo-dast.yml:

version: "1"
name: "acme-webapp-staging"
target:
  url: "${STAGING_URL}"
auth:
  strategy: "form"
  login_url: "${LOGIN_URL}"
  username: "${SCAN_USERNAME}"
scan:
  depth: "smart"

Workflow:

- name: Run authenticated DAST
  run: |
    docker run --rm --shm-size=1g \
      -v "$PWD/levo-dast.yml:/work/levo-dast.yml:ro" \
      -w /work \
      -e STAGING_URL=${{ secrets.STAGING_URL }} \
      -e LOGIN_URL=${{ secrets.LOGIN_URL }} \
      -e SCAN_USERNAME=${{ secrets.SCAN_USERNAME }} \
      -e LEVOAI_AUTH_KEY=${{ secrets.LEVOAI_AUTH_KEY }} \
      -e LEVOAI_ORG_ID=${{ secrets.LEVOAI_ORG_ID }} \
      levoai/levoai-shadownet:stable \
      scan --config /work/levo-dast.yml \
           --password "${{ secrets.SCAN_PASSWORD }}" \
           --ci --fail-on critical

- name: Run authenticated DAST
  run: |
    pip install shadownet
    playwright install chromium

    shadownet scan ${{ secrets.STAGING_URL }} \
      --ci \
      --auth form \
      --login-url ${{ secrets.LOGIN_URL }} \
      --username ${{ secrets.SCAN_USERNAME }} \
      --password ${{ secrets.SCAN_PASSWORD }} \
      --fail-on critical

GitHub secret setup

Secret	Value
`TARGET_URL`	`https://example.com`
`STAGING_URL`	`https://staging.example.com`
`LOGIN_URL`	`https://example.com/login`
`SCAN_USERNAME`	Service account username
`SCAN_PASSWORD`	Service account password
`LEVOAI_AUTH_KEY`	Levo auth key
`LEVOAI_ORG_ID`	Organization ID

GitLab CI

dast:
  image: docker:24
  services: [docker:24-dind]
  stage: test
  script:
    - |
      docker run --rm --shm-size=1g \
        -v "$PWD/levo-dast.yml:/work/levo-dast.yml:ro" \
        -w /work \
        -e TARGET_URL -e SCAN_USERNAME \
        -e LEVOAI_AUTH_KEY -e LEVOAI_ORG_ID \
        levoai/levoai-shadownet:stable \
        scan --config /work/levo-dast.yml \
             --password "$SCAN_PASSWORD" \
             --ci --fail-on high

Best practices

Service accounts for auth — don't scan with a developer's personal account.
Scan staging, not production. If you must scan prod, follow Scanning production safely.
Set fail_on deliberately. high blocks pipelines on high/critical; critical only blocks on critical. Pick the one your team will actually fix, not the one that looks strictest.
Schedule deep scans off-peak and keep PR scans fast (depth: smart, low max_pages).
Version-control levo-dast.yml — you'll thank yourself the next time someone tunes the scan.

Example: PR-fast, nightly-thorough

Two YAML files in the repo, picked by environment:

# PR job
shadownet scan --config levo-dast.pr.yml

# Nightly job
shadownet scan --config levo-dast.nightly.yml

Next steps

CLI reference — every flag and exit code.
YAML schema reference — every YAML field.
Levo dashboard — findings triage and reporting.
Configuration — environment variables and advanced scan settings.

Was this page helpful?

Key concepts​

CI/CD flags​

Exit codes​

GitHub Actions​

Basic workflow​

Authenticated scan​

GitHub secret setup​

GitLab CI​

Best practices​

Example: PR-fast, nightly-thorough​

Next steps​