DAST Scanner
Levo's AI-driven Dynamic Application Security Testing scanner for web apps and APIs. Discover your attack surface automatically, run passive and active security tests, and manage findings from a single dashboard, whether you run locally, in Kubernetes, or in your CI pipeline.
Is DAST right for you?
Use the DAST Scanner when you want to test a running web app or API from the outside, simulating what an attacker with a browser and a token can see and do.
| You should pick… | If… |
|---|---|
| DAST Scanner | You have a deployed web UI or API, and you care about runtime issues: reflected/stored XSS, SQLi, SSRF, IDOR, auth bypass, exposed CVEs in JS libraries. |
| API Security Testing | You have traffic already flowing through a Satellite / sensor and want continuous, OWASP-API-Top-10 tests derived from live specs. |
| Both | Most mature programs run DAST pre-release on staging and API Security Testing continuously in pre-prod/prod. They're complementary, not redundant. |
What a scan produces
A single run gives you a Findings list in the dashboard plus a SARIF/JSON export. Each finding has:
- Severity: Critical · High · Medium · Low · Info.
- Category: e.g., Reflected XSS, Time-based SQL Injection, Open Redirect, JS Library CVE.
- Evidence: the exact request/response pair that triggered the detection, the payload, and any out-of-band probe result.
- Reproduction: a one-click curl / HAR snippet to replay the finding manually.
- Remediation: category-level guidance with CWE / OWASP references.
Example finding card (abbreviated):
[HIGH] Reflected XSS: GET /search?q=<payload>
Evidence: payload <script>alert(1)</script> reflected unsanitized in response body (line 142).
CWE-79 · OWASP A03:2021 · Seen first: 2026-04-21 14:02 UTC
Remediation: context-aware output encoding on the `q` parameter.
DAST Scanner is in Beta. That means active development, weekly releases, and responsive support, but expect occasional rough edges on new detections. There is no SLA, and the YAML schema may gain fields (additive, not breaking; the schema's extra = "forbid" setting flags any field it does not recognise). For production critical-path gating, start with fail_on: "critical" until you have calibrated the signal.
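The SARIF/JSON export and the fail_on threshold above are what a CI security gate consumes. The following is an added illustration, not Levo's own code: it reads a SARIF export, maps each result to the Critical..Info scale, and exits non-zero when any finding meets the threshold. The `properties.severity` field and the sample export are assumptions constructed for this example; the standard SARIF `level` field is used as a fallback.

```python
import json
import sys

# Severity scale the dashboard uses: Critical > High > Medium > Low > Info.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# Fallback when a result carries only the standard SARIF `level`.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


def result_severity(result: dict) -> str:
    """Severity of one SARIF result on the Critical..Info scale.

    Assumption (not confirmed by the page): the exporter stores it as
    result["properties"]["severity"]; otherwise derive it from `level`.
    """
    props = result.get("properties") or {}
    sev = str(props.get("severity", "")).lower()
    if sev in SEVERITY_RANK:
        return sev
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def gate(sarif: dict, fail_on: str = "critical") -> list:
    """Return (severity, ruleId, message) for every finding at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    blocking = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            sev = result_severity(result)
            if SEVERITY_RANK[sev] >= threshold:
                msg = result.get("message", {}).get("text", "")
                blocking.append((sev, result.get("ruleId"), msg))
    return blocking


# Constructed sample export shaped like the abbreviated finding card above.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "reflected-xss", "level": "error",
     "properties": {"severity": "High"},
     "message": {"text": "GET /search?q=<payload> reflects input unencoded"}},
    {"ruleId": "js-library-cve", "level": "note",
     "message": {"text": "outdated JS library with a known CVE"}},
]}]}

if __name__ == "__main__":
    path, fail_on = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "critical")
    with open(path, encoding="utf-8") as fh:
        blocking = gate(json.load(fh), fail_on)
    for sev, rule, msg in blocking:
        print(f"[{sev.upper()}] {rule}: {msg}")
    sys.exit(1 if blocking else 0)  # non-zero exit blocks the pipeline stage
```

With fail_on "critical" the sample export passes the gate; lowering the threshold to "high" blocks on the reflected XSS finding, which is the calibration step the Beta note recommends doing deliberately.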
- Run your first scan from the Levo dashboard in under 5 minutes.
- Configure, run, and monitor scans from the Levo UI.
- Run shadownet from Docker, Kubernetes, or a CI job.
Authenticate your app
- Pick the right method: none, token, form, or AI-driven.
- Scan apps that require a username + password.
- Scan APIs behind a Bearer or JWT token.
- Let the scanner discover the login flow for you.
Configure scans
- Commit your scan configuration to version control.
- Reference for CLI flags, env vars, and Docker options.
- Every shadownet command and exit code.
Automate & integrate
- GitHub Actions, GitLab CI, and SARIF output for security gates.
- Run recurring scans from the Levo dashboard.
- Deploy a long-lived worker via Helm.
- Triage, export, and track remediation from the dashboard.
What does DAST Scanner do?
- Automated discovery: intelligent crawling maps pages, forms, and API endpoints.
- Comprehensive testing: passive analysis, active injection (XSS, SQLi, SSRF, IDOR, 30+ categories), CVE scanning, and AI-powered validation.
- Flexible authentication: form login, bearer token, OAuth, or AI-guided auto-discovery.
- Multiple deployments: Docker, Kubernetes, or the Levo-managed cloud runner.
- Dashboard + CI/CD: findings flow to the Levo dashboard and to SARIF/JSON for security gates.
Need help? Check the FAQs or the troubleshooting guide.