Installing and Configuring Acunetix Jenkins Plugin

To install the Acunetix Jenkins Plugin, navigate to Manage Jenkins > Manage Plugins and open the Available tab. Search the plugin list for Acunetix and select Install without restart.

Configuring the Acunetix Jenkins Plugin

Before starting to use the Acunetix Jenkins Plugin in a Jenkins job, you will need to configure the plugin to use an Acunetix API key.

To obtain an Acunetix API key, log in to your Acunetix installation with the administrator account and open the Administrator profile from the top-right drop-down menu.

At the bottom of the screen you will see a section called API Key. Copy the API Key. Treat it like the administrator's password: whoever holds it has the same access to Acunetix as the administrator account, so it belongs only in the Jenkins global configuration described below, never in a job script or in source control.

(Screenshot: the API Key section of the Administrator profile)

In Jenkins, navigate to Manage Jenkins > Configure System and find the Acunetix heading.

(Screenshot: the Acunetix section of Manage Jenkins > Configure System)

By default, the Acunetix API URL field points to localhost. If Jenkins runs on a different host than Acunetix, two things are needed: Acunetix must be configured to accept connections from hosts other than localhost (restrict this to the Jenkins host with a firewall rule rather than exposing the API to the whole network), and the self-signed Acunetix root CA certificate must be added to the keystore of the Java Runtime Environment (JRE) that Jenkins runs on, because the Acunetix API is served over HTTPS with a certificate issued by that CA (described below).

Paste your API key in the API Key field and click Test Connection. If all went well, you should get a success message. Save your settings to complete the configuration.

Modify the Jenkins Content Security Policy (optional)

The Acunetix Jenkins Plugin allows you to automatically generate reports. While these reports will remain in Acunetix, an HTML version of the report is also saved in the Jenkins job Workspace for convenience.

While Jenkins lets you view the HTML report, with Jenkins' default settings its Content Security Policy will not allow the inline images and CSS the report uses, so the report renders as unstyled text.

(Screenshots: the developer report rendered under the default Jenkins CSP, and the same report under the relaxed CSP)

You may either download the HTML reports and view them offline (not subject to the Jenkins CSP), or you may relax the Jenkins CSP so that it allows inline images and CSS (other plugins that publish HTML may need the same). Note that the policy is global: it applies to every file Jenkins serves from a workspace or from archived artifacts, not only to Acunetix reports. You may read more about Jenkins' CSP in the Jenkins documentation.

The following is the recommended CSP for the Acunetix Jenkins Plugin to be able to display HTML reports. It keeps the sandbox directive and default-src 'none', so any script embedded in a report still cannot run, and only opens up images (including data: URIs) and inline styles. Test your policy with a CSP evaluator before deploying it to make sure it is still secure.

sandbox; default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'
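How a practitioner would deploy the policy above, as an added example that is not part of the original post or of the plugin: the script holds the recommended policy, refuses to emit any policy that has dropped the sandbox directive or default-src 'none' or that grants script-src, and prints the two ways of handing it to Jenkins. The property name hudson.model.DirectoryBrowserSupport.CSP is the one Jenkins actually reads; how the option reaches the Jenkins command line (JAVA_ARGS in /etc/default/jenkins, JAVA_OPTS in a systemd unit) depends on your packaging and is an assumption here.

```shell
#!/bin/sh
# Added example for this page; it is not code from the Acunetix plugin or from
# Jenkins. It assembles the relaxed policy recommended above, refuses to hand
# out a policy that has lost the protections that make the relaxation safe,
# and prints the two ways of giving the policy to Jenkins. The property name
# hudson.model.DirectoryBrowserSupport.CSP is the one Jenkins reads; how you
# get the option onto the Jenkins command line is specific to your init system.

# The policy recommended above for Acunetix HTML reports. It must stay free of
# any script grant: a scanner report quotes responses from the scanned site,
# so it is attacker-influenced content served from the Jenkins origin.
ACUNETIX_CSP="sandbox; default-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'"

# csp_check POLICY
# Succeeds only if POLICY keeps a sandbox directive (scripts, forms and
# top-level navigation disabled, opaque origin), uses default-src 'none' as
# the fallback, and contains no script-src directive at all. Case and
# whitespace are normalised, so "Sandbox allow-forms ; DEFAULT-SRC 'none'"
# passes while "sandbox; default-src *" does not.
csp_check() {
    policy=$1
    has_sandbox=0
    has_none=0
    has_script=0
    while read -r directive; do
        # read (with the default IFS) trims surrounding blanks; lowercase and
        # collapse internal whitespace so the comparisons below are exact.
        directive=$(printf '%s' "$directive" | tr 'A-Z' 'a-z' | tr '\t' ' ' | tr -s ' ')
        case $directive in
            '')                        ;;
            sandbox|'sandbox '*)       has_sandbox=1 ;;
            "default-src 'none'")      has_none=1 ;;
            script-src|'script-src '*) has_script=1 ;;
        esac
    done <<EOF
$(printf '%s' "$policy" | tr ';' '\n')
EOF
    [ "$has_sandbox" -eq 1 ] && [ "$has_none" -eq 1 ] && [ "$has_script" -eq 0 ]
}

# csp_java_option POLICY
# The JVM system property that sets the policy persistently. Pass it on the
# java command line that starts Jenkins (or in the JAVA_OPTS/JAVA_ARGS your
# init system expands). The value contains spaces and single quotes, so quote
# it the way that shell or unit file requires, or it will be split into
# several arguments.
csp_java_option() {
    printf '%s%s\n' '-Dhudson.model.DirectoryBrowserSupport.CSP=' "$1"
}

# csp_script_console POLICY
# The same setting for the Jenkins Script Console: convenient for trying a
# policy out, but it only lasts until the next restart.
csp_script_console() {
    printf 'System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "%s")\n' "$1"
}

# Gate: never print a deployable option for a policy that failed the check.
if ! csp_check "$ACUNETIX_CSP"; then
    echo "refusing to deploy a CSP that drops sandbox/default-src or grants script-src" >&2
    exit 1
fi
csp_java_option "$ACUNETIX_CSP"
csp_script_console "$ACUNETIX_CSP"
```

The check is deliberately conservative: a policy that lists other sources next to 'none' or that adds any script-src is rejected rather than repaired, because the whole point of relaxing only img-src and style-src is that scanner output, which echoes content from the target site, never gets to execute in the Jenkins origin.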

Add the Acunetix Root CA Certificate to Jenkins

This section shows how to add the Acunetix root CA certificate to the Java Runtime Environment (JRE) keystore (trusted certificate store) on Linux. The procedure on other operating systems is similar.

Before adding the certificate to the JRE keystore, copy the certificate (the .cer file from your Acunetix installation) to the host running Jenkins. The self-signed Acunetix Root CA certificate is found at C:\ProgramData\Acunetix 11\certs\ca.cer. After copying it, compare its fingerprint with the one shown on the Acunetix host, so that you do not end up trusting a certificate that was swapped on the way over.

Once the certificate is on the Jenkins machine, add it to the cacerts keystore of the JRE. On Java 8 this lives under jre/lib/security in the JDK directory (lib/security on Java 9 and later, which no longer has a separate jre directory). Before you can do this you must know where the Java Development Kit (JDK) is located on your system, and it must be the JDK that Jenkins itself runs on: if several versions are installed, the Jenkins service's JAVA setting may differ from the Java in your interactive shell, and importing into the wrong keystore does nothing for Jenkins.

The following are two methods of finding out where the JDK is located on your system.

Locate your Java Installation

Using $JAVA_HOME

You can try echoing the contents of the $JAVA_HOME environment variable to learn where Java is installed on your system.

~# echo $JAVA_HOME
/usr/lib/jvm/java-8-openjdk-amd64

Following Symlinks

If the above method did not work, you may try finding the JDK on your system by following symlinks to the Java executable. The below is an example of how to follow symlinks to find the JDK.

~# whereis java
java: /usr/bin/java /usr/share/java /usr/share/man/man1/java.1.gz
~# ls -ltr /usr/bin/java
lrwxrwxrwx 1 root root 22 Feb 7 20:04 /usr/bin/java -> /etc/alternatives/java
~# ls -ltr /etc/alternatives/java
lrwxrwxrwx 1 root root 46 Feb 7 20:04 /etc/alternatives/java -> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

Import the Root CA certificate

To import the Acunetix Root CA certificate into the JRE keystore, use the keytool certificate management utility that comes bundled with Java.

The following command imports the certificate into the JRE’s cacerts keystore.

~# keytool -import -trustcacerts -alias AcunetixCA -keystore /path/to/jdk/jre/lib/security/cacerts -file /path/to/ca.cer

keytool first prompts for the keystore password (a stock cacerts store ships with the password changeit), then displays the certificate's contents and asks whether to trust it. Check the fingerprint it shows against the one you took on the Acunetix host, type yes, and the certificate is imported into the JRE's keystore. On Debian and Ubuntu the cacerts file is managed by the ca-certificates-java package and may be regenerated when that package or Java is upgraded, so recheck the entry after updates (or, as the distribution-native alternative, place the certificate as a .crt file under /usr/local/share/ca-certificates and run update-ca-certificates, which also refreshes the Java keystore there). Restart Jenkins afterwards so the running JVM picks up the new trust anchor.

To verify the entry was added successfully, run the following command.

~# keytool -list -keystore /path/to/jdk/jre/lib/security/cacerts -alias AcunetixCA
AcunetixCA, Feb 28, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 36:C2:0B:6F:74:0F:CD:C0:42:CF:4A:D7:DB:7B:01:B1:70:13:97:66
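The two parts of this section, locating the JVM and then importing and verifying the certificate, put together in one script, as an added example that is not code from Acunetix or from the plugin. It assumes keytool and readlink -f are on PATH, that the keystore password is the stock changeit (override with the STOREPASS environment variable), that the Java 9+ layout (lib/security/cacerts) may be present alongside the Java 8 one, and that you have taken the certificate's SHA-256 fingerprint on the Acunetix host (for example with certutil -hashfile ca.cer SHA256, or from the certificate viewer) and pass it as the second argument; the alias AcunetixCA is the one used above.

```shell
#!/bin/sh
# Added example for this page; it is not code from Acunetix or the plugin.
# It finds the trust store of the JVM, checks the copied ca.cer against a
# fingerprint taken on the Acunetix host, imports it without prompting and
# confirms the entry. The alias AcunetixCA and the Java 8 layout follow the
# page; the Java 9+ layout, the default keystore password and the use of
# readlink -f are assumptions about your host.
#
# usage: sh import-acunetix-ca.sh /path/to/ca.cer <sha256 fingerprint>

# The stock cacerts store ships with this password; set STOREPASS if yours
# differs.
STOREPASS=${STOREPASS:-changeit}

# java_home
# JAVA_HOME if set, otherwise the installation that owns the `java` on PATH,
# found by resolving the whole symlink chain in one step (readlink -f) instead
# of by hand. Make sure this is the JVM Jenkins runs on; on a host with several
# JDKs compare it with the binary of the running Jenkins process.
java_home() {
    if [ -n "${JAVA_HOME:-}" ]; then
        printf '%s\n' "$JAVA_HOME"
        return 0
    fi
    bin=$(command -v java) || return 1
    bin=$(readlink -f "$bin") || return 1
    printf '%s\n' "${bin%/bin/java}"
}

# cacerts_path JAVA_HOME
# Java 8 keeps the trust store at jre/lib/security/cacerts under a JDK and at
# lib/security/cacerts under a bare JRE; Java 9+ dropped the jre/ directory,
# so only the second form exists there.
cacerts_path() {
    for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# normalize_fp FINGERPRINT
# Strip the colons and spaces that keytool, openssl and Windows certutil put
# in different places, and lowercase, so two renderings of one hash compare
# equal.
normalize_fp() {
    printf '%s\n' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# cert_fingerprint CERTFILE
# SHA-256 fingerprint as keytool prints it; keytool reads both DER and PEM.
cert_fingerprint() {
    keytool -printcert -file "$1" | awk '/SHA256:/ { print $2; exit }'
}

# import_ca CACERTS CERTFILE [ALIAS]
# Idempotent: does nothing if ALIAS is already present. -noprompt replaces the
# interactive "Trust this certificate?" question, which is only acceptable
# because the fingerprint has been checked first.
import_ca() {
    store=$1
    cert=$2
    alias=${3:-AcunetixCA}
    if keytool -list -keystore "$store" -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already present in $store" >&2
        return 0
    fi
    keytool -importcert -trustcacerts -noprompt -alias "$alias" \
        -keystore "$store" -storepass "$STOREPASS" -file "$cert"
}

main() {
    cert=$1
    expected=$(normalize_fp "$2")
    home=$(java_home) || { echo "no JRE found; set JAVA_HOME" >&2; return 1; }
    store=$(cacerts_path "$home") || { echo "no cacerts under $home" >&2; return 1; }
    actual=$(normalize_fp "$(cert_fingerprint "$cert")")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got '$actual', expected '$expected'" >&2
        return 1
    fi
    import_ca "$store" "$cert" || return 1
    keytool -list -keystore "$store" -storepass "$STOREPASS" -alias AcunetixCA
    echo "imported into $store; restart Jenkins so the JVM picks it up" >&2
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

The fingerprint comparison is what makes the non-interactive import safe: without it, -noprompt would trust whatever file happened to arrive under the name ca.cer. The script does not cover the Debian ca-certificates-java hook that can regenerate cacerts on upgrades; after a Java update, rerun it (the import is idempotent) or check the alias with keytool -list.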

Add an Acunetix Scan as a Build Step in a Jenkins Job

To add an Acunetix Scan as a build step in a Jenkins job, navigate to an existing job’s configuration, or create a new job. In the Build step, select Acunetix from the Add build step drop-down.

You will then be presented with the options outlined below.

  • Scan Type – Choose the Scan Type with which you want the scan to run. Scan Types reduce the scope of the tests the scanner runs during the scan.
  • Scan Target – Choose the Scan Target you wish to scan. Scan Targets are obtained from Acunetix, with the exception of Targets requiring Manual Intervention. Each entry includes part of the Target description to distinguish Targets that share the same URL.
  • Fail build if threat level is – Choose the threat level at which to fail the Jenkins build, based on the scan's threat level (High severity, Medium severity or Low severity).
  • Stop the scan when build fails – Check this checkbox to abort the scan as soon as the condition in Fail build if threat level is is met. This setting is enabled by default.
  • Generate Report – Choose a report to generate upon completion of the scan. The report will be accessible inside Acunetix, and an HTML version of the report will also be saved to the Jenkins workspace.