Step by Step Configuration of Acunetix with Jenkins

Acunetix offers out-of-the-box integration with Jenkins CI. The setup procedure requires the Acunetix API key, which is available for Enterprise editions.

Before proceeding any further, ensure that you have installed the latest version of Acunetix. You can download it from https://www.acunetix.com/fullver 

Note that these instructions are for a Windows installation but you can easily modify them for a Linux installation.

The Acunetix installer automatically generates two certificates for user interface access. You can find them in the C:\ProgramData\Acunetix\certs directory. You must install the CA certificate (ca.cer) in the cacerts keystore of the Java runtime that Jenkins uses.

Initial Configuration of Acunetix and Jenkins

You can download Jenkins from https://jenkins.io/download/. Jenkins works on platforms such as Windows, Linux distributions, and in Docker containers. After you install Jenkins, access its interface in a web browser and click on Manage Jenkins.

The Jenkins management page provides an overview of configurable settings. Navigate to Manage Plugins and download the latest Acunetix plugin from the Available view pane. After you select it, click on Install without restart to install the plugin.

Navigate back to the management page and select Configure System. Scroll down to the bottom of the page to see the Acunetix configuration section.

Acunetix API

By default, the Acunetix API URL field contains the value localhost. If your Jenkins instance is deployed on a different host than your Acunetix instance, you need to make Acunetix reachable from hosts other than localhost. If you are using Acunetix Online, you should use https://online.acunetix.com/api/v1.

To get the Acunetix API URL, append /api/v1 to the address used to access the Acunetix UI. You can select the Acunetix API key after you add it to the Jenkins API list. Click on the Add button to configure the API key.

Get the Acunetix API Key

To obtain an Acunetix API key, open Acunetix, log into the administrator account, and navigate to the administrator profile from the top-right dropdown menu.

You can find the Acunetix API key in the API Key section.

1. Make the following changes in the Jenkins Credentials Provider:

  • Domain: Select Global credentials
  • Kind: Select Secret text
  • Secret: Paste your Acunetix API key
  • ID: Leave blank
  • Description: Acunetix API key

2. Click on the Add button when done
3. Choose the new credential from the Acunetix API Key drop-down list
4. Click on the Apply button at the bottom of the settings page

Install the Acunetix CA Certificate

Before you can click on Test Connection, you must install the Acunetix CA certificate. This is the certificate generated during Acunetix installation. You must install it in the Java CA store in the following directory:

%path_to_java_folder%\jdk\jre\lib\security

By default, Jenkins comes with the latest version of Java, and you can install the certificate in the cacerts keystore in the C:\Program Files (x86)\Jenkins\jre\lib\security directory. If Jenkins uses a pre-installed JDK (specified in Manage Jenkins > Global Tool Configuration), you need to install the ca.cer file in the cacerts keystore of that JDK instead.

If you need to find your Java installation on Linux, echo the contents of the $JAVA_HOME environment variable to learn where the JRE is installed on your system:

~# echo $JAVA_HOME
/usr/lib/jvm/java-8-openjdk-amd64

If this does not work, try to find the JDK on your system by following symlinks to the Java executable:

~# whereis java
java: /usr/bin/java /usr/share/java /usr/share/man/man1/java.1.gz

~# ls -ltr /usr/bin/java
lrwxrwxrwx 1 root root 22 Feb 7 20:04 /usr/bin/java -> /etc/alternatives/java

~# ls -ltr /etc/alternatives/java
lrwxrwxrwx 1 root root 46 Feb 7 20:04 /etc/alternatives/java -> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

Follow this procedure to install the certificate file in the cacerts keystore:

  1. Copy the ca.cer certificate to the directory that contains the cacerts keystore.
  2. Open a command prompt window in this directory with administrative privileges. If using Linux, escalate privileges to root.
  3. Enter the following command in the command window (default password: changeit):
    ~# keytool -import -trustcacerts -alias AcunetixCA -keystore %path_to_java_folder%\jdk\jre\lib\security\cacerts -file %path_to_cert_folder%\ca.cer
  4. To confirm that you installed the certificate correctly, use the following command:
    ~# keytool -list -keystore %path_to_java_folder%\jdk\jre\lib\security\cacerts -alias AcunetixCA
  5. If the installation was successful, you will see AcunetixCA details.
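
For a Linux installation, the Java lookup and the import procedure above can be combined into one script. This is an added example, not part of the original article or of Acunetix tooling; it assumes a POSIX shell with readlink -f and keytool available, and the function names find_cacerts and install_acunetix_ca are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): locate the cacerts file of
# the JRE behind a java launcher, then import and verify the Acunetix CA.

# Print the cacerts path for the JRE that owns the given java launcher.
# Follows the symlink chain (e.g. /usr/bin/java -> /etc/alternatives/java).
find_cacerts() {
    java_bin=$(readlink -f "$1") || return 1
    java_home=$(dirname "$(dirname "$java_bin")")
    # A JRE keeps lib/security directly under its home directory; a
    # Java 8 JDK keeps it under the jre/ subdirectory.
    for candidate in "$java_home/lib/security/cacerts" \
                     "$java_home/jre/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Import ca.cer under the alias used in the article, unless already present.
install_acunetix_ca() {
    cert=$1
    store=$(find_cacerts "$(command -v java)") || {
        echo "cacerts not found" >&2; return 1; }
    if keytool -list -keystore "$store" -storepass changeit \
               -alias AcunetixCA >/dev/null 2>&1; then
        echo "AcunetixCA already present in $store"
        return 0
    fi
    # Show subject and fingerprints so they can be compared with the
    # certificate on the Acunetix host before it becomes a trusted root.
    keytool -printcert -file "$cert" || return 1
    # No -noprompt: keytool asks for confirmation before trusting the CA.
    keytool -importcert -trustcacerts -alias AcunetixCA \
            -keystore "$store" -storepass changeit -file "$cert" || return 1
    keytool -list -keystore "$store" -storepass changeit -alias AcunetixCA
}

# Run as root: sh install_ca.sh /path/to/ca.cer
if [ "$#" -ge 1 ]; then
    install_acunetix_ca "$1"
fi
```

If Jenkins runs on a JDK other than the one first on the PATH, pass that JDK's java launcher to find_cacerts instead, and restart Jenkins after the import so the JVM reloads its trust store.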

Now you can go back to the Jenkins Acunetix plugin configuration to apply and save changes. Click on Test connection. If the connection test is successful, you will see the following message:

Add an Acunetix Scan as a Build Step in a Jenkins Job

To add an Acunetix scan as a build step in a Jenkins job, navigate to the configuration of an existing job or create a new job. In the Build step, select Acunetix from the Add build step drop-down.

You will see the following options:

  • Scan Type: Choose a Scan type for the scan. Scan types are used to reduce the scope of tests that the scanner runs during the scan.
  • Scan Target: Choose a Scan target that you wish to scan. Scan targets are obtained from Acunetix with the exception of targets requiring manual intervention. The listed targets contain part of their descriptions to help you distinguish between targets that have the same URL.
  • Fail build if threat level is: Choose at which threat level to fail the Jenkins build based upon the threat level of the scan (High severity, Medium severity, or Low severity).
  • Stop the scan when build fails: Check this checkbox if you would like to abort the scan when the fail condition in Fail build if threat level is is met. This setting is enabled by default.
  • Generate Report: Choose a report to generate upon completion of the scan. The report will be accessible inside of Acunetix and a download link will be provided inside the job console output.

Troubleshooting Connection Refused Errors

If you use a hostname instead of an IP or the other way around, Jenkins will respond with a connection refused error. To further investigate the encountered issue, follow these instructions for your OS.

Linux

By default, you can find Jenkins logs in /var/log/jenkins/jenkins.log, unless customized in /etc/default/jenkins (for *.deb) or via /etc/sysconfig/jenkins (for *.rpm).

Windows

By default, you can find Jenkins logs in %JENKINS_HOME%\jenkins.out and %JENKINS_HOME%\jenkins.err, unless customized in %JENKINS_HOME%\jenkins.xml.

For more information on setting up Jenkins with Acunetix, contact our support team: support@acunetix.com.

Daniel Zammit Technical Support Engineer
LinkedIn: https://www.linkedin.com/in/danielzammit/

Daniel Zammit is a Technical Support Engineer working for Acunetix. He's a Business and I.T. graduate with an interest in web development and machine learning techniques for network security applications. Experienced in system administration, he's now gaining experience in the Web Application Security sphere.

  • Hi, how do we get hold of the CA Cert if we’re using Acunetix Online?

    • Hi Jamie,

      Acunetix Online uses a certificate which is not self-signed, and thus does not require the certificate to be configured in Jenkins.

  • Is it possible to invoke the plugin using “Pipeline as Code”?

  • How can I replace my trial license with the enterprise license? I already have it but I do not see the option to change it.

  • Hi, I followed the tutorial in this page step by step, but when I test connection I always get this error: “Please add the Acunetix scanner certificate to Java CA store” in other to I installed the certificate correctly into the keystore: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
    Can anyone help me, please!

    • Hi,

      Did you already follow the section “Install the Acunetix CA Certificate” in the article? You will need to use the keytool utility. Should the problem persist, please contact our support team.
