Installing and Configuring Acunetix Jenkins Plugin

To install the Acunetix Jenkins Plugin, start by navigating to Manage Jenkins > Manage Plugins and select the Available tab. Search the Jenkins Plugin Index for Acunetix. Select Install without restart.

Configuring the Acunetix Jenkins Plugin

Before starting to use the Acunetix Jenkins Plugin in a Jenkins job, you will need to configure the plugin to use an Acunetix API key.

To obtain an Acunetix API key, log in to your Acunetix installation with the administrator account and open the Administrator profile from the top-right dropdown menu.

At the bottom of the screen you will see a section called API Key. Copy the API Key. Treat it as you would the administrator password: it is issued to the administrator account and grants the same access to the scanner through the API.


In Jenkins, navigate to Manage Jenkins > Configure System and find the Acunetix heading.


By default, the Acunetix API URL field is set to localhost. If Jenkins runs on a different host than Acunetix, you will need to make the Acunetix API reachable from that host (limit that exposure to the Jenkins host; the API key gives full control of the scanner), and add the self-signed Acunetix root CA certificate to the keystore of the Java Runtime Environment (JRE) that runs Jenkins (described below), otherwise the plugin will reject the Acunetix TLS certificate. If you are using Acunetix Online, use https://online.acunetix.com/api/v1.

  1. In the Acunetix API Key section, click Add to create a Jenkins credential
  2. Make the following changes in the Jenkins Credentials Provider : Jenkins page:
    • Domain: Choose Global credentials
    • Kind: Choose Secret text
    • Secret: Paste your Acunetix API key
    • ID: Leave blank
    • Description: Acunetix API key
  3. Click Add when done
  4. Choose the new credential from the Acunetix API Key drop-down list
  5. Click Apply at the bottom of the settings page
  6. Click Test Connection. If all went well, you should get a success message. Save your settings to complete the configuration.

Add the Acunetix Root CA Certificate to Jenkins

This section shows how to add the Acunetix root CA certificate to the Java Runtime Environment (JRE) keystore (its trusted certificate store) on Linux. The procedure on other operating systems is similar.

Before adding the certificate to the JRE keystore, copy the certificate (the .cer file from your Acunetix installation) to the host running Jenkins. The self-signed Acunetix Root CA certificate is located at C:\ProgramData\Acunetix 11\certs\ca.cer. Copy it over an authenticated channel (for example scp) and compare its fingerprint on both ends: whatever CA you import here is what Jenkins will trust to identify Acunetix.

Once the certificate is on the Jenkins machine, import it into the JRE's cacerts keystore, which for Java 8 lives under jdk/jre/lib/security. (Java 9 and later have no jre directory; there the file is lib/security/cacerts under the Java home.) Before you can do this you must know where the Java Development Kit (JDK) is located on your system, and specifically which Java installation Jenkins runs with, since that is not necessarily the one first on your PATH.

The following are two methods of finding out where the JDK is located on your system.

Locate your Java Installation

Using $JAVA_HOME

You can try echoing the contents of the $JAVA_HOME environment variable to learn where the JRE is installed on your system.

~# echo $JAVA_HOME

/usr/lib/jvm/java-8-openjdk-amd64

Following Symlinks

If the above method did not work, you may try finding the JDK on your system by following symlinks to the Java executable. The below is an example of how to follow symlinks to find the JDK.

~# whereis java

java: /usr/bin/java /usr/share/java /usr/share/man/man1/java.1.gz
~# ls -ltr /usr/bin/java
lrwxrwxrwx 1 root root 22 Feb 7 20:04 /usr/bin/java -> /etc/alternatives/java
~# ls -ltr /etc/alternatives/java
lrwxrwxrwx 1 root root 46 Feb 7 20:04 /etc/alternatives/java -> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

Import the Root CA certificate

To import the Acunetix Root CA certificate into the JRE keystore, use the keytool certificate management utility that comes bundled with Java. keytool accepts the .cer file in either DER or PEM encoding, so no conversion is needed.

The following command imports the certificate into the JRE’s cacerts keystore.

~# keytool -import -trustcacerts -alias AcunetixCA -keystore /path/to/jdk/jre/lib/security/cacerts -file /path/to/ca.cer

keytool will first prompt for the keystore password (the JRE's cacerts keystore uses the password changeit unless it has been changed on your system), then display the certificate's contents and ask whether you want to trust it. Type yes, and the certificate is added to your JRE's keystore. Restart Jenkins afterwards so that the running JVM reloads the trust store.

To verify the entry was successful you may run the following command.

~# keytool -list -keystore /path/to/jdk/jre/lib/security/cacerts -alias AcunetixCA

AcunetixCA, Feb 28, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 36:C2:0B:6F:74:0F:CD:C0:42:CF:4A:D7:DB:7B:01:B1:70:13:97:66
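The procedure above, carried out end to end as a bash script. This is an added example and not part of the Acunetix page or plugin: it locates the Java installation that Jenkins actually runs (following symlinks as shown above, and handling both the Java 8 jre/lib/security layout and the lib/security layout of Java 9 and later), imports the CA with keytool, and then checks that the entry keytool reports carries the same fingerprint as the .cer file that was copied over. It assumes a Linux host with bash, coreutils, keytool and openssl on PATH, that Jenkins was started from jenkins.war (used only to find its process), and that the cacerts password is the default changeit; the alias AcunetixCA and the ca.cer path follow the page.

```shell
#!/usr/bin/env bash
# Added example (not from the Acunetix page or plugin): import a root CA
# into the trust store of the JVM that runs Jenkins and verify the entry
# by fingerprint. Assumes Linux, bash, coreutils, keytool and openssl.
set -euo pipefail

# Derive the Java home from a java executable by resolving the symlink
# chain shown above (/usr/bin/java -> /etc/alternatives/java -> .../bin/java).
# Prints the directory that contains bin/java.
java_home_from_binary() {
    local real
    real=$(readlink -f "$1")
    dirname "$(dirname "$real")"
}

# Find cacerts for either layout: Java 9+ (and the jre/ dir of Java 8) keep
# it under lib/security; a Java 8 JDK root keeps it under jre/lib/security.
cacerts_path() {
    local home=$1
    if [ -f "$home/lib/security/cacerts" ]; then
        echo "$home/lib/security/cacerts"
    elif [ -f "$home/jre/lib/security/cacerts" ]; then
        echo "$home/jre/lib/security/cacerts"
    else
        return 1
    fi
}

# The java on PATH is not necessarily the one running Jenkins (a service
# unit or container may set its own JAVA_HOME). Ask the kernel which binary
# the Jenkins process was started from. Linux-only; needs root for /proc.
# Assumption: the process command line contains "jenkins.war".
jenkins_java_binary() {
    local pid
    pid=$(pgrep -f 'jenkins.war' | head -n1) || return 1
    readlink -f "/proc/$pid/exe"
}

# SHA-256 fingerprint of a DER or PEM certificate in keytool's AA:BB:... form.
cert_fingerprint() {
    local file=$1 inform=DER
    grep -q 'BEGIN CERTIFICATE' "$file" && inform=PEM
    openssl x509 -inform "$inform" -in "$file" -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# Import the CA, then confirm the stored entry matches the file we imported.
# This proves the import only: compare the printed fingerprint with the one
# on the Acunetix host before relying on it, because whatever CA lands here
# is what Jenkins will accept as Acunetix.
import_and_verify() {
    local cacerts=$1 cer=$2 alias=${3:-AcunetixCA} pass=${4:-changeit}
    local expected actual
    expected=$(cert_fingerprint "$cer")
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -keystore "$cacerts" -storepass "$pass" -file "$cer"
    # -v prints "SHA256: ..." on Java 8 and on Java 9+ alike.
    actual=$(keytool -list -v -keystore "$cacerts" -storepass "$pass" \
        -alias "$alias" | sed -n 's/^[[:space:]]*SHA256: //p')
    if [ "$expected" != "$actual" ]; then
        echo "fingerprint mismatch: file $expected, keystore $actual" >&2
        return 1
    fi
    echo "imported $alias with SHA256 $actual"
}

# Usage on the Jenkins host (then restart Jenkins so the JVM reloads cacerts):
#   JAVA_BIN=$(jenkins_java_binary || command -v java)
#   CACERTS=$(cacerts_path "$(java_home_from_binary "$JAVA_BIN")")
#   import_and_verify "$CACERTS" /path/to/ca.cer
```

Falling back to `command -v java` when the Jenkins process cannot be found reproduces the manual method above; the fingerprint comparison is the step that catches an import into the wrong keystore or of the wrong file, which keytool's own success message does not.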

Add an Acunetix Scan as a Build Step in a Jenkins Job

To add an Acunetix Scan as a build step in a Jenkins job, navigate to an existing job’s configuration, or create a new job. In the Build step, select Acunetix from the Add build step drop-down.

You will then be presented with the options outlined below.

  • Scan Type – Choose a Scan Type with which you want the scan to run. Scan Types are used to reduce the scope of the tests the scanner runs during the scan.
  • Scan Target – Choose the Scan Target you wish to scan. Scan Targets are obtained from Acunetix, with the exception of Targets requiring Manual Intervention. Each entry in the list includes part of the Target's description so that Targets sharing the same URL can be told apart.
  • Fail build if threat level is – Choose the threat level at which the Jenkins build fails, based on the threat level the scan reports (High severity, Medium severity or Low severity).
  • Stop the scan when build fails – Check this checkbox to abort the scan as soon as the condition in "Fail build if threat level is" is met. This setting is enabled by default.
  • Generate Report – Choose a report to generate upon completion of the scan. The report will be accessible inside of Acunetix and a download link will be provided inside the job console output.
  • Hi, how do we get hold of the CA Cert if we’re using Acunetix Online?

    • Hi Jamie,

      Acunetix Online uses a certificate which is not self-signed, and thus does not require the certificate to be configured in Jenkins.

  • Is it possible to invoke the plugin using “Pipeline as Code” ?
