Acunetix offers out-of-the-box integration with Jenkins CI. The setup procedure requires the Acunetix API key, which is available for Enterprise editions.
Before proceeding any further, ensure that you have installed the latest version of Acunetix. You can download it from https://www.acunetix.com/fullver
Note that these instructions are for a Windows installation but you can easily modify them for a Linux installation.
The Acunetix installer automatically generates two certificates for user interface access. You can find them in the C:\ProgramData\Acunetix\certs directory. You must install the CA certificate (ca.cer) in the Jenkins cacert keystore.
Initial Configuration of Acunetix and Jenkins
You can download Jenkins from https://jenkins.io/download/. Jenkins works on platforms such as Windows, Linux distributions, and in Docker containers. After you install Jenkins, access its interface in a web browser and click on Manage Jenkins.
The Jenkins management page provides an overview of configurable settings. Navigate to Manage Plugins and download the latest Acunetix plugin from the Available view pane. After you select it, click on Install without restart to install the plugin.
Navigate back to the management page and select Configure System. Scroll down to the bottom of the page to see the Acunetix configuration section.
By default, the Acunetix API URL field contains the value localhost. If your Jenkins instance is deployed on a different host than your Acunetix instance, you need to make Acunetix reachable from hosts other than localhost. If you are using Acunetix Online, you should use https://online.acunetix.com/api/v1.
To get the Acunetix API URL, append /api/v1 to the address used to access the Acunetix UI. You can select the Acunetix API key from the drop-down list only after you have added it as a Jenkins credential. Click on the Add button to configure the API key.
Get the Acunetix API Key
To obtain an Acunetix API key, open Acunetix, log into the administrator account, and navigate to the administrator profile from the top-right dropdown menu.
You can find the Acunetix API key in the API Key section.
1. Make the following changes in the Jenkins Credentials Provider:
- Domain: Select Global credentials
- Kind: Select Secret text
- Secret: Paste your Acunetix API key
- ID: Leave blank
- Description: Acunetix API key
2. Click on the Add button when done
3. Choose the new credential from the Acunetix API Key drop-down list
4. Click on the Apply button at the bottom of the settings page
Install the Acunetix CA Certificate
Before you can click on Test Connection, you must install the Acunetix CA certificate. This is the certificate generated during Acunetix installation. You must install it in the Java CA store in the following directory:
By default, Jenkins comes with the latest version of Java, and you can install the certificate in the cacerts keystore in the C:\Program Files (x86)\Jenkins\jre\lib\security directory. If Jenkins uses a pre-installed JDK (specified in Manage Jenkins > Global Tool Configuration), you need to install the ca.cer file in the respective directory. If you need to find your Java installation, echo the contents of the $JAVA_HOME environment variable to learn where the JRE is installed on your system:
~# echo $JAVA_HOME
/usr/lib/jvm/java-8-openjdk-amd64
If this does not work, try to find the JDK on your system by following symlinks to the Java executable:
~# whereis java
java: /usr/bin/java /usr/share/java /usr/share/man/man1/java.1.gz
~# ls -ltr /usr/bin/java
lrwxrwxrwx 1 root root 22 Feb 7 20:04 /usr/bin/java -> /etc/alternatives/java
~# ls -ltr /etc/alternatives/java
lrwxrwxrwx 1 root root 46 Feb 7 20:04 /etc/alternatives/java -> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
Follow this procedure to install the certificate file in the cacerts keystore:
- Copy the ca.cer certificate to the directory that contains the cacerts keystore.
- Open a command prompt window in this directory with administrative privileges. If using Linux, escalate privileges to root.
- Enter the following command in the command window (default password: changeit):
~# keytool -import -trustcacerts -alias AcunetixCA -keystore %path_to_java_folder%\jdk\jre\lib\security\cacerts -file %path_to_cert_folder%\ca.cer
- To confirm that you installed the certificate correctly, use the following command:
~# keytool -list -keystore %path_to_java_folder%\jdk\jre\lib\security\cacerts -alias AcunetixCA
- If the installation was successful, you will see AcunetixCA details.
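The manual steps above as one script, added here as an example (it is not part of the Acunetix documentation): it resolves the lib/security directory by following the java symlink chain shown earlier, imports ca.cer under the AcunetixCA alias with the default changeit password, and lists the alias back. It assumes a Linux host with keytool on PATH; /path/to/ca.cer is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Acunetix documentation.
# Assumes Linux, keytool on PATH, alias AcunetixCA and default password
# changeit as in the procedure above. /path/to/ca.cer is a placeholder.

# Resolve the lib/security directory for a given java executable by following
# symlinks (/usr/bin/java -> /etc/alternatives/java -> .../jre/bin/java).
# Handles both the Java 8 layout (<jdk>/jre/bin/java) and Java 11+ (<jdk>/bin/java).
cacerts_dir_for_java() {
    real=$(readlink -f "$1") || return 1
    home=${real%/bin/java}               # strip the trailing /bin/java
    [ "$home" != "$real" ] || return 1   # not a java executable path
    echo "$home/lib/security"
}

# The java Jenkins runs with: JAVA_HOME if set, otherwise the first java on PATH.
jenkins_java() {
    if [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ]; then
        echo "$JAVA_HOME/bin/java"
    else
        command -v java
    fi
}

# Import the Acunetix CA and verify by listing the alias. -noprompt and
# -storepass let this run unattended; the store must be writable (run as root).
install_acunetix_ca() {
    cert=${1:-/path/to/ca.cer}
    dir=$(cacerts_dir_for_java "$(jenkins_java)") || return 1
    store=$dir/cacerts
    [ -f "$cert" ] || { echo "certificate not found: $cert" >&2; return 1; }
    [ -w "$store" ] || { echo "not writable (run as root): $store" >&2; return 1; }
    keytool -import -trustcacerts -noprompt -alias AcunetixCA \
        -keystore "$store" -storepass changeit -file "$cert" || return 1
    keytool -list -keystore "$store" -storepass changeit -alias AcunetixCA
}
```

Source the file and run install_acunetix_ca /path/to/ca.cer as root; a successful run ends with the AcunetixCA entry printed by keytool -list.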
Now you can go back to the Jenkins Acunetix plugin configuration to apply and save changes. Click on Test connection. If the connection test is successful, you will see the following message:
IMPORTANT: The Acunetix CA certificate is issued on the host name selected during installation. For that reason, when configuring the Acunetix URL, it is important to use the host name selected during installation.
If you want to use the IP, you will need to generate the Acunetix CA certificate again on the IP address.
This can be done by following this document: https://www.acunetix.com/blog/docs/acunetix-security-hardening-guide/
Add an Acunetix Scan as a Build Step in a Jenkins Job
To add an Acunetix scan as a build step in a Jenkins job, navigate to the configuration of an existing job or create a new job. In the Build step, select Acunetix from the Add build step drop-down.
You will see the following options:
- Scan Type: Choose a Scan type for the scan. Scan types are used to reduce the scope of tests that the scanner runs during the scan.
- Scan Target: Choose a Scan target that you wish to scan. Scan targets are obtained from Acunetix with the exception of targets requiring manual intervention. The listed targets contain part of their descriptions to help you distinguish between targets that have the same URL.
- Fail build if threat level is: Choose at which threat level to fail the Jenkins build based upon the threat level of the scan (High severity, Medium severity, or Low severity).
- Stop the scan when build fails: Check this checkbox to abort the scan as soon as the Fail build if threat level is condition is met. This setting is enabled by default.
- Generate Report: Choose a report to generate upon completion of the scan. The report will be accessible inside of Acunetix and a download link will be provided inside the job console output.
Troubleshooting Connection Refused Errors
If the Acunetix API URL uses an IP address where the certificate was issued for a host name (or the other way around), Jenkins responds with a connection refused error. To investigate the issue further, check the Jenkins logs for your OS.
On Linux, you can find the Jenkins logs in /var/log/jenkins/jenkins.log by default, unless customized in /etc/default/jenkins (for *.deb) or via /etc/sysconfig/jenkins (for *.rpm).
On Windows, you can find the Jenkins logs in %JENKINS_HOME%\jenkins.out and %JENKINS_HOME%\jenkins.err by default, unless customized in %JENKINS_HOME%\jenkins.xml.
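A small triage helper for those logs, added here as an example (not part of the Acunetix documentation): it maps the standard Java exception text that a failed Test Connection leaves in jenkins.log or jenkins.err to the fix described in the sections above. The sample log lines are constructed, and the "Test connection failed:" wording is an assumption, not the plugin's actual message.

```shell
#!/bin/sh
# Added example, not part of the Acunetix documentation: classify the
# Jenkins log lines left behind by a failed Test Connection so the operator
# knows which fix applies. Reads jenkins.log (Linux) or jenkins.err (Windows)
# on stdin. The sample lines below are constructed, not captured from a host.

# One diagnosis per matching line. The matched strings are standard Java
# exception messages (JSSE / java.net), not text specific to the plugin.
triage_jenkins_log() {
    while IFS= read -r line; do
        case $line in
            *"PKIX path building failed"*|*"unable to find valid certification path"*)
                echo "CA_NOT_TRUSTED: ca.cer is not in the cacerts keystore Jenkins uses" ;;
            *"No subject alternative names matching"*|*"No name matching"*)
                echo "HOST_MISMATCH: API URL host differs from the name the Acunetix CA was issued for" ;;
            *"Connection refused"*)
                echo "CONNECTION_REFUSED: check the API URL (host name vs IP) and that Acunetix listens there" ;;
        esac
    done
}

# Constructed sample log: one healthy line and the three failure modes above.
# 192.0.2.10 is a documentation-range IP, not a real host.
sample_log() {
    cat <<'EOF'
2019-02-07 20:04:11 INFO  Completed initialization
2019-02-07 20:05:02 WARNING Test connection failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
2019-02-07 20:06:15 WARNING Test connection failed: java.security.cert.CertificateException: No subject alternative names matching IP address 192.0.2.10 found
2019-02-07 20:07:40 WARNING Test connection failed: java.net.ConnectException: Connection refused
EOF
}

# Number of diagnosed lines in the sample (3 expected).
sample_findings() {
    sample_log | triage_jenkins_log | wc -l | tr -d ' '
}
```

On a real host run triage_jenkins_log < /var/log/jenkins/jenkins.log (or against jenkins.err on Windows).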
For more information on setting up Jenkins with Acunetix, contact our support team: firstname.lastname@example.org.