Integrating Acunetix with CircleCI for CI/CD

This is a step-by-step example for a simple web application running on Node.JS, following these steps:

  • Prepare your Acunetix Target information
  • Prepare your GitHub Repository
  • Prepare your Local Environment
  • Prepare your Deployment Environment
  • Configure CircleCI to Integrate with Github
  • Test Pipeline Workflow
  • Integrate into Acunetix

Prepare your Acunetix Target information

  • Log in to your Acunetix installation
  • Create a Target for your web application - in this example, our web application will be on URL http://testwebapp.acunetixexample.com:8080:
      • Enter the URL for your web application
      • Enter a Description for your web application
      • Click on the "Save" button
  • You will be taken to the "Target Settings" page, where you can now retrieve the Target ID from the URL
  • Go to your Profile page and retrieve your API Key by clicking on the "Copy" button

Prepare your GitHub Repository

  • Log in to your GitHub account - in this example, the account name is "acunetix-test" and the account email address is "webmaster@acunetixexample.com"
  • In the "Repositories" page, click the "New" button
  • Create the new repository:
      • Enter a Repository Name - in this example the repository name will be "testwebapp"
      • Enter a Description for your repository
      • Enable the "Add a README file" checkbox to initialize the repository
      • Click the "Create repository" button

Prepare your Local Environment

In this example, the Local Environment will be an Ubuntu 20.04.1 Desktop setup, but most standard Linux or macOS setups should be sufficient - simply replace the platform-specific steps with those appropriate for your environment. All the following steps are performed on your Local Environment machine.

Install Pre-Requisites

  • Update and upgrade your environment with:
      • sudo apt update && sudo apt upgrade -y
  • Install git to interact with your GitHub repository with:
      • sudo apt install git -y
  • Install Node.JS and npm with:
      • sudo apt install npm -y

Write your Local Source Code

  • Check out your GitHub repository with:
      • cd ~
      • git clone https://github.com/acunetix-test/testwebapp.git (substitute "acunetix-test" with your GitHub account name)
  • Initialize npm within your local code repository:
      • cd ~/testwebapp
      • npm init -y
  • Create your basic web application with the file app.js in the base folder:
      • nano ~/testwebapp/app.js
  • Add the following lines to your app.js file:

const http = require('http');

// Minimal HTTP server: every request receives the same static HTML page
http.createServer(function (req, res) {
  res.write('<html><head></head><body>');
  res.write('Welcome to the Test Web Application!' + '<br/>');
  res.write('====================================' + '<br/>');
  res.write('</body></html>');
  res.end();
}).listen(80, '0.0.0.0'); // binds port 80 on all interfaces (on Linux, ports below 1024 require root or CAP_NET_BIND_SERVICE)

Add a CircleCI Workflow Configuration file to your Source Code

  • Create the Configuration file with:
      • mkdir ~/testwebapp/.circleci
      • nano ~/testwebapp/.circleci/config.yml
  • Add the following lines to your config.yml file:

version: 2.1

# Define the jobs for testwebapp (checkout code and run a deploy.sh script)
jobs:
  pull-and-build:
    docker:
      # third-party image that provides an ssh client
      - image: arvindr226/alpine-ssh
    steps:
      - checkout
      # USERNAME and HOSTNAME are project environment variables (set later in this guide).
      # StrictHostKeyChecking=no accepts whatever host key the server presents; placing the
      # host's key in known_hosts beforehand is the stricter alternative.
      - run: ssh -oStrictHostKeyChecking=no -v $USERNAME@$HOSTNAME "./deploy.sh"

# Orchestrate the testwebapp job run sequence (runs only on commit to main branch)
workflows:
  version: 2
  build-project:
    jobs:
      - pull-and-build:
          filters:
            branches:
              only:
                - main

Commit changes to the GitHub Repository

  • Change to the correct directory:
      • cd ~/testwebapp
  • Set your GitHub credentials and remote repository:
      • git config user.email "webmaster@acunetixexample.com" (substitute with your GitHub account email address)
  • Commit your code changes with:
      • cd ~/testwebapp
      • git add .
      • git commit -m "first code commit"
      • git push

Prepare your Deployment Environment

In this example, the Deployment Environment will be an Ubuntu 18.04 LTS Server running on a cloud platform, so the hostname of your Deployment Environment is the same as that of your Target (in this example, testwebapp.acunetixexample.com).

Create a user for CircleCI to connect to the Deployment Environment

  • Log in to your Deployment Environment as the root user
  • Create a user that does NOT use a password for login:
      • useradd -m -d /home/circleuser -s /bin/bash circleuser
  • Create an SSH key WITHOUT a passphrase for the circleuser user:
      • ssh-keygen -m PEM -t rsa -f ~/.ssh/circleuser
  • Add the newly-created public key to /home/circleuser/.ssh/authorized_keys:
      • mkdir -p /home/circleuser/.ssh
      • printf "\n" >> /home/circleuser/.ssh/authorized_keys
      • cat ~/.ssh/circleuser.pub >> /home/circleuser/.ssh/authorized_keys
      • chown -R circleuser:circleuser /home/circleuser
  • Show the contents of the private key using:
      • cat ~/.ssh/circleuser
  • Copy the contents of the private key - you will use this to allow CircleCI to log in to your Deployment Environment
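The authorized_keys entry above gives the CircleCI key an unrestricted shell on the Deployment Environment, although the pipeline only ever runs ./deploy.sh. The following is an added example, not part of the Acunetix page, that writes the same entry with OpenSSH key options restricting that key to deploy.sh. It assumes the public key text from circleuser.pub is passed as the first argument, that the forced command is /home/circleuser/deploy.sh (the page creates this file as ~/deploy.sh for circleuser but never marks it executable, so chmod +x ~/deploy.sh is also required), and that sshd on the host honours the standard authorized_keys options.

```shell
#!/bin/sh
# Added example, not from the Acunetix page: build and install an authorized_keys entry
# for circleuser that lets the CircleCI key run deploy.sh and nothing else.
# Assumptions: $1 is the public key text (contents of circleuser.pub); the forced command
# defaults to /home/circleuser/deploy.sh, which must already be executable.

# Return the authorized_keys line with OpenSSH key options prepended:
#   command="..."        every login runs deploy.sh, whatever command the client requested
#   no-port-forwarding   no TCP tunnelling through the deployment host
#   no-agent-forwarding  the client's ssh-agent is not forwarded
#   no-X11-forwarding    no display forwarding
#   no-pty               no interactive terminal
restricted_key_line() {
  pubkey="$1"
  deploy_cmd="${2:-/home/circleuser/deploy.sh}"
  # Accept only a key in "type base64 [comment]" form for the common key types.
  case "$pubkey" in
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*) ;;
    *) return 1 ;;
  esac
  # An embedded newline would smuggle a second, unrestricted key into the file.
  nl='
'
  case "$pubkey" in *"$nl"*) return 1 ;; esac
  printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$deploy_cmd" "$pubkey"
}

# Append the restricted line to an authorized_keys file (default: circleuser's), creating
# the .ssh directory and the file with the permissions sshd expects.
install_restricted_key() {
  pubkey="$1"
  akfile="${2:-/home/circleuser/.ssh/authorized_keys}"
  line="$(restricted_key_line "$pubkey")" || return 1
  akdir="$(dirname "$akfile")"
  mkdir -p "$akdir" && chmod 700 "$akdir"
  printf '%s\n' "$line" >> "$akfile"
  chmod 600 "$akfile"
}
```

Run as root in place of the printf/cat pair above, for example `install_restricted_key "$(cat ~/.ssh/circleuser.pub)"`, then apply the chown from the page. With a forced command, sshd runs deploy.sh regardless of the command CircleCI requests, so the config.yml step keeps working; the requested command is exposed to the script as SSH_ORIGINAL_COMMAND should it ever need it.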

Create a set of SSH keys for the user to authenticate against GitHub

  • Log in to your Deployment Environment as the circleuser user
  • Create new SSH keys WITHOUT a passphrase:
      • ssh-keygen -t rsa
  • Display the public key in the console and copy it for later:
      • cat ~/.ssh/id_rsa.pub
  • Log in to your GitHub account and navigate to your application's repository
  • Click on the "Settings" tab
  • Select "Deploy keys" in the sidebar
  • Click the "Add deploy key" button
  • Add the new Deploy key:
      • Set the "Title" field to "LogFromDeployEnvironment" (or any memorable name)
      • Paste the contents of the public key you copied earlier into the "Key" field
      • Click the "Add key" button

Configure Firewall Access for SSH and HTTP

Allow SSH and HTTP traffic through the firewall:

  • Log in to your Deployment Environment and run the following:
      • sudo ufw allow OpenSSH
      • sudo ufw allow 80
      • sudo ufw enable

Setup the Project

  • Log in to your Deployment Environment as the circleuser user
  • Clone the project source code:
      • git clone git@github.com:acunetix-test/testwebapp.git (replace as necessary, in the format git@github.com:your_user_name/your_application_name.git)
  • Temporarily move to the testwebapp folder and install dependencies:
      • cd testwebapp
      • npm install
      • cd ~
  • Temporarily elevate to the root user and install pm2, which allows running a Node app as a background process:
      • su
      • npm install -g pm2
      • exit
  • Start up your Node app using pm2 to register the process:
      • pm2 start ~/testwebapp/app.js
  • Create a "deploy.sh" file:
      • nano ~/deploy.sh
  • Add the following lines to your deploy.sh file:

#!/bin/bash

# replace this with the path of your project on the VPS; stop if the directory is missing
# so that the commands below never run in the wrong directory
cd ~/testwebapp || exit 1

# pull from the branch
git pull origin main

# followed by instructions specific to your project that you used to do manually
npm install

export PATH=~/.npm-global/bin:$PATH
source ~/.profile

pm2 restart ~/testwebapp/app.js

Configure CircleCI to Integrate with Github

Setup the CircleCI Project

  • Login to your CircleCI account

  • Go to your list of projects and click on the "SetUp Project" button for the project you wish to work with - in this example, your project is called "testwebapp"

  • Click the "Use Existing Config" button (you have already created a config.yml in the repository)

  • Click the "Start Building" button (this will use the config.yml from your repository); this will immediately trigger the first build and send you to the pipeline page; this initial build will fail because you need to perform some additional steps

Configure SSH Key for CircleCI to connect to the Deployment Environment

  • From your application's pipeline page, click the "Project Settings" button
  • Click the "SSH Keys" menu item
  • Click the "Add SSH Key" button:
      • Enter the Hostname for your Deployment Environment (in this example, testwebapp.acunetixexample.com)
      • Enter the Private Key which you copied from your Deployment Environment
      • Click the "Add SSH Key" button

Configure Environment Variables

  • From your application's pipeline page, click the "Project Settings" button
  • Click the "Environment Variables" menu item
  • Click the "Add Environment Variable" button
  • Add an environment variable for the "circleuser" user you created earlier in the Deployment Environment:
      • Set the "Name" field to "USERNAME"
      • Set the "Value" field to "circleuser"
      • Click the "Add Environment Variable" button
  • Add an environment variable for the IP address or hostname of your Deployment Environment; in this example the hostname is "testwebapp.acunetixexample.com":
      • Set the "Name" field to "HOSTNAME"
      • Set the "Value" field to "testwebapp.acunetixexample.com"
      • Click the "Add Environment Variable" button

Test Pipeline Workflow

To check that everything is working correctly, make a change to the source code, commit it, and push the change to GitHub. The resulting build will appear on your CircleCI pipeline page.

Integrate into Acunetix

Finally, you need to edit the deploy.sh file in your Deployment Environment to add instructions to trigger an Acunetix scan of your Web Application Target after every build.

  • Log in to your Deployment Environment as the circleuser user
  • Edit the "deploy.sh" file:
      • nano ~/deploy.sh
  • Add a curl line to your deploy.sh file to trigger the scan; the final file should look like this:

#!/bin/bash

# replace this with the path of your project on the VPS; stop if the directory is missing
# so that the commands below never run in the wrong directory
cd ~/testwebapp || exit 1

# pull from the branch
git pull origin main

# followed by instructions specific to your project that you used to do manually
npm install

export PATH=~/.npm-global/bin:$PATH
source ~/.profile

pm2 restart ~/testwebapp/app.js

# trigger an Acunetix scan of the Target; replace [APIKEY] and [Target ID] as described in the list that follows.
# -k disables TLS certificate verification; omit it unless your Acunetix instance has no valid certificate.
curl -k -i --request POST --url "https://online.acunetix.com/api/v1/scans" \
  --header "X-Auth: [APIKEY]" \
  --header "content-type: application/json" \
  --data '{"profile_id":"11111111-1111-1111-1111-111111111111","schedule":{"disable":false,"start_date":null,"time_sensitive":false},"user_authorized_to_scan":"yes","target_id":"[Target ID]"}'

  • Replace the three placeholder fields:
      • To set the correct X-Auth value, replace the "[APIKEY]" text with the API key you retrieved in the first section
      • The suggested value for profile_id is "11111111-1111-1111-1111-111111111111" - this default value is for a "Full Scan". If you wish to specify a different scan profile, you can set one of the following values:
          • For the Online version of Acunetix:
              • Full Scan: 11111111-1111-1111-1111-111111111111
              • High Risk Vulnerabilities: 11111111-1111-1111-1111-111111111112
              • SQL Injection Vulnerabilities: 11111111-1111-1111-1111-111111111113
              • Weak Passwords: 11111111-1111-1111-1111-111111111115
              • Cross-site Scripting Vulnerabilities: 11111111-1111-1111-1111-111111111116
              • Crawl Only: 11111111-1111-1111-1111-111111111117
              • Malware Scan: 11111111-1111-1111-1111-111111111120
              • Full Web and Network Scan: 11111111-1111-1111-1111-211111111111
              • Network Scan: 11111111-1111-1111-1111-211111111112
              • Network Scan (Safe Checks): 11111111-1111-1111-1111-211111111113
              • Network Scan Quick: 11111111-1111-1111-1111-211111111114
          • For the On-Premises version of Acunetix:
              • Full Scan: 11111111-1111-1111-1111-111111111111
              • High Risk: 11111111-1111-1111-1111-111111111112
              • SQL Injection Vulnerabilities: 11111111-1111-1111-1111-111111111113
              • Weak Passwords: 11111111-1111-1111-1111-111111111115
              • Cross-site Scripting Vulnerabilities: 11111111-1111-1111-1111-111111111116
              • Crawl Only: 11111111-1111-1111-1111-111111111117
              • High / Medium Risk: 11111111-1111-1111-1111-111111111119
              • Malware Scan: 11111111-1111-1111-1111-111111111120
          • ...or alternatively the scan profile id of any custom scan profile you may have created; you can retrieve the scan profile id of a custom scan profile programmatically via the Acunetix API, or by navigating to the custom scan profile and checking the URL.
      • To set the correct target_id value, replace the "[Target ID]" text with the target ID you retrieved in the first section
  • All future commits will now also trigger a scan request to Acunetix.
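As an added example that is not part of the Acunetix page, the scan-trigger step above can be written as shell functions that refuse to send the request while the "[Target ID]" or profile_id placeholders are still in place, keep the API key in a separate mode-600 file instead of inside deploy.sh (the script is committed to nothing, but it is world-readable by default), leave TLS verification on, and fail the deployment step when the API rejects the request. The file ~/.acunetix_api_key and the ACUNETIX_API_KEY_FILE, ACUNETIX_URL, TARGET_ID and PROFILE_ID variables are assumptions made for this example; the endpoint, headers and JSON body are those of the page's curl command.

```shell
#!/bin/bash
# Added example, not from the Acunetix page: the scan-trigger step of deploy.sh with the
# placeholder values validated before anything is sent and the API key kept out of the script.
# Assumptions (not from the page): the key is read from a mode-600 file named by
# ACUNETIX_API_KEY_FILE (default ~/.acunetix_api_key); ACUNETIX_URL, TARGET_ID and
# PROFILE_ID are exported from circleuser's ~/.profile.

# A real target or profile id is UUID-shaped; an unreplaced "[Target ID]" placeholder is not.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Build the JSON body the page's curl command sends. Returns 1 and prints nothing if either
# id is not a UUID, so a half-edited deploy.sh cannot fire a malformed request.
build_scan_body() {
  target_id="$1"
  profile_id="${2:-11111111-1111-1111-1111-111111111111}"   # page default: Full Scan
  is_uuid "$target_id" || return 1
  is_uuid "$profile_id" || return 1
  printf '{"profile_id":"%s","schedule":{"disable":false,"start_date":null,"time_sensitive":false},"user_authorized_to_scan":"yes","target_id":"%s"}' \
    "$profile_id" "$target_id"
}

# Read the API key from its file, refusing a file that other users can read.
read_api_key() {
  keyfile="${1:-${ACUNETIX_API_KEY_FILE:-$HOME/.acunetix_api_key}}"
  [ -r "$keyfile" ] || { echo "API key file $keyfile is not readable" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as the fallback
  perms="$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")"
  case "$perms" in
    600|400) ;;
    *) echo "API key file $keyfile has mode $perms, expected 600" >&2; return 1 ;;
  esac
  cat "$keyfile"
}

# POST the scan request. TLS verification stays on (no -k); the HTTP status decides success,
# so a rejected request fails the deployment visibly instead of being silently ignored.
trigger_scan() {
  api_key="$(read_api_key)" || return 1
  body="$(build_scan_body "$TARGET_ID" "$PROFILE_ID")" \
    || { echo "TARGET_ID/PROFILE_ID are not valid ids" >&2; return 1; }
  status="$(curl -sS -o /dev/null -w '%{http_code}' --request POST \
    --url "${ACUNETIX_URL:-https://online.acunetix.com}/api/v1/scans" \
    --header "X-Auth: $api_key" --header "content-type: application/json" \
    --data "$body")" || return 1
  case "$status" in
    2*) echo "Acunetix scan queued (HTTP $status)" ;;
    *)  echo "Acunetix scan request rejected (HTTP $status)" >&2; return 1 ;;
  esac
}
```

Paste the functions into deploy.sh in place of the curl line and end the script with `trigger_scan || exit 1`, with TARGET_ID (and optionally PROFILE_ID, either one of the profile ids listed above or a custom profile's id) exported from ~/.profile. For an on-premises instance with a self-signed certificate, give curl the instance's CA certificate with --cacert rather than disabling verification with -k.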

