Integrating Acunetix with CircleCI for CI/CD

This is a step-by-step example for a simple web application running on Node.JS, following these steps:

Prepare your Acunetix Target information
Prepare your GitHub Repository
Prepare your Local Environment
Prepare your Deployment Environment
Configure CircleCI to Integrate with Github
Test Pipeline Workflow
Integrate into Acunetix

Prepare your Acunetix Target information

Create a Target for your web application - in this example, our web application will be on URL http://testwebapp.acunetixexample.com:8080

Enter the URL for your web application
Enter a Description for your web application
Click on the "Save" button

You will be taken to the "Target Settings" page, where you can now retrieve the Target ID from the URL

Go to your Profile page and retrieve your API Key by clicking on the "Copy" button

Prepare your GitHub Repository

Login to your GitHub account - in this example, the account name is "acunetix-test" and the account email address is "webmaster@acunetixexample.com"

In the "Repositories" page, click the "New" button

Create the new repository:

Enter a Repository Name - in this example the repository name will be "testwebapp"
Enter a Description for your repository
Enable the "Add a README file" checkbox to initialize the repository
Click the "Create repository" button

Prepare your Local Environment

In this example, the Local Environment will be a Ubuntu 20.04.1 Desktop setup, but most Linux or MacOS setups should be sufficient - simply replace the platform-specific steps with those appropriate for your environment. All the following steps will be performed on your Local Environment machine.

Install Prerequisites

Update & upgrade your environment with:

sudo apt update && sudo apt upgrade -y

Install git to interact with your GitHub repository with:

sudo apt install git -y

Install Node.JS and npm with:

sudo apt install npm -y

Write your Local Source Code

Checkout your GitHub repository with:

cd ~
git clone https://github.com/acunetix-test/testwebapp.git (substitute "acunetix-test" with your Github account name)

Create your basic web application with the file app.js in the base folder:

nano ~/testwebapp/app.js

Add the following lines to your app.js file:

const http = require('http');

http.createServer(function (req, res) {

res.write('<html><head></head><body>');

res.write('Welcome to the Test Web Application!'+'<br/>');

res.write('===================================='+'<br/>');

res.write('</body></html>');

res.end();

}).listen(80, '0.0.0.0');

Add a CircleCI Workflow Configuration file to your Source Code

Create the Configuration file with:

mkdir ~/testwebapp/.circleci
nano ~/testwebapp/.circleci/config.yml

Add the following lines to your config.yml file:

version: 2.1

# Define the jobs for testwebapp (checkout code and run a deploy.sh script)

jobs:

pull-and-build:

docker:

- image: arvindr226/alpine-ssh

steps:

- checkout

- run: ssh -oStrictHostKeyChecking=no -v $USERNAME@$HOSTNAME "./deploy.sh"

# Orchestrate the testwebapp job run sequence (runs only on commit to main branch)

workflows:

version: 2

build-project:

jobs:

- pull-and-build:

filters:

branches:

only:

- main

Commit changes to the GitHub Repository

Change to the correct directory:

cd ~/testwebapp

Set your GitHub credentials and remote repository:

git config user.email "webmaster@acunetixexample.com" (substitute with your Github account email address)

Commit your code changes with:

cd ~/testwebapp
git add .
git commit -m "first code commit"
git push

Prepare your Deployment Environment

In this example, the Deployment Environment will be a Ubuntu 18.04 LTS Server running on a cloud platform, and therefore the hostname for your Deployment Environment would be the same as that for your Target (in this example testwebapp.acunetixexample.com)

Create a user for CircleCI to connect to the Deployment Environment

Log into your Deployment Environment as the root user
Create a user that does NOT use a password for login:

useradd -m -d /home/circleuser -s /bin/bash circleuser

Create an SSH key WITHOUT passphrase for the circleuser user:

ssh-keygen -m PEM -t rsa -f ~/.ssh/circleuser

Add the newly-created public key to /home/circleuser/.ssh/authorized_keys:

mkdir -p /home/circleuser/.ssh
printf "\n" >> /home/circleuser/.ssh/authorized_keys
cat ~/.ssh/circleuser.pub >> /home/circleuser/.ssh/authorized_keys
chown -R circleuser:circleuser /home/circleuser

Show the contents of the private key using:

cat ~/.ssh/circleuser

Copy the contents of the private key - you will use this to allow your CircleCI to login to your Deployment Environment

Create a set of SSH keys for for the user to authenticate against GitHub

Log into your Deployment Environment as the circleuser user
Create new SSH keys WITHOUT passphrase:

ssh-keygen -t rsa

Display the public key in the console and copy it for later:

cat ~/.ssh/id_rsa.pub

Log into your GitHub account and navigate to your application's repository

Click on the "Settings" tab

Select "Deploy keys" in the sidebar

Click the "Add deploy key" button

Add new Deploy key:

Set the "Title" field to "LoginFromDeployEnvironment" (or any memorable name)
Paste the contents of the public key you copied earlier into "Key" field
Click the "Add key" button

Configure Firewall Access for SSH and HTTP

Allow SSH and HTTP traffic through the firewall:

sudo ufw allow OpenSSH
sudo ufw allow 80
sudo ufw enable

Setup the Project

You must have NodeJS, NPM, and pm2 installed on your Deployment Environment. You can install these with:

sudo apt install npm
sudo npm install -g pm2

To configure your development environment:

Login to your Deployment Environment as the circleuser user
Clone the project source code:

git clone https://github.com/acunetix-test/testwebapp.git (replace as necessary in the format https://github.com/your_user_name/your_application_name.git)

Start up your Node app using pm2 to register the process:

pm2 start ~/testwebapp/app.js

Create a "deploy.sh" file:

touch ~/deploy.sh
chmod +x ~/deploy.sh
nano ~/deploy.sh

Add the following lines to your deploy.sh file:

#!/bin/bash

#replace this with the path of your project on the VPS

cd ~/testwebapp

#pull from the branch

git pull origin main

pm2 restart ~/testwebapp/app.js

Configure CircleCI to Integrate with Github

Setup the CircleCI Project

Go to your list of projects and click on the "SetUp Project" button for the project you wish to work with - in this example, your project is called "testwebapp"

Click the "Use Existing Config" button (you have already created a config.yml in the repository)

Click the "Start Building" button (this will use the config.yml from your repository); this will immediately trigger the first build and send you to the pipeline page; this initial build will fail because you need to perform some additional steps

Configure SSH Key for CircleCI to connect to the Deployment Environment

From your application's pipeline page, click the "Project Settings" button

Click the "SSH Keys" menu item

Click the "Add SSH Key" button

Enter the Hostname for your Deployment Environment (in this example testwebapp.acunetixexample.com)
Enter the Private Key which you copied from your Deployment Environment
Click the "Add SSH Key" button

Configure Environment Variables

From your application's pipeline page, click the "Project Settings" button

Click the "Environment Variables" menu item

Click the "Add Environment Variable" button

Add an environment variable for the "circleuser" user you created earlier in the Deployment Environment:

Set the "Name" field to "USERNAME"
Set the "Value" field to "circleuser"
Click the "Add Environment Variable" button

Add an environment variable for the IP Address or the hostname of your Deployment Environment; in this example the hostname is "testwebapp.acunetixexample.com":

Set the "Name" field to "HOSTNAME"
Set the "Value" field to "testwebapp.acunetixexample.com"
Click the "Add Environment Variable" button

Test Pipeline Workflow

The main test to check everything is working correctly is to simply make a change to the source code, commit the changes, and push the changes to GitHub. This will show up in your CircleCI pipeline page:

Integrate into Acunetix

Finally, you need to edit the deploy.sh file in your Deployment Environment to add instructions to trigger an Acunetix scan of your Web Application Target after every build.

Login to your Deployment Environment as the circleuser user
Edit the "deploy.sh" file:

nano ~/deploy.sh

Add the a curl line to your deploy.sh file to trigger the scan; the final file should look like this: