Integrating Acunetix with Jenkins for CI/CD
You can download Jenkins from https://jenkins.io/download/. Jenkins works on platforms such as Windows, Linux distributions, and in Docker containers. The rest of this document assumes that Jenkins was installed on Windows using the "jenkins-2.222.4.zip" file downloaded from the LTS group of files; the specific URL used in testing was:
http://ftp-nyc.osuosl.org/pub/jenkins/windows-stable/jenkins-2.222.4.zip
This document will describe how to:
- Configure Jenkins to Integrate with Acunetix
- Add an Acunetix Scan as a Build Step in a Jenkins Job
Configure Jenkins to Integrate with Acunetix
Step 1: Install the Acunetix Plugin for Jenkins
- In the Jenkins UI, navigate to "Manage Jenkins"
- Click on "Manage Plugins"
- Go to the "Available" tab.
- Filter for "acunetix" and select "Acunetix" from the list of plugins
- Click on the "Install without restart" button to start installing the Acunetix plugin for Jenkins.
- Jenkins will automatically install any required dependencies, as well as the Acunetix plugin. When complete, click on "Restart Jenkins when installation is complete and no jobs are running".
Step 2: Find the Certificate Store path where you will need to Install the Acunetix SSL Certificate into the Jenkins CA store
🔍 About Multiple JAVA Instances on the Jenkins Machine
Be aware that the JAVA instance that is running your Jenkins service bears no relation to any of the JDK instances defined in "Manage Jenkins => Global Tool Configuration". The JDK instances defined in the Global Tool Configuration are used by Jenkins during build processes.
The Certificate Store path and file will be JAVA_HOME_FOLDER\lib\security\cacerts. The next step, therefore, is to identify the JAVA_HOME_FOLDER for the JAVA binary running your Jenkins service; keep in mind that your machine may have several installations of different versions of JAVA.
Jenkins on Windows
- First we need to understand which JAVA installation is running the Jenkins service. You can get this by examining the "jenkins.xml" file inside the Jenkins installation directory for the "executable" tag:
<executable>%BASE%\jre\bin\java</executable>
The %BASE% variable refers to the Jenkins installation directory. Typically this would be "C:\Program Files (x86)\Jenkins".
- To find the "java.home" directory for the JAVA instance running the jenkins service, run the following command:
"C:\Program Files (x86)\Jenkins\jre\bin\java" -XshowSettings:properties -version 2>&1 | find "java.home"
... replacing the JAVA path with the appropriate value resulting from the "executable" tag in the "jenkins.xml" file. The output will show you the relevant "java.home" directory:
java.home = C:\Program Files (x86)\Jenkins\jre
- Since the Certificate Store file in use is JAVA_HOME_FOLDER\lib\security\cacerts, we now know that in this example the Certificate Store file in use is C:\Program Files (x86)\Jenkins\jre\lib\security\cacerts.
Jenkins on Linux
- You first need to understand which JAVA binary is running your Jenkins service. From the command line, run the following:
ps aux | grep jenkins
You should receive output showing all processes including "jenkins" in the name or path; something like this:
jenkins   11044  0.0  0.4   21156   9060 ?      Ss   13:42   0:00 /lib/systemd/systemd --user
jenkins   11045  0.0  0.1  106264   2620 ?      S    13:42   0:00 (sd-pam)
jenkins   11058  0.0  0.0    5712    160 ?      S    13:42   0:00 /usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
jenkins   11059  3.1 14.0 2623256 287656 ?      Sl   13:42   0:22 /bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
root      11194  0.0  0.0    6048    888 pts/0  S+   13:54   0:00 grep jenkins
In this case, we can see that the java executable is "/bin/java" (your system may show some different configuration) – but it's almost certainly a symlink to the real binary installed by the JDK or JRE package – or even possibly a chain of symlinks.
- To find the "java.home" directory for the JAVA instance running the jenkins service, run the following command:
/bin/java -XshowSettings:properties -version 2>&1 | grep "java.home"
...replacing "/bin/java" with whatever was reported in the commands you ran as explained above. The output will show you the relevant "java.home" directory:
java.home = /usr/lib/jvm/java-11-openjdk-amd64
- Since the Certificate Store file in use is JAVA_HOME_FOLDER/lib/security/cacerts, we now know that in this example the Certificate Store file in use is /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts.
Step 3: Installing the Certificate into your JAVA keystore
- Install the Certificate into your JAVA keystore:
- For Windows, run this from the command prompt:
C:\> keytool -import -trustcacerts -alias AcunetixCA -keystore "C:\Program Files (x86)\Jenkins\jre\lib\security\cacerts" -file C:\ProgramData\Acunetix\certs\ca.cer
- For Linux, run this from the command prompt:
[john@localhost ~]$ keytool -import -trustcacerts -alias AcunetixCA -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/lib/security/cacerts -file /home/acunetix/.acunetix/data/certs/ca.cer
- Check that you have successfully installed the certificate:
- On Windows:
C:\> keytool -list -keystore "C:\Program Files\Java\jre1.8.0_251\lib\security\cacerts" -alias AcunetixCA
- On Linux:
[john@localhost ~]$ keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/lib/security/cacerts -alias AcunetixCA
If the certificate was successfully installed, you will see the AcunetixCA details, for example:
C:\> keytool -list -keystore "c:\Program Files\Java\jre1.8.0_251\lib\security\cacerts" -alias AcunetixCA
Enter keystore password:
AcunetixCA, 15 May 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): E6:01:86:F3:43:33:97:25:71:B9:4E:BC:D9:08:30:AC:18:75:F6:9A:E6:D0:09:1D:D0:90:DF:2A:1D:8E:97:BA
C:\>
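Steps 2 and 3 above (find the JVM that really runs Jenkins, derive its cacerts file, import the Acunetix CA, then check the import) as one script. This is an added example, not code from the Acunetix document or its Jenkins plugin. It assumes a Linux host with GNU readlink and keytool on PATH, the ca.cer location the document shows for Linux, and the JDK default truststore password "changeit" unless another one is passed; the verification step goes one step beyond the document by comparing the fingerprint stored under the AcunetixCA alias with the fingerprint of the certificate file itself.

```shell
#!/bin/sh
# Added example, not from the Acunetix document: find the JVM that actually runs
# Jenkins, the cacerts truststore it reads, and import + verify the Acunetix CA
# certificate there. Assumptions: Linux host, GNU readlink, keytool on PATH, and
# the JDK default truststore password "changeit" unless one is passed in.

# From `ps -eo args=` output, print the java executable of the process that
# launches jenkins.war (the token named "java" or ending in "/java").
java_bin_from_ps() {
    printf '%s\n' "$1" | awk '/jenkins\.war/ {
        for (i = 1; i <= NF; i++)
            if ($i == "java" || $i ~ /\/java$/) { print $i; exit }
    }'
}

# Pull "java.home = <path>" out of `java -XshowSettings:properties -version` output.
java_home_from_settings() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*java\.home = //p' | head -n 1
}

# Truststore for a java.home: lib/security/cacerts on Java 9+ (and on a Java 8
# JRE, which is what java.home points at); a Java 8 JDK root keeps it under jre/.
cacerts_for_java_home() {
    for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
        if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# End to end on a live host: process list -> resolved java binary -> java.home -> cacerts.
jenkins_truststore() {
    bin=$(java_bin_from_ps "$(ps -eo args=)")
    [ -n "$bin" ] || { echo "no java process running jenkins.war found" >&2; return 1; }
    bin=$(readlink -f "$bin")            # /bin/java is usually a symlink chain
    home=$(java_home_from_settings "$("$bin" -XshowSettings:properties -version 2>&1)")
    cacerts_for_java_home "$home"
}

# Import the CA certificate ($2) into the truststore ($1) under alias AcunetixCA.
install_acunetix_ca() {
    keytool -importcert -noprompt -trustcacerts -alias AcunetixCA \
        -keystore "$1" -storepass "$3" -file "$2"
}

# Verify by comparing the SHA-256 fingerprint keytool reports for the alias with
# the fingerprint of the certificate file, so a stale entry under the same alias
# or an import into the wrong store is noticed rather than assumed.
verify_acunetix_ca() {
    store_fp=$(keytool -list -v -keystore "$1" -storepass "$3" -alias AcunetixCA 2>/dev/null \
        | sed -n 's/.*SHA256: *//p' | head -n 1)
    file_fp=$(keytool -printcert -file "$2" | sed -n 's/.*SHA256: *//p' | head -n 1)
    [ -n "$store_fp" ] && [ "$store_fp" = "$file_fp" ]
}

# Usage: sh acunetix_ca.sh install /home/acunetix/.acunetix/data/certs/ca.cer [storepass]
if [ "${1:-}" = "install" ]; then
    store=$(jenkins_truststore) || exit 1
    pass=${3:-changeit}
    install_acunetix_ca "$store" "$2" "$pass"
    verify_acunetix_ca "$store" "$2" "$pass" && echo "AcunetixCA trusted in $store"
fi
```

Run it on the Jenkins host as a user that can write the cacerts file (typically root); the script reads the process list rather than trusting JAVA_HOME, for the reason the note above gives: the JVM that serves Jenkins is not necessarily any of the JDKs configured in Global Tool Configuration. On Windows, derive the binary from the "executable" tag in jenkins.xml instead and run the same keytool commands from that JRE's bin directory.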
Step 4: Configuring the Jenkins to Acunetix Integration
- Go to the "Manage Jenkins" page.
- Click on "Configure System" and scroll to the bottom of the page to get to the Acunetix Plugin configuration section.
- Ensure that the default API URL value is correct. By default, the Acunetix API URL field contains the value localhost.
- The Acunetix CA certificate is issued on the host name selected during installation. For that reason, when configuring the Acunetix URL inside Jenkins, it is important to use the host name selected during installation. For more information, see the section entitled "Connection Issues - Notes & Troubleshooting" further on in this document.
- If your Jenkins instance is deployed on a different host than your Acunetix instance, you need to make Acunetix reachable from hosts other than localhost.
- If you are using Acunetix Online, you should use https://online.acunetix.com/api/v1
- Click on the "Add => Jenkins" button
- In the Credentials Provider dialog:
- Set the "Kind" field to "Secret text"
- Set the "Scope" field to "Global (Jenkins, nodes, items, all child items, etc)"
- Set the "Secret" field to the Acunetix API Key. To retrieve the Acunetix API Key, go to the Acunetix UI:
- Go to your Profile page (you must be the administrator user), and scroll to the bottom
- If you don't have an API Key yet, click on the "Generate New API Key" button
- Click the "Copy" button to copy the API key to the clipboard
- Go back to the Jenkins UI
- Paste the API Key into the "Secret" field from the clipboard
- Optionally, set the "Description" to something like "Acunetix API Key"
- Click the "Add" button to complete this step.
- Click the "Apply" button to save the Acunetix API Key settings – it is IMPORTANT that you click "Apply" BEFORE you use the "Test Connection" button
- Click the "Test Connection" button - you will see the message "Connected Successfully"
Connection Issues - Notes & Troubleshooting
The Acunetix CA certificate is issued on the host name selected during installation. For that reason, when configuring the Acunetix URL inside Jenkins, it is important to use the host name selected during installation. If you want to use the IP Address, you will need to generate the Acunetix CA certificate again on the IP address. This can be done by following this document: https://www.acunetix.com/blog/docs/acunetix-security-hardening-guide/
If the host in the URL does not match what the certificate was issued for (a host name where the certificate was issued for an IP address, or the other way around), Jenkins will respond with a "Connection refused" error. To investigate the problem further, follow these instructions for your OS.
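A check for the mismatch described above, run before pressing "Test Connection": it takes the host part of the API URL you entered in Jenkins and looks for it among the names in the certificate's Subject Alternative Name. This is an added example, not part of the Acunetix document or plugin. It assumes OpenSSL 1.1.1 or later (for the -ext option), a PEM-encoded certificate file, and that the certificate carries the install-time host name or IP address in its SAN, which is what the document says the Acunetix certificate is issued on.

```shell
#!/bin/sh
# Added example, not from the Acunetix document: before pressing "Test Connection",
# check that the host in the Acunetix API URL entered in Jenkins is a name the
# Acunetix certificate was issued for. Assumes OpenSSL 1.1.1+ (for -ext), a PEM
# certificate, and that the certificate carries the install-time host name or IP
# in its Subject Alternative Name.

# Host component of a URL: strip scheme, user info, path/query and port.
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#^[^/@]*@##' \
                             -e 's#[/?].*$##' -e 's#:[0-9]*$##'
}

# Names from openssl's subjectAltName text, e.g.
#   X509v3 Subject Alternative Name:
#       DNS:acunetix.example.internal, IP Address:10.0.0.5
# printed one per line without the DNS:/IP Address: prefix.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n -e 's/^[[:space:]]*DNS://p' -e 's/^[[:space:]]*IP Address://p'
}

# Exact match (case-insensitive), or a single-label wildcard such as *.example.internal.
host_matches_name() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        \*.*) [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${name#\*.}" ] ;;
        *)    [ "$host" = "$name" ] ;;
    esac
}

# $1 = host, $2 = subjectAltName text; succeeds when any SAN entry covers the host.
host_in_sans() {
    for n in $(san_names "$2"); do   # entries contain no whitespace once the prefix is gone
        if host_matches_name "$1" "$n"; then return 0; fi
    done
    return 1
}

# $1 = API URL as configured in Jenkins, $2 = PEM certificate file.
check_api_url_against_cert() {
    host=$(url_host "$1")
    sans=$(openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null)
    if host_in_sans "$host" "$sans"; then
        echo "OK: '$host' is covered by $2"
    else
        echo "MISMATCH: '$host' is not in the SAN of $2; use the host name chosen at install time, or reissue the certificate for this host" >&2
        return 1
    fi
}

# Usage (constructed values): check_api_url_against_cert https://acunetix.example.internal:3443/api/v1 ca.cer
```

A MISMATCH result means the "Connection refused" outcome the document describes is to be expected; fix the URL or reissue the certificate (see the hardening guide linked above) rather than relaxing trust on the Jenkins side.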
Windows
By default, you can find Jenkins logs in %JENKINS_HOME%\jenkins.out and %JENKINS_HOME%\jenkins.err, unless customized in %JENKINS_HOME%\jenkins.xml.
Linux
By default, you can find Jenkins logs in /var/log/jenkins/jenkins.log, unless customized in /etc/default/jenkins (for *.deb) or via /etc/sysconfig/jenkins (for *.rpm).
Add an Acunetix Scan as a Build Step in a Jenkins Job
To add an Acunetix scan as a build step in a Jenkins job, navigate to the configuration of an existing job or create a new job. In the Build step, select Acunetix from the Add build step drop-down.
You will see the following options:
- Scan Type: Choose a Scan Type for the scan. Scan types are used to reduce the scope of tests that the scanner runs during the scan.
- Scan Target: Choose a Scan target that you wish to scan. Scan targets are obtained from Acunetix with the exception of targets requiring manual intervention. The listed targets contain part of their descriptions to help you distinguish between targets that have the same URL.
- Fail build if threat level is: Choose at which threat level to fail the Jenkins build based upon the threat level of the scan (High severity, Medium severity, or Low severity)
- Stop the scan when build fails: Check this checkbox if you would like to abort the scan when the fail condition in "Fail build if threat level is" is met. This setting is enabled by default.
- Generate Report: Choose a report to generate upon completion of the scan. The report will be accessible inside of Acunetix and a download link will be provided inside the job console output.