Integrating Acunetix with CircleCI for CI/CD

This article provides a step-by-step example of adding an Acunetix scan to a CircleCI deployment pipeline for a basic Node.js web application, following these steps:

  1. Prepare Acunetix Target
  2. Prepare GitHub Repository
  3. Set Up Local Environment
  4. Configure Deployment Environment
  5. Integrate CircleCI with GitHub
  6. Test Pipeline Workflow
  7. Integrate with Acunetix

Prepare Acunetix Target

  1. Log in to Acunetix.
  2. Create a Target for your web application. In this example the web application will be at http://testwebapp.acunetixexample.com (the Target URL must match the address and port the deployed application actually listens on; app.js below binds port 80, and the firewall rule opens port 80):
     1. Enter the web application URL.
     2. Provide a description.
     3. Click 'Save'.
  3. The screen will take you to the 'Target Settings' page, where you retrieve the Target ID from the URL.
  4. Visit your Profile page and click 'Copy' to retrieve your API Key. Treat the API Key as a credential: anyone holding it can start scans and read results for your account, so it must not be committed to the repository or pasted into build logs.

Prepare GitHub Repository

  1. Log in to your GitHub account. In this example the username is 'acunetix-test' and the email address is 'webmaster@acunetixexample.com'.
  2. On the 'Repositories' page, click the 'New' button.
  3. Create a new repository:
     1. Enter the repository name. Example: 'testwebapp'
     2. Provide a repository description.
     3. Check 'Add a README file' to initialize the repository.
     4. Click 'Create repository'.

Set up Local Environment

In this example, the Local Environment is configured as an Ubuntu 20.04.1 Desktop setup, but most Linux or MacOS setups should suffice. Simply replace the platform-specific steps with those suitable for your environment. All the subsequent steps will be executed on your Local Environment machine.

Installation Prerequisites

  1. Update and upgrade your environment:

sudo apt update && sudo apt upgrade -y

  2. Install git for GitHub repository interaction:

sudo apt install git -y

  3. Install Node.js and npm (the npm package pulls in nodejs as a dependency):

sudo apt install npm -y

Write your Local Source Code

  1. Check out your GitHub repository:

cd ~

git clone https://github.com/acunetix-test/testwebapp.git  # Substitute "acunetix-test" with your GitHub account name

  2. Create your basic web application with the file 'app.js' in the base folder:

nano ~/testwebapp/app.js

  3. Add the following lines to your 'app.js' file:

const http = require('http');

// Minimal HTTP server for the pipeline example: every request gets the same static page.
http.createServer(function (req, res) {
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.write('<html><head></head><body>');
  res.write('Welcome to the Test Web Application!' + '<br/>');
  res.write('====================================' + '<br/>');
  res.write('</body></html>');
  res.end();
}).listen(80, '0.0.0.0');  // port 80 must match the Acunetix Target URL and the firewall rule

Add a CircleCI Workflow Configuration file to your source code

  1. Create the configuration file:

mkdir ~/testwebapp/.circleci
nano ~/testwebapp/.circleci/config.yml

  2. Add the following lines to your config.yml file:

version: 2.1

# Define the jobs for testwebapp (checkout code and run a deploy.sh script)
jobs:
  pull-and-build:
    docker:
      # Third-party image that provides an ssh client. It is pulled unpinned here to keep
      # the example short; for anything beyond a demo, pin it by digest (image@sha256:...)
      # or build your own, because this container holds the key that logs in to the server.
      - image: arvindr226/alpine-ssh
    steps:
      - checkout
      # If this step fails with "Permission denied (publickey)", add an add_ssh_keys step
      # (with the key fingerprint shown in Project Settings) before it so the key from
      # Project Settings is loaded into the container.
      #
      # StrictHostKeyChecking=no accepts whatever host key the server presents, so a
      # machine in the middle between CircleCI and the deployment host could capture the
      # session and the commands it runs. It keeps the demo simple; prefer a pinned
      # known_hosts entry for a real deployment.
      - run: ssh -oStrictHostKeyChecking=no -v $USERNAME@$HOSTNAME "./deploy.sh"

# Orchestrate the testwebapp job run sequence (runs only on commit to main branch)
workflows:
  version: 2
  build-project:
    jobs:
      - pull-and-build:
          filters:
            branches:
              only:
                - main
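The `-oStrictHostKeyChecking=no` in the run step is the part of this configuration a practitioner would want to replace. The script below is an added example, not part of the article's pipeline or of CircleCI's own tooling: it assumes that the server's public host key was captured once out-of-band (for instance with ssh-keyscan from a trusted network) and stored in a CircleCI environment variable named DEPLOY_HOST_KEY as "<type> <base64>", that an optional DEPLOY_PORT holds a non-standard SSH port, and that USERNAME and HOSTNAME are the variables the article defines. It writes a private known_hosts file from that pinned key and then runs deploy.sh with strict host key checking turned on, so any other host key is refused.

```shell
#!/bin/bash
# pinned-deploy.sh: replacement for the article's "ssh -oStrictHostKeyChecking=no" step.
# Added example, not part of the article's pipeline. Assumed inputs (not from the article):
# DEPLOY_HOST_KEY = the server's public host key as "<type> <base64>", captured out-of-band;
# DEPLOY_PORT = SSH port (default 22); USERNAME and HOSTNAME = the article's CircleCI variables.

# Print a known_hosts line for host $1 on port $2 (default 22) with host key "$3".
# OpenSSH writes non-default ports as "[host]:port".
known_hosts_entry() {
  host="$1"; port="${2:-22}"; key="$3"
  set -- $key   # split "<type> <base64> [comment]" into $1 $2 $3, dropping any comment
  [ -n "$2" ] || { echo "host key must be '<type> <base64>'" >&2; return 1; }
  case "$1" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unsupported host key type: $1" >&2; return 1 ;;
  esac
  if [ "$port" = "22" ]; then
    printf '%s %s %s\n' "$host" "$1" "$2"
  else
    printf '[%s]:%s %s %s\n' "$host" "$port" "$1" "$2"
  fi
}

# Write the pinned entry to a private known_hosts file under $1 (default ~/.ssh)
# and print the file's path.
write_known_hosts() {
  dir="${1:-$HOME/.ssh}"
  mkdir -p "$dir"
  chmod 700 "$dir"
  known_hosts_entry "$HOSTNAME" "${DEPLOY_PORT:-22}" "$DEPLOY_HOST_KEY" > "$dir/known_hosts_pinned" || return 1
  chmod 600 "$dir/known_hosts_pinned"
  printf '%s\n' "$dir/known_hosts_pinned"
}

# Run deploy.sh exactly as the article's step does, but only against the pinned host key.
run_deploy() {
  kh=$(write_known_hosts) || return 1
  ssh -o UserKnownHostsFile="$kh" -o StrictHostKeyChecking=yes \
      -p "${DEPLOY_PORT:-22}" "$USERNAME@$HOSTNAME" "./deploy.sh"
}

# Only run the deployment when invoked as "pinned-deploy.sh deploy".
if [ $# -gt 0 ] && [ "$1" = "deploy" ]; then
  run_deploy
fi
```

In config.yml the run step becomes `- run: sh .circleci/pinned-deploy.sh deploy` (with the script committed next to config.yml). When the server's host key is legitimately rotated, the job fails until DEPLOY_HOST_KEY is updated in Project Settings, which is the behaviour you want.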

Commit the changes to the GitHub Repository

  1. Change to the correct directory:

cd ~/testwebapp

  2. Set the identity git records on your commits (the 'origin' remote was already set by the clone):

git config user.name "acunetix-test"  # Substitute with your GitHub account name
git config user.email "webmaster@acunetixexample.com"  # Substitute with your GitHub account email address

  3. Commit your code changes with:

git add .
git commit -m "first code commit"
git push

Configure Deployment Environment

In this example, the Deployment Environment is an Ubuntu 18.04 LTS Server on a cloud platform. Its public hostname must be the one your Acunetix Target points at (in this example, testwebapp.acunetixexample.com), because the scan is launched against the Target URL and has to reach the freshly deployed code.

Create a user for CircleCI to connect to the Deployment Environment

  1. Log in to your Deployment Environment as the root user. Create a user with no password set; it will only ever log in with the SSH key added below, and it is deliberately not a sudoer:

useradd -m -d /home/circleuser -s /bin/bash circleuser

  2. Create an SSH key pair without a passphrase for circleuser. CircleCI expects the private key in PEM format, hence -m PEM:

ssh-keygen -m PEM -t rsa -f ~/.ssh/circleuser

  3. Add the newly-created public key to /home/circleuser/.ssh/authorized_keys, with the permissions that sshd's StrictModes check requires:

mkdir -p /home/circleuser/.ssh
printf "\n" >> /home/circleuser/.ssh/authorized_keys
cat ~/.ssh/circleuser.pub >> /home/circleuser/.ssh/authorized_keys
chmod 700 /home/circleuser/.ssh
chmod 600 /home/circleuser/.ssh/authorized_keys
chown -R circleuser:circleuser /home/circleuser

  4. Show the contents of the private key using:

cat ~/.ssh/circleuser

  5. Copy the contents of the private key; you will paste it into CircleCI so it can log in to your Deployment Environment. Once it is stored in CircleCI, delete ~/.ssh/circleuser from the server: a private key that grants login to this host has no reason to remain on it.
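The key just installed gives CircleCI an unrestricted shell as circleuser, although the pipeline only ever needs to run deploy.sh. The script below is an added example, not part of the article's procedure: it builds an authorized_keys entry with a forced command and forwarding disabled, so that whatever a holder of the key asks to execute, sshd runs deploy.sh instead. The deploy.sh path, the "circleci-deploy" comment and the sample public key in the test are assumptions; run it as root on the Deployment Environment in place of step 3 and then apply the chown from that step.

```shell
#!/bin/bash
# restrict-deploy-key.sh: install the CircleCI public key for circleuser with a forced command.
# Added example, not part of the article's procedure. DEPLOY_CMD is an assumed path.

DEPLOY_CMD="/home/circleuser/deploy.sh"

# Print a restricted authorized_keys line for the public key given as "$1".
# command="..." makes sshd run deploy.sh regardless of what the client requested
# (the requested command is still exposed to the script as $SSH_ORIGINAL_COMMAND);
# the no-* options remove port, agent and X11 forwarding and the pseudo-terminal.
restrict_key() {
  set -- $1   # split "<type> <base64> [comment]"; the comment and any options are dropped
  key_type="$1"; key_data="$2"
  case "$key_type" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unsupported key type: $key_type" >&2; return 1 ;;
  esac
  [ -n "$key_data" ] || { echo "missing key material" >&2; return 1; }
  printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s circleci-deploy\n' \
    "$DEPLOY_CMD" "$key_type" "$key_data"
}

# Append the restricted entry for the public key file $1 under home directory $2
# (default /home/circleuser), with the permissions sshd's StrictModes check expects.
install_key() {
  pubkey_file="$1"; home_dir="${2:-/home/circleuser}"
  entry=$(restrict_key "$(cat "$pubkey_file")") || return 1
  mkdir -p "$home_dir/.ssh"
  chmod 700 "$home_dir/.ssh"
  printf '%s\n' "$entry" >> "$home_dir/.ssh/authorized_keys"
  chmod 600 "$home_dir/.ssh/authorized_keys"
}

# Usage: restrict-deploy-key.sh /root/.ssh/circleuser.pub [/home/circleuser]
if [ $# -gt 0 ]; then
  install_key "$@"
fi
```

The CircleCI step `ssh ... "./deploy.sh"` keeps working unchanged, because the forced command is the same script. The difference is what an attacker who obtains the private key from CircleCI can do: run one deployment, not open a shell.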

Generate a set of SSH keys for the user to authenticate against GitHub

  1. Log in to your Deployment Environment as the circleuser user. Create a new SSH key pair without a passphrase, accepting the default path ~/.ssh/id_rsa:

ssh-keygen -t rsa

  2. Display the public key in the console and copy it for later:

cat ~/.ssh/id_rsa.pub

  3. Log in to your GitHub account, navigate to your application's repository, and click Settings.
  4. Select Deploy keys in the sidebar.
  5. Click Add deploy key.
  6. Add the new Deploy key:
     1. Set the Title field to "LoginFromDeployEnvironment" (or any memorable name)
     2. Paste the contents of the public key you copied earlier into the Key field
     3. Leave "Allow write access" unchecked; the Deployment Environment only pulls, so a read-only key is enough
     4. Click Add key

Configure Firewall Access for SSH and HTTP

Allow SSH and HTTP traffic through the firewall:

  • Log in to your Deployment Environment and run the following:

sudo ufw allow OpenSSH

sudo ufw allow 80

sudo ufw enable

Setup the Project

  1. As root, install Node.js, npm and pm2 on your Deployment Environment (circleuser has no sudo rights):

sudo apt install npm

sudo npm install -g pm2

  2. Log in to your Deployment Environment as the circleuser user and clone the project source code over SSH, so that the deploy key you added to GitHub is used (an https:// clone would ignore it and, for a private repository, prompt for credentials):

git clone git@github.com:acunetix-test/testwebapp.git  # Replace with your repository in the format git@github.com:your_user_name/your_application_name.git

  3. Start your Node app under pm2 so the process is registered. app.js binds port 80, which an unprivileged user cannot do by default: before this step, either grant the node binary the CAP_NET_BIND_SERVICE capability with setcap, or have the app listen on a high port behind a reverse proxy (and open that port instead of 80 in the firewall).

pm2 start ~/testwebapp/app.js

  4. Create a "deploy.sh" file:

touch ~/deploy.sh
chmod +x ~/deploy.sh
nano ~/deploy.sh

  5. Add the following lines to your deploy.sh file:

#!/bin/bash
set -e  # stop at the first failing step, so a failed pull never restarts stale code

# replace this with the path of your project on the VPS
cd ~/testwebapp

# pull from the branch
git pull origin main

pm2 restart ~/testwebapp/app.js

Integrate CircleCI with GitHub

Setup the CircleCI Project

  • Log in to your CircleCI account

  • Go to your list of projects and click on the "Set Up Project" button for the project you wish to work with; in this example, your project is called "testwebapp"

  • Click the "Use Existing Config" button (you have already created a config.yml in the repository)

  • Click the "Start Building" button (this will use the config.yml from your repository). This immediately triggers the first build and sends you to the pipeline page; the initial build will fail because the SSH key and environment variables below are not configured yet

Configure SSH Key for CircleCI to connect to the Deployment Environment

  • From your application's pipeline page, click the "Project Settings" button

  • Click the "SSH Keys" menu item

  • Click the "Add SSH Key" button

  • Enter the Hostname for your Deployment Environment (in this example testwebapp.acunetixexample.com)
  • Paste the Private Key you copied from your Deployment Environment (the contents of ~/.ssh/circleuser, not the .pub file)
  • Click the "Add SSH Key" button

Configure Environment Variables

  • From your application's pipeline page, click the "Project Settings" button

  • Click the "Environment Variables" menu item

  • Click the "Add Environment Variable" button

  • Add an environment variable for the "circleuser" user you created earlier in the Deployment Environment:
  • Set the "Name" field to "USERNAME"
  • Set the "Value" field to "circleuser"
  • Click the "Add Environment Variable" button

  • Add an environment variable for the IP Address or the hostname of your Deployment Environment; in this example the hostname is "testwebapp.acunetixexample.com":
  • Set the "Name" field to "HOSTNAME"
  • Set the "Value" field to "testwebapp.acunetixexample.com"
  • Click the "Add Environment Variable" button

Test Pipeline Workflow

The main test to check that everything is working correctly is to make a change to the source code, commit it, and push it to GitHub. The run shows up on your CircleCI pipeline page; when it goes green, the change should be visible at the Target URL, which confirms that deploy.sh ran on the Deployment Environment.

Integrate with Acunetix

Finally, edit the deploy.sh file in your Deployment Environment so that every successful deployment ends by asking Acunetix to scan your Web Application Target.

  • Log in to your Deployment Environment as the circleuser user
  • Edit the "deploy.sh" file:

nano ~/deploy.sh

  • Add the curl line to your deploy.sh file to trigger the scan; the final file should look like this:

#!/bin/bash
set -e  # stop at the first failing step, so a failed pull never restarts stale code

# replace this with the path of your project on the VPS
cd ~/testwebapp

# pull from the branch
git pull origin main

pm2 restart ~/testwebapp/app.js

# Ask Acunetix to queue a scan of the Target. -k disables certificate verification, which
# would let anyone on the network path read the API key; drop it unless your On-Premises
# instance presents a certificate the server cannot otherwise verify. -i prints the response
# status and headers into the CircleCI log, so a rejected request (401 for a bad key) is visible.
curl -k -i --request POST --url "https://online.acunetix.com/api/v1/scans" --header "X-Auth: [APIKEY]" --header "content-type: application/json" --data '{"profile_id":"11111111-1111-1111-1111-111111111111","schedule":{"disable":false,"start_date":null,"time_sensitive":false},"user_authorized_to_scan":"yes","target_id":"[Target ID]"}'

  • Replace the three placeholders:
  • To set the correct X-Auth value, replace the "[APIKEY]" text with the API key you retrieved in the first section. The key then sits in plaintext in deploy.sh, so make the file readable by circleuser only (chmod 700 ~/deploy.sh); the default home directory permissions on Ubuntu 18.04 would otherwise let any local user read it
  • The suggested value for profile_id is "11111111-1111-1111-1111-111111111111"; this default value is for a "Full Scan". If you wish to specify a different scan profile, you can set one of the following values:
  • For the Online version of Acunetix:
     • Full Scan: 11111111-1111-1111-1111-111111111111
     • High Risk Vulnerabilities: 11111111-1111-1111-1111-111111111112
     • SQL Injection Vulnerabilities: 11111111-1111-1111-1111-111111111113
     • Weak Passwords: 11111111-1111-1111-1111-111111111115
     • Cross-site Scripting Vulnerabilities: 11111111-1111-1111-1111-111111111116
     • Crawl Only: 11111111-1111-1111-1111-111111111117
     • Malware Scan: 11111111-1111-1111-1111-111111111120
     • Full Web and Network Scan: 11111111-1111-1111-1111-211111111111
     • Network Scan: 11111111-1111-1111-1111-211111111112
     • Network Scan (Safe Checks): 11111111-1111-1111-1111-211111111113
     • Network Scan Quick: 11111111-1111-1111-1111-211111111114
  • For the On-Premises version of Acunetix (also replace the host in the --url with that of your instance):
     • Full Scan: 11111111-1111-1111-1111-111111111111
     • High Risk: 11111111-1111-1111-1111-111111111112
     • SQL Injection Vulnerabilities: 11111111-1111-1111-1111-111111111113
     • Weak Passwords: 11111111-1111-1111-1111-111111111115
     • Cross-site Scripting Vulnerabilities: 11111111-1111-1111-1111-111111111116
     • Crawl Only: 11111111-1111-1111-1111-111111111117
     • High / Medium Risk: 11111111-1111-1111-1111-111111111119
     • Malware Scan: 11111111-1111-1111-1111-111111111120
  • ...or alternatively the scan profile id of any custom scan profile you have created; you can retrieve the id of a custom scan profile programmatically via the Acunetix API, or by navigating to the custom scan profile and checking the URL.

  • To set the correct target_id value, replace the "[Target ID]" text with the Target ID you retrieved in the first section
  • Every future push to main now deploys and then sends a scan request to Acunetix. The request only queues the scan; the results appear in the Acunetix UI (or via the API) when it finishes, so the pipeline itself is not gated on the findings.
