Integrating Acunetix with Jenkins for CI/CD

This document outlines how to do the following:

  • Configure Jenkins for integration with Acunetix.
  • Add an Acunetix Scan as a Build Step in Jenkins.

Download Jenkins from https://jenkins.io/download/. It's compatible with Windows, Linux distributions, and Docker containers. For this guide, Jenkins was installed on Windows using the jenkins-2.222.4.zip file downloaded from the LTS group of files; the specific URL used in testing was:

http://ftp-nyc.osuosl.org/pub/jenkins/windows-stable/jenkins-2.222.4.zip

Configure Jenkins to Integrate with Acunetix

Step 1: Install the Acunetix Plugin for Jenkins

  • In the Jenkins UI, click Manage Jenkins:


  • Click Manage Plugins:

  • Open the Available tab
  • Filter for acunetix and select it from the list of plugins
  • Click Install without restart to start installing the Acunetix plugin for Jenkins

  • Jenkins will automatically install necessary dependencies, including the Acunetix plugin. After installation, click Restart Jenkins when installation is complete and no jobs are running.

Step 2: Identify the Certificate Store path where you will install the Acunetix SSL Certificate into the Jenkins CA store

About Multiple JAVA Instances on the Jenkins Machine

Note that the JAVA instance running your Jenkins service is independent of any JDK instances defined in "Manage Jenkins => Global Tool Configuration." The JDK instances specified in Global Tool Configuration are utilized by Jenkins during build processes.

The Certificate Store path and file will be JAVA_HOME_FOLDER\lib\security\cacerts. Next, identify the JAVA_HOME_FOLDER for the JAVA binary running your Jenkins service, considering that your machine may have several installations of different JAVA versions.

Jenkins on Windows

  1. First, determine the JAVA installation running the Jenkins service by inspecting the "jenkins.xml" file within the Jenkins installation directory for the "executable" tag:

<executable>%BASE%\jre\bin\java</executable>

  2. The %BASE% variable refers to the Jenkins installation directory, which is commonly C:\Program Files (x86)\Jenkins.

  3. To find the "java.home" directory for the JAVA instance running the Jenkins service, execute the following command:

"C:\Program Files (x86)\Jenkins\jre\bin\java" -XshowSettings:properties -version 2>&1 | find "java.home"

  4. Replace the JAVA path with the value obtained from the "executable" tag in the "jenkins.xml" file. The output will display the relevant "java.home" directory:

java.home = C:\Program Files (x86)\Jenkins\jre

  5. Since the Certificate Store file in use is JAVA_HOME_FOLDER\lib\security\cacerts, we now know that in this example the Certificate Store file in use is C:\Program Files (x86)\Jenkins\jre\lib\security\cacerts.

Jenkins on Linux

  1. To identify the JAVA binary running your Jenkins service, run the following command in the command line:

ps aux | grep jenkins

  2. You will receive output displaying all processes containing "jenkins" in the name or path, similar to the following:

jenkins  11044  0.0  0.4  21156  9060 ?        Ss   13:42   0:00 /lib/systemd/systemd --user
jenkins  11045  0.0  0.1 106264  2620 ?        S    13:42   0:00 (sd-pam)
jenkins  11058  0.0  0.0   5712   160 ?        S    13:42   0:00 /usr/bin/daemon --name=jenkins --inherit --env=JENKINS_HOME=/var/lib/jenkins --output=/var/log/jenkins/jenkins.log --pidfile=/var/run/jenkins/jenkins.pid -- /bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
jenkins  11059  3.1 14.0 2623256 287656 ?      Sl   13:42   0:22 /bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080
root     11194  0.0  0.0   6048   888 pts/0    S+   13:54   0:00 grep jenkins

  3. In this case, observe that the java executable is "/bin/java" (your system may display a different configuration). However, it is highly likely a symlink to the actual binary installed by the JDK or JRE package, potentially forming a chain of symlinks.
  4. To determine the "java.home" directory for the JAVA instance running the Jenkins service, execute the following command:

/bin/java -XshowSettings:properties -version 2>&1 | grep "java.home"

  5. Replace "/bin/java" in the command with the specific path reported by the command you executed above. The output will then reveal the relevant "java.home" directory:

java.home = /usr/lib/jvm/java-11-openjdk-amd64

  6. Given that the Certificate Store file in use is JAVA_HOME_FOLDER/lib/security/cacerts, in this example we've determined that the Certificate Store file is /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts.
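The steps above can be scripted so that the truststore of the Java that actually runs jenkins.war is found without guessing. The script below is an added example and is not part of the Acunetix document; it assumes a Linux host with procps (pgrep) and GNU coreutils (readlink -f), and that it is run as root or as the jenkins user so that /proc/<pid>/exe is readable. It also handles the two JDK layouts that appear on this page: JDK 9+ keeps cacerts at lib/security/cacerts, JDK 8 at jre/lib/security/cacerts.

```shell
#!/bin/sh
# Added example, not from the Acunetix document: locate the cacerts file of the
# Java that really runs jenkins.war on Linux.

# Read `java -XshowSettings:properties -version` output on stdin and print the
# java.home value (the line looks like "    java.home = /usr/lib/jvm/...").
java_home_from_settings() {
    sed -n 's/^[[:space:]]*java\.home = //p' | head -n 1
}

# Map a java.home directory to its cacerts file. JDK 9 and later keep it at
# lib/security/cacerts; JDK 8 and earlier ship it under jre/lib/security/cacerts.
# Returns 1 (prints nothing) when neither layout is present.
cacerts_for_java_home() {
    home=$1
    if [ -f "$home/lib/security/cacerts" ]; then
        printf '%s\n' "$home/lib/security/cacerts"
    elif [ -f "$home/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$home/jre/lib/security/cacerts"
    else
        return 1
    fi
}

# Find the java binary of the running jenkins.war process. /proc/<pid>/exe already
# points at the real binary, so the /bin/java -> /etc/alternatives/java -> ...
# symlink chain is resolved for us. The `daemon` wrapper also has jenkins.war on
# its command line, so only accept processes whose executable is a java binary.
jenkins_java_binary() {
    for pid in $(pgrep -f 'jenkins\.war'); do
        exe=$(readlink -f "/proc/$pid/exe" 2>/dev/null) || continue
        case "$exe" in
            *java) printf '%s\n' "$exe"; return 0 ;;
        esac
    done
    return 1
}

# Tie it together. Run as `sh locate-cacerts.sh locate` on the Jenkins host.
if [ "${1-}" = "locate" ]; then
    bin=$(jenkins_java_binary) || { echo "no running jenkins.war process found" >&2; exit 1; }
    # -XshowSettings writes to stderr, hence the 2>&1
    home=$("$bin" -XshowSettings:properties -version 2>&1 | java_home_from_settings)
    cacerts=$(cacerts_for_java_home "$home") || { echo "no cacerts under $home" >&2; exit 1; }
    echo "java binary : $bin"
    echo "java.home   : $home"
    echo "truststore  : $cacerts"
fi
```

The last path printed is the file to pass to keytool in Step 3; if the script reports no cacerts under java.home, the JDK is using a different layout and the file has to be located by hand.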

Step 3: Installing the Certificate into your JAVA keystore

Notes on installing your Certificate into the JAVA keystore:

Every installation of JAVA comes with a default keystore password, which is "changeit". Changing this password is usually unnecessary, and this document assumes you know your JAVA keystore password.

For all the examples provided, you may need to modify paths to match the correct location of your JAVA keystore.

  1. Install the Certificate into your JAVA keystore:
     • For Windows, run this from the command prompt:

C:\> keytool -import -trustcacerts -alias AcunetixCA -keystore "C:\Program Files (x86)\Jenkins\jre\lib\security\cacerts" -file C:\ProgramData\Acunetix\certs\ca.cer

     • For Linux, run this from the command prompt:

[john@localhost ~]$ keytool -import -trustcacerts -alias AcunetixCA -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/lib/security/cacerts -file /home/acunetix/.acunetix/data/certs/ca.cer

  2. Verify the successful installation of the certificate by executing the following command against the same keystore file you imported into:
     • On Windows:

C:\> keytool -list -keystore "C:\Program Files\Java\jre1.8.0_251\lib\security\cacerts" -alias AcunetixCA

     • On Linux:

[john@localhost ~]$ keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.252.b09-2.el8_1.x86_64/jre/lib/security/cacerts -alias AcunetixCA

  3. If the certificate installation was successful, you will observe details related to AcunetixCA. Here is an example:

C:\> keytool -list -keystore "c:\Program Files\Java\jre1.8.0_251\lib\security\cacerts" -alias AcunetixCA
Enter keystore password:
AcunetixCA, 15 May 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): E6:01:86:F3:43:33:97:25:71:B9:4E:BC:D9:08:30:AC:18:75:F6:9A:E6:D0:09:1D:D0:90:DF:2A:1D:8E:97:BA
C:\>
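Seeing an AcunetixCA entry only proves that something was imported under that alias; it does not prove that it is the certificate the Acunetix server currently presents. The script below is an added example, not part of the Acunetix document: it imports the CA only if the alias is absent (so it can be re-run from provisioning without keytool failing on a duplicate alias) and then compares the SHA-256 fingerprint that keytool reports with the fingerprint of the ca.cer file computed by openssl. It assumes the Linux paths used above (override KEYSTORE and CA_FILE as needed), the default "changeit" password, and a PEM-encoded ca.cer (add -inform DER to the openssl call if yours is DER).

```shell
#!/bin/sh
# Added example, not from the Acunetix document: idempotent import of the
# Acunetix CA into the Jenkins Java truststore plus a fingerprint cross-check.
# All paths below are assumptions taken from the examples on this page.

KEYSTORE=${KEYSTORE:-/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts}
CA_FILE=${CA_FILE:-/home/acunetix/.acunetix/data/certs/ca.cer}
ALIAS=${ALIAS:-AcunetixCA}
STOREPASS=${STOREPASS:-changeit}   # Java's default truststore password

# Extract the SHA-256 fingerprint from `keytool -list` output read on stdin.
# keytool prints it upper-case and colon-separated.
fingerprint_from_keytool() {
    sed -n 's/^Certificate fingerprint (SHA-256): //p' | head -n 1
}

# Extract the fingerprint from `openssl x509 -fingerprint -sha256` output read on
# stdin and normalise it to keytool's upper-case form so the two can be compared.
fingerprint_from_openssl() {
    sed -n 's/^SHA256 Fingerprint=//p' | head -n 1 | tr 'a-f' 'A-F'
}

# True only when both fingerprints are present and identical; an empty value
# means a parse failure, which must never count as a match.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

install_and_verify() {
    # keytool exits non-zero when the alias does not exist, so this is the
    # "already imported?" test.
    if ! keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1; then
        keytool -import -noprompt -trustcacerts -alias "$ALIAS" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$CA_FILE"
    fi
    in_store=$(keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" | fingerprint_from_keytool)
    on_disk=$(openssl x509 -in "$CA_FILE" -noout -fingerprint -sha256 | fingerprint_from_openssl)
    if fingerprints_match "$in_store" "$on_disk"; then
        echo "OK: $ALIAS in $KEYSTORE matches $CA_FILE ($in_store)"
    else
        echo "MISMATCH: keystore=$in_store file=$on_disk" >&2
        return 1
    fi
}

# Run as `sh import-acunetix-ca.sh run` on the Jenkins host.
if [ "${1-}" = "run" ]; then
    install_and_verify
fi
```

A MISMATCH after the Acunetix CA has been regenerated (for example when switching the certificate from a hostname to an IP address, as described in the troubleshooting section) means the old entry is still trusted under the alias; delete it with keytool -delete -alias AcunetixCA and run the script again.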

Step 4: Configuring Jenkins to Acunetix Integration

  • Navigate to Manage Jenkins and click Configure System. Scroll to the bottom of the page to reach the Acunetix Plugin configuration section.
  • Ensure that the default API URL value is accurate. The Acunetix API URL field, by default, contains the value "localhost". It's crucial to use the hostname selected during installation when configuring the Acunetix URL inside Jenkins, as the Acunetix CA certificate is issued on that hostname. Refer to the "Connection Issues - Notes & Troubleshooting" section further down in this document for additional details.
  • If your Jenkins instance is deployed on a different host than your Acunetix instance, make sure Acunetix is reachable from hosts other than localhost. For Acunetix Online, use the URL online.acunetix.com or https://app.invicti.com/api/v1 (for EU-based customers: app-eu.invicti.com).
  • Click Add
  • In the Credentials Provider dialog:
      • Set the Kind field to Secret text
      • Set the Scope field to Global (Jenkins, nodes, items, all child items, etc)
      • Set the Secret field to the Acunetix API Key. To retrieve the Acunetix API Key, go to the Acunetix UI:
          • Go to your Profile page (you must be the administrator user), and scroll to the bottom
          • If you don't have an API Key yet, click on the "Generate New API Key" button
          • Click the "Copy" button to copy the API key to the clipboard
          • Go back to the Jenkins UI
          • Paste the API Key into the Secret field from the clipboard
      • Optionally, set the Description to something like Acunetix API Key
      • Click Add to complete this step.
  • Click Apply to save the Acunetix API Key settings – it is IMPORTANT that you click "Apply" BEFORE you click Test Connection
  • Click Test Connection - you will see the message Connected Successfully


Connection Issues - Notes & Troubleshooting

Correct CA Certificate Configuration

When configuring the Acunetix URL inside Jenkins:

  • The Acunetix CA certificate is issued on the hostname selected during installation. It is crucial to use the hostname selected during installation when configuring the Acunetix URL in Jenkins.
  • If you prefer to use the IP address, generate the Acunetix CA certificate again on the IP address by following this document: Acunetix Security Hardening Guide.
  • Using a hostname or an IP inconsistently may result in a "Connection refused" error in Jenkins.
  • For further investigation of the issue, follow the provided instructions for your operating system.

Windows

By default, Jenkins logs are located in %JENKINS_HOME%\jenkins.out and %JENKINS_HOME%\jenkins.err, unless customized in %JENKINS_HOME%\jenkins.xml.

Linux

By default, Jenkins logs are found in /var/log/jenkins/jenkins.log, unless customized in /etc/default/jenkins (for *.deb) or via /etc/sysconfig/jenkins (for *.rpm).

JAVA Certificate Store Error

If you encounter the following error:

Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

You may need to recreate the cacerts file which JAVA uses during SSL exchanges (this example assumes Jenkins installed on Debian 11):

  • sudo mv /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/cacerts.disabled
  • echo -en "\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92" | sudo tee /etc/ssl/certs/java/cacerts >/dev/null
  • sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure
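The byte string written by the echo command above is a 32-byte JKS skeleton: the 0xFEEDFEED magic, version 2, an entry count of zero and a 20-byte integrity hash; ca-certificates-java then repopulates it. The "trustAnchors parameter must be non-empty" error is what Java reports when the truststore it opened contains no trusted certificates, so before recreating the file it is worth checking whether the store is missing, not a JKS file at all, or simply empty. The script below is an added example and not part of the Acunetix document; it reads only the JKS header with od and assumes a POSIX shell with coreutils. It does not parse PKCS12 stores; for those fall back to keytool -list.

```shell
#!/bin/sh
# Added example, not from the Acunetix document: sanity-check a JKS truststore
# before recreating it.

# Print the number of entries in a JKS file. The header is the 4-byte magic
# 0xFEEDFEED, a 4-byte version and a 4-byte big-endian entry count. Returns 1
# (prints nothing) if the file does not start with a JKS header.
jks_entry_count() {
    hdr=$(od -An -tx1 -N12 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        feedfeed????????????????) ;;   # magic + 16 hex digits of version and count
        *) return 1 ;;
    esac
    # characters 17-24 of the hex dump are the big-endian entry count
    echo $(( 0x$(printf '%s' "$hdr" | cut -c17-24) ))
}

# Classify a truststore path as "missing", "not-jks", "empty" (zero entries,
# which produces the trustAnchors error) or "ok".
truststore_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    n=$(jks_entry_count "$1") || { echo not-jks; return 0; }
    if [ "$n" -eq 0 ]; then echo empty; else echo ok; fi
}

# Run as `sh check-truststore.sh check [path]`; the default path is the Debian
# location used in the recovery steps above.
if [ "${1-}" = "check" ]; then
    store=${2:-/etc/ssl/certs/java/cacerts}
    echo "$store: $(truststore_state "$store")"
fi
```

Running the check after `ca-certificates-java.postinst configure` should report "ok"; if it still reports "empty", the postinst found no certificates to import and the Acunetix CA import in Step 3 will be the only entry Jenkins trusts.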

Add an Acunetix Scan as a Build Step in a Jenkins Job

To configure an Acunetix scan as a build step in a Jenkins job, follow these steps:

  • Navigate to the configuration of an existing Jenkins job or create a new job.
  • In the Build section, select Acunetix from the Add build step drop-down.
  • Configure the following options:
      • Scan Type: Choose a Scan Type for the scan. Scan types help reduce the scope of tests that the scanner runs during the scan.
      • Scan Target: Choose a Scan target that you wish to scan. Targets are obtained from Acunetix, and descriptions are provided to distinguish between targets with the same URL.
      • Fail build if threat level is: Choose the threat level at which to fail the Jenkins build based on the severity of the scan (High, Medium, or Low).
      • Stop the scan when build fails: Check this checkbox to abort the scan when the fail condition is met. This setting is enabled by default.
      • Generate Report: Choose a report to generate upon completion of the scan. The report will be accessible inside Acunetix, and a download link will be provided inside the Jenkins job console output.
  • Save the Jenkins job configuration.

This configuration allows you to integrate Acunetix scans as part of your Jenkins build process, providing automated security testing for your web applications. Adjust the settings based on your specific requirements and security policies.

 
