Integrating Netsparker Enterprise with the Jenkins Plugin

Jenkins is an automation server that lets software developers automate the building, testing and deployment of their projects, and its functionality is extended through plugins. The Netsparker Enterprise Scan Jenkins plugin is one such extension.

This topic explains how to install and configure the new Netsparker Enterprise Scan Jenkins plugin with Jenkins Freestyle projects. Through the plugin you can use Netsparker Enterprise's integration functionality to launch automated scans from your builds and view the resulting vulnerability reports in Jenkins.

You can also use the plugin with Jenkins Pipeline projects by adding the plugin step, generated by the Integration Script Generator in the Jenkins Integration window, to your pipeline script.

For further information, see What Systems Does Netsparker Integrate With?.

Downloading and Installing the Netsparker Enterprise Scan Jenkins Plugin

The plugin is packaged into an .hpi file called jenkins-plugin.hpi. This package has been tested and approved for Jenkins version 2.2+.

There are two ways to install the plugin:

  • From the Plugin Manager in Jenkins
  • From Netsparker Enterprise

The first method is preferred because it is simpler.

How to Install the Jenkins Plugin from the Plugin Manager
  1. Open Jenkins.
  2. From the main menu, select Manage Jenkins > Manage Plugins.
  3. From the Plugin Manager window, select the Available tab.
  4. Update the Available plugins list by selecting Check Now.
  5. In the Filter box, enter 'netsparker'. From the filtered results, select the checkbox next to the Netsparker Enterprise Scan plugin, then select Download now and install after restart.
  6. In order to use the plugin, restart Jenkins. To restart, from a browser, navigate to:
    • [jenkins_url]/safeRestart (restarts Jenkins after the current builds have completed)
    • [jenkins_url]/restart (forces a restart; running builds are not allowed to complete)
How to Download and Install the Jenkins Plugin from Netsparker Enterprise
  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Integrations > New Integrations > Jenkins.
  3. From the Use Plugin tab, select Download the plugin and save the file to a location of your choice.
  4. Open Jenkins.
  5. From the main menu, select Manage Jenkins > Manage Plugins.
  6. Select the Advanced tab.
  7. From the Upload Plugin section, select Choose File.
  8. Select the jenkins-plugin.hpi file you downloaded previously, then Open. The file is uploaded, and the focus of the window returns to the Advanced tab.
  9. In order to use the plugin, restart Jenkins. To restart, from a browser, navigate to:
    • [jenkins_url]/safeRestart (restarts Jenkins after the current builds have completed)
    • [jenkins_url]/restart (forces a restart; running builds are not allowed to complete)

Configuring the Jenkins Project

Each Jenkins project has its own build configuration. Each build configuration has its own build steps. The Netsparker Enterprise Scan must be added to a Jenkins project as a build step.

How to Configure the Jenkins Project
  1. Open Jenkins.
  2. From the main menu, select Manage Jenkins > Configure System.
  3. In the Netsparker Enterprise section, enter your Netsparker Enterprise Server URL and API Token, and select Test Connection to verify access to Netsparker Enterprise. Then, select Save.
  4. Navigate to the Jenkins Home page.
  5. Select the project to which you want to add the Netsparker Enterprise Scan build step.
  6. From the menu, select Configure.
  7. Select the Build tab.
  8. From the Build section, select the Add build step drop-down, then Netsparker Enterprise Scan.
  9. Complete the Scan Type, Website Deploy URL, and Profile Name settings.
  10. Select Save.

Using Pipeline Script in the Pipeline Project

If you use Pipeline projects in Jenkins, use this method.

  1. Log in to Netsparker Enterprise.
  2. From the main menu, go to Integration > New Integration > Jenkins.
  3. Select the Use Integration Script tab.
  4. From the Integration Script Generator section, select the relevant Scan Settings:
    • From the Scan Type field, select an option
    • From the Website drop-down, select a website
    • From the Scan Profile drop-down, select a scan profile (this is not displayed if you select Full with Primary Profile as the Scan Type)
  5. Select Copy to clipboard in the Pipeline Script field.

If you select the Override API Token for Jenkins Pipeline Script checkbox, make sure you add 'APITOKEN' to the Jenkins Pipeline project as a parameter.

Here is a sample Pipeline Script with Override API Token selected.

node {
    // '$APITOKEN' refers to the APITOKEN parameter added to the Pipeline project
    step([$class: 'NCScanBuilder', ncApiToken: '$APITOKEN', ncScanType: 'FullWithPrimaryProfile', ncWebsiteId: 'ed9f04a4-d530-43b5-f837-a88f03f0b886', ncDoNotFail: true, ncConfirmed: false, ncIgnoreFalsePositive: false, ncIgnoreRiskAccepted: false])
}

Here is a sample Declarative Pipeline, which you can use instead of the Scripted Pipeline if you prefer, with Override API Token selected.

pipeline {
    agent any
    stages {
        stage('Hello') {
            steps {
                echo 'Hello World'
            }
        }
        stage('Netsparker Scan') {
            steps {
                // '$APITOKEN' refers to the APITOKEN parameter added to the Pipeline project
                step([$class: 'NCScanBuilder', ncApiToken: '$APITOKEN', ncScanType: 'FullWithPrimaryProfile', ncWebsiteId: 'ed9f04a4-d530-43b5-f837-a88f03f0b886', ncDoNotFail: true, ncConfirmed: false, ncIgnoreFalsePositive: false, ncIgnoreRiskAccepted: false])
            }
        }
    }
}

For further information about Declarative vs Scripted Pipeline, see Declarative versus Scripted Pipeline syntax.

  6. Navigate to your Pipeline project settings in Jenkins and paste your script in the script area. If the script does not set them, the Server URL and API Token are taken from the global settings.

Here is a sample Scripted Pipeline that wraps the step in a 'node' block and relies on the global Server URL and API Token:

node {
    // No ncApiToken here: the Server URL and API Token configured under
    // Manage Jenkins > Configure System are used.
    step([$class: 'NCScanBuilder', ncScanType: 'FullWithPrimaryProfile', ncWebsiteId: 'ed9f04a4-d530-43b5-f837-a88f03f0b886'])
}

Using Build Fail in Project

You can configure a project's Jenkins build to fail, and the scan to stop, when the scan detects a vulnerability of a chosen severity.

This can be configured using the Severity, Confirmed, False Positive, and Accepted Risk parameters.

  1. Scan Severity: With this option, you choose which severity will fail this build when found in a related scan. If you choose “DoNotFail”, the detected vulnerability does not affect your Jenkins build.

The options for Scan Severity are:

  • DoNotFail
  • Critical
  • High or above
  • Medium or above
  • Low or above
  • Best Practice or above
  2. Confirmed: With this option, you choose to fail this build when a vulnerability found in a related scan is confirmed.

For example, if you choose the Medium or above option from the Scan Severity drop-down and select the Is Confirmed checkbox, the build fails only if the vulnerability has medium or higher severity and that vulnerability is confirmed. Otherwise, the build continues.

  3. False Positive: With this option, you choose not to fail this Jenkins build when the scan identifies a vulnerability set as a False Positive.

For example, if you choose the Medium or above option from the Scan Severity drop-down and select the False Positive checkbox, the build will not fail if the vulnerability has medium or higher severity and that vulnerability is false positive. Otherwise, the build fails.

  4. Accepted Risk: With this option, you choose not to fail this Jenkins build when the scan identifies a vulnerability set as an Accepted Risk.

For example, if you choose the Medium or above option from the Scan Severity drop-down and select the Accepted Risk checkbox, the build will not fail if the vulnerability has medium or higher severity and that vulnerability is accepted risk. Otherwise, the build fails.
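The four options above combine into a single pass/fail decision for the build. The following Python model is an added example, not code from the plugin or from this page: it encodes the Scan Severity threshold and the Confirmed, False Positive and Accepted Risk rules exactly as described, runs them over a constructed set of findings, and reports which option combinations fail the build. The keyword arguments are snake_case versions of the step parameters seen in the Pipeline samples (ncConfirmed, ncIgnoreFalsePositive, ncIgnoreRiskAccepted); the Finding type, the severity ranking and the sample findings are assumptions made for this example.

```python
"""Build-gate decision logic modelled on the plugin's build-fail options.

Added example, not the plugin's own code: it reproduces the Scan Severity /
Confirmed / False Positive / Accepted Risk rules so you can check which option
combinations fail a build. Keyword arguments are snake_case forms of the step
parameters (ncConfirmed, ncIgnoreFalsePositive, ncIgnoreRiskAccepted); the
Finding type, the ranking and the sample findings are constructed for this example.
"""
from dataclasses import dataclass

# Severity ranking used for the "... or above" comparisons (higher = more severe).
SEVERITY_RANK = {"Best Practice": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Scan Severity drop-down values and the minimum rank that fails the build.
# None stands for DoNotFail: no finding fails the build.
SCAN_SEVERITY_THRESHOLD = {
    "DoNotFail": None,
    "Critical": SEVERITY_RANK["Critical"],
    "High or above": SEVERITY_RANK["High"],
    "Medium or above": SEVERITY_RANK["Medium"],
    "Low or above": SEVERITY_RANK["Low"],
    "Best Practice or above": SEVERITY_RANK["Best Practice"],
}


@dataclass(frozen=True)
class Finding:
    """One vulnerability from a scan and its triage state (constructed type)."""
    name: str
    severity: str
    confirmed: bool = False
    false_positive: bool = False
    risk_accepted: bool = False


def blocking_findings(findings, scan_severity, nc_confirmed=False,
                      nc_ignore_false_positive=False, nc_ignore_risk_accepted=False):
    """Return the findings that fail the build under the chosen options."""
    threshold = SCAN_SEVERITY_THRESHOLD[scan_severity]
    if threshold is None:
        return []  # DoNotFail: findings never affect the build
    blocking = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the selected severity
        if nc_confirmed and not f.confirmed:
            continue  # Confirmed ticked: unconfirmed findings do not count
        if nc_ignore_false_positive and f.false_positive:
            continue  # False Positive ticked: triaged false positives are exempt
        if nc_ignore_risk_accepted and f.risk_accepted:
            continue  # Accepted Risk ticked: accepted risks are exempt
        blocking.append(f)
    return blocking


def build_should_fail(findings, scan_severity, **options):
    """True when at least one finding passes every filter of the gate."""
    return bool(blocking_findings(findings, scan_severity, **options))


# Constructed sample scan result; names and triage states are illustrative only.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "Critical", confirmed=True),
    Finding("Reflected XSS", "High"),
    Finding("Version Disclosure", "Low", confirmed=True),
    Finding("Missing X-Frame-Options", "Medium", confirmed=True, risk_accepted=True),
    Finding("Possible CSRF", "Medium", false_positive=True),
]

if __name__ == "__main__":
    cases = [
        ("DoNotFail", {}),
        ("Medium or above", {}),
        ("Medium or above", {"nc_confirmed": True}),
        ("Medium or above", {"nc_ignore_false_positive": True, "nc_ignore_risk_accepted": True}),
        ("High or above", {"nc_confirmed": True}),
    ]
    for scan_severity, opts in cases:
        hits = [f.name for f in blocking_findings(SAMPLE_FINDINGS, scan_severity, **opts)]
        verdict = "FAIL" if hits else "pass"
        print(f"{scan_severity:<16} {str(opts):<72} -> {verdict} {hits}")
```

Running the script prints one line per option combination. Note that the filters work in opposite directions: Confirmed narrows the set that fails the build to confirmed findings, whereas False Positive and Accepted Risk exempt findings that have already been triaged, so ticking all three on a "Medium or above" threshold fails the build only for confirmed, untriaged findings of medium or higher severity.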

Viewing Netsparker Scan Results in Jenkins

When the build has been triggered, you can view the scan results in both Jenkins and Netsparker Enterprise.

For further information, see Scan Results Report.

How to View Netsparker Enterprise Reports in Jenkins
  1. Open Jenkins.
  2. From your project page, select a build from the Build History section. 
  3. From the menu, select Netsparker Enterprise Report.

Using Credentials

  1. Open Jenkins.
  2. From the main menu, select Manage Jenkins > Manage Credentials.
  3. On the Credentials page, select Jenkins, then Global Credentials (unrestricted).
  4. On the Global Credentials (unrestricted) page, select Add Credentials.
  5. Complete the fields as follows:
    • Kind: Username with password
    • Username: https://www.netsparkercloud.com (Server URL)
    • Password: Netsparker Enterprise API Token
    • Description: This description is shown in the Credentials drop-down when you configure the job. Entering something meaningful here helps to distinguish this credential from the others listed there.

Configuring the Jenkins Plugin to Support Multiple Netsparker Enterprise Users and Creating Folder Admin Permissions

Role-Based Strategy authorization is used to allow different users to have access to different folders.

This section follows closely the steps described in Cloudbees' Role-Based Authorization Strategy: Limit folder access article, explaining how to create folder-based admin roles. The end goal is that User1 will have access to Folder1 and User2 will have access to Folder2. Each user will be able to access only their projects in their folders using Netsparker Enterprise tokens.

  • The Netsparker Enterprise Jenkins plugin installs the plugins it requires, so no extra steps are needed there.
  • Here is an example to show how user access can be restricted to specific jobs at both the folder and subfolder level.
  • We created a main folder (Folder1) that contains two different subfolders Folder1/FolderA and Folder1/FolderB.
  • We also created two Freestyle projects, 'job1' and 'job2' in the folders Folder1/FolderA/job1 and Folder1/FolderB/job2 respectively.
  • The main folder name is 'Folder1'.
  • The sub-folder names are 'Folder1/FolderA' and 'Folder1/FolderB'.

After completing the configuration steps, it is good practice to ensure that users have the correct access to the correct folders as described above.

This table lists and explains the role settings used in this example.

User                 | Role           | Pattern
admin                | admin          |
Folder1              | Folder1View    | Folder1
Folder1_FolderA_user | Folder1FolderA | Folder1/FolderA.*
Folder1_FolderB_user | Folder1FolderB | Folder1/FolderB.*

There are three steps involved in completing the configuration:

  • Configuring Authorization and Managing Roles
  • Assigning Roles
  • Creating Credentials for Users

Configuring Authorization and Managing Roles

First, you need to configure authorization and roles in Jenkins.

How to Configure Authorization and Manage Roles
  1. Open Jenkins.
  2. Navigate to Manage Jenkins > Configure Global Security.
  3. From Authorization, select Role-Based Strategy. Select Save.
  4. Go to Manage Jenkins > Manage and Assign Roles > Manage Roles.
  5. Create the roles you need and save them.

Assigning Roles

Next, you need to assign the correct roles in Jenkins.

How to Assign Roles in Jenkins
  1. To assign roles, go to Manage Jenkins > Manage and Assign Roles > Assign Roles.
  2. Set the roles as follows:
    • Global roles:
      • Folder1_user should have GlobalRead
      • Folder1FolderA_user should have GlobalRead
      • Folder1FolderB_user should have GlobalRead

    • Item roles:
      • Folder1_user should have Folder1
      • Folder1FolderA_user should have Folder1FolderA
      • Folder1FolderB_user should have Folder1FolderB

Creating Credentials for User1 and User2

Finally, you need to create credentials for each user.

How to Create Credentials for Users
  1. Open Jenkins.
  2. Navigate to Jenkins > Folder1 > FolderA.
  3. From the main menu, select Credentials.
  4. In the Credentials section, select Folder1 > FolderA.
  5. Select Global credentials (unrestricted) > Add Credentials.
  6. Complete the following fields:
    • Kind: Username with password
    • Username: https://www.netsparkercloud.com (Server URL)
    • Password: User1’s Netsparker Enterprise API Token
    • Description: This description is shown in the Credentials drop-down when you configure the job. Entering something meaningful here helps to distinguish this credential from the others listed there.
  7. Select OK.
  8. Go to Jenkins > Folder1 > FolderB and repeat the steps for User2.

Configuring the Jenkins Plugin to Build Fail

The Jenkins plugin's build step offers two build-fail options:

  • Fail the build if scan contains: With this option, you choose which severity will fail this Jenkins build. If you choose “Do not fail the build”, the detected vulnerability will not affect your Jenkins build.
  • Stop the scan when build fails: With this option, if the build fails because of your selections, the scan will be canceled.
