Probely Security Scanner

Probely Security Scanner Plugin

This plugin uses Probely to scan your web application for security vulnerabilities. It enables security testing in your CI/CD pipeline.

Probely is a Web Vulnerability Scanning suite for Agile Teams. It provides continuous scanning of your Web Applications and lets you efficiently manage the lifecycle of the vulnerabilities found. Some of its main features are:

  • Tests for more than 5000 vulnerabilities
  • Authenticated scanning
  • Tailored instructions on how to fix the vulnerabilities (including snippets of code)
  • API for every single feature
  • Jira and Slack integration
  • PCI-DSS and OWASP compliance reports
  • Designed for developers, easy to use, easy to understand.
  • Re-test vulnerabilities, define custom headers, multiple users, CVSS score, scheduling, and more.

Installing the plugin

Installing and setting up the plugin will take you less than 5 minutes.

  1. Open Jenkins and click on Manage Jenkins

Manage Jenkins

  2. Click on Manage Plugins

Manage Plugins

  3. Click on the Available tab

Available

  4. On the Filter search box, enter probely
  5. Select the Probely Security Scanner plugin
  6. Click on Download now and install after restart
  7. After Jenkins restarts, the plugin will be installed. Continue reading to set up the required Probely API key.

Generating an API key

Before using the plugin, you first need to create an API key for Jenkins to be able to start a scan with Probely.

On Probely Standard Version

  1. Go to https://app.probely.com and log in
  2. Select a target from the drop-down list
  3. Go to the Settings page
  4. Click on the Integrations tab
  5. Write a name for the API Key. Since we want this API Key for Jenkins, we name it Jenkins
  6. Click on Generate New Key

Creating an API key

After the API key is created, please take note of the Target ID and API key values. They will be required to configure the Plugin credentials later on.

On Probely Enterprise Version

  1. Go to https://plus.probely.app/ and log in
  2. Go to the Target tab and click on the target
  3. Click on the Settings button
  4. Click on the Integrations tab
  5. Write a name for the API Key. Since we want this API Key for Jenkins, we name it Jenkins
  6. Click on Generate New Key

Creating an API key

After the API key is created, please take note of the Target ID and API key values. They will be required to configure the Plugin credentials later on.

Configuring the plugin

The plugin can be used in both a Freestyle and a Pipeline project. We will describe how to use the plugin in both project types.

Configuring credentials

  1. Click on Credentials
  2. Click on the down arrow near (global) to enable the dropdown menu and choose Add credentials

Add Credentials

  3. On the Kind dropdown menu, choose Secret text
  4. Enter the API key in the Secret textbox
  5. Enter a value for the credentials in the ID textbox, for example probely-test-site
  6. Enter an optional Description and click OK

Add Secret

Using the plugin in a Freestyle project

Freestyle Jenkins projects have been traditionally used to create pipeline-like setups by chaining build steps together. To enable Probely in a Freestyle project, the following steps may be used.

  1. Click on New Item

New Item

  2. Enter your project name, choose Freestyle Project and click OK

Freestyle Project

  3. Add the Probely scan step

We assume that the other required build steps, such as checking out from your SCM and running tests, have already been configured.

  4. Add the Target ID, as defined in the Generating an API key step.
  5. Select the right credentials, which were configured in Configuring credentials. If the connection to Probely's API is working correctly, and the credentials are valid, you should see the message "Credentials verified successfully".
  6. Set additional scan options, if needed. Some examples: waiting for the scan to finish before moving on to the next step, and failing the build if vulnerabilities are found.
  7. When all steps are properly configured, click on Save

Probely step

Using the plugin in a Pipeline project

Pipeline projects are the new way to create build/test/deploy (and more) pipelines in Jenkins. Pipelines are defined in a Jenkinsfile, which can be written in the older imperative (scripted) syntax or in the more modern declarative syntax. We describe how to use Probely with a declarative Jenkinsfile to build a simple build/test/scan Pipeline.

  1. Click on New Item

New Item

  2. Enter your project name, choose Pipeline Project and click OK

Pipeline

  3. Create a Jenkinsfile

We assume that the step to check out source code from your SCM is properly configured. The following Jenkinsfile may be used as an example to add Probely to your pipeline. It should be placed in the root of your source code repository. This pipeline consists of a hypothetical Java project, built with Gradle, with two stages: one running unit tests and the other launching a scan with Probely. Note that the targetId and credentialsId values refer to the Target ID and the credentials configured previously.

pipeline {
    agent {
        docker {
            image 'maven:3-alpine'
        }
    }
    stages {
        stage('Unit tests') {
            steps {
                sh './gradlew check'
            }
        }
        stage('Scan with Probely') {
            steps {
                // waitForScan: wait for the scan to finish before continuing;
                // stopIfFailed / failThreshold: fail the build if vulnerabilities are found
                probelyScan targetId: '9nl6yy0TWWKv', credentialsId: 'probely-test-site', waitForScan: true, stopIfFailed: true, failThreshold: 'medium'
            }
        }
    }
}

Note: if you already have a mechanism to securely store credentials (such as HashiCorp's Vault), you can pass the API Key value directly to the plugin, using the authToken parameter, as opposed to credentialsId.

  4. Configure Jenkins to use the Jenkinsfile in your repository

Pipeline using Jenkinsfile
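As an added example (not part of the plugin's own documentation), the following declarative Jenkinsfile shows the authToken alternative mentioned in the note above: the API key is read from a Jenkins Secret text credential with withCredentials, which masks it in the console log and scopes it to the scan stage, and is handed to probelyScan as authToken rather than credentialsId. The credential ID probely-api-key, the branch name main and the Target ID placeholder are assumptions.

```groovy
// Added example, not from the plugin or Probely. Assumes a Jenkins "Secret text"
// credential with ID 'probely-api-key' holds the Probely API key, and that the
// Target ID below is replaced with the value shown on the target's Integrations tab.
pipeline {
    agent any
    stages {
        stage('Unit tests') {
            steps {
                sh './gradlew check'
            }
        }
        stage('Scan with Probely') {
            // Only scan from the main branch so every feature branch does not queue a scan
            when { branch 'main' }
            steps {
                // withCredentials masks PROBELY_TOKEN in the build log and makes it available
                // only inside this block; any other secret store that yields the key as a
                // variable (for example HashiCorp Vault) can feed authToken the same way.
                withCredentials([string(credentialsId: 'probely-api-key', variable: 'PROBELY_TOKEN')]) {
                    probelyScan targetId: 'YOUR_TARGET_ID',   // placeholder
                                authToken: env.PROBELY_TOKEN,
                                waitForScan: true,
                                stopIfFailed: true,
                                failThreshold: 'medium'
                }
            }
        }
    }
    post {
        failure {
            // Reached when an earlier stage failed or when Probely found vulnerabilities
            // that trip the configured threshold
            echo 'Build failed: check the Unit tests and Scan with Probely stages.'
        }
    }
}
```

Because the token never appears as a literal in the Jenkinsfile, the file can be committed to the repository alongside the rest of the source.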

Building and Contributing

Contributions are very welcome. To build the plugin, be sure to install the Java Development Kit (JDK) 1.8 and Maven.

A minimal example of how to build and run the plugin on Ubuntu Linux follows. It will also build on macOS and Windows, provided you have the required packages installed. After running the commands below, you will have a test Jenkins instance running with the plugin.

sudo apt install openjdk-8-jdk maven
git clone https://github.com/jenkinsci/probely-security-plugin.git
cd probely-security-plugin
mvn clean verify
mvn hpi:run