This plugin uses Probely to scan your web application for security vulnerabilities. It enables security testing in your CI/CD pipeline.
Probely is a Web Vulnerability Scanning suite for Agile Teams. It provides continuous scanning of your Web Applications and lets you efficiently manage the lifecycle of the vulnerabilities found. Some of its main features are:
- Tests for more than 5000 vulnerabilities
- Authenticated scanning
- Tailored instructions on how to fix the vulnerabilities (including snippets of code)
- API for every single feature
- Jira and Slack integration
- PCI-DSS and OWASP compliance reports
- Designed for developers, easy to use, easy to understand.
- Re-test vulnerabilities, define custom headers, multiple users, CVSS score, scheduling, and more.
Installing and setting up the plugin will take you less than 5 minutes.
- Open Jenkins and click on Manage Jenkins
- Click on Manage Plugins
- Click on the Available tab
- On the Filter search box, enter probely
- Select the Probely Security Scanner plugin
- Click on Download now and install after restart
- After Jenkins restarts, the plugin will be installed. Continue reading to set up the required Probely API key.
Before using the plugin, you first need to create an API key for Jenkins to be able to start a scan with Probely.
- Go to https://app.probely.com and log in
- Select a target from the drop-down list
- Go to the Settings page
- Click on the Integrations tab
- Write a name for the API Key. Since we want this API Key for Jenkins, we name it Jenkins
- Click on Generate New Key
After the API key is created, please take note of the Target ID and API key values. They will be required to configure the plugin credentials later on.
- Go to https://plus.probely.app/ and log in
- Go to the Target tab and click on the target
- Click on the Settings button
- Click on the Integrations tab
- Write a name for the API Key. Since we want this API Key for Jenkins, we name it Jenkins
- Click on Generate New Key
After the API key is created, please take note of the Target ID and API key values. They will be required to configure the plugin credentials later on.
The plugin can be used both in a Freestyle and in a Pipeline project. We describe how to use the plugin in both project types.
- Click on Credentials
- Click on the down arrow near (global) to enable the dropdown menu and choose Add credentials
- On the Kind dropdown menu, choose Secret text
- Enter the API key in the Secret textbox
- Enter a value for the credentials in the ID textbox, for example probely-test-site
- Enter an optional Description and click OK
Freestyle Jenkins projects have been traditionally used to create pipeline-like setups by chaining build steps together. To enable Probely in a Freestyle project, the following steps may be used.
- Click on New Item
- Enter your project name, choose Freestyle Project and click OK
- Add Probely scan step
We assume that all required steps have been properly configured, such as checking out from your SCM, testing, among others.
- Add the Target ID, as defined in the Generating an API key step.
- Select the right credentials, which were configured in Configuring credentials. If the connection to Probely's API is working correctly and the credentials are valid, you should see the message "Credentials verified successfully".
- Set additional scan options, if needed. Some examples: waiting for the scan to finish before moving on to the next step, and failing the build if vulnerabilities are found.
- When all steps are properly configured, click on Save
Pipeline projects are the new way to create build/test/deploy (and more) pipelines in Jenkins. Pipelines are defined in a Jenkinsfile, which can be written in an older imperative syntax or in a more modern declarative syntax. We describe how to use Probely with a declarative Jenkinsfile to build a simple build/test/scan Pipeline.
- Click on New Item
- Enter your project name, choose Pipeline Project and click OK
- Create a Jenkinsfile
We assume that the step to check out source code from your SCM is properly configured. The following Jenkinsfile may be used as an example to add Probely to your pipeline. It should be placed in the root of your source code repository. This pipeline consists of a hypothetical Java project, built with Gradle, with two stages: one running unit tests and the other launching a scan with Probely. Note that the targetId and credentialsId values refer to the Target ID and the credentials configured previously.
```groovy
pipeline {
    agent {
        docker {
            image 'maven:3-alpine'
        }
    }
    stages {
        stage('Unit tests') {
            steps {
                // The Gradle wrapper in the repository runs the project's unit tests
                sh './gradlew check'
            }
        }
        stage('Scan with Probely') {
            steps {
                // targetId: the Target ID noted when the API key was generated
                // credentialsId: the Secret text credential holding the API key
                // waitForScan: block this stage until the scan has finished
                // stopIfFailed + failThreshold: fail the build on findings of 'medium' severity or higher
                probelyScan targetId: '9nl6yy0TWWKv', credentialsId: 'probely-test-site', waitForScan: true, stopIfFailed: true, failThreshold: 'medium'
            }
        }
    }
}
```
Note: if you already have a mechanism to securely store credentials (such as HashiCorp's Vault), you can pass the API Key value directly to the plugin using the authToken parameter, as opposed to credentialsId.
- Configure Jenkins to use the Jenkins file on your repository
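The following Jenkinsfile is an added example, not part of the plugin's own documentation, showing the authToken alternative described in the note above without placing the API key as a literal in source control: the key is bound to an environment variable only for the duration of the scan step, and Jenkins masks it in the console log. The credential ID probely-api-key and the variable name PROBELY_API_KEY are assumptions; the Target ID is the one used on this page.

```groovy
pipeline {
    agent {
        docker {
            image 'maven:3-alpine'
        }
    }
    environment {
        // Target ID taken from the page's example; replace with your own
        PROBELY_TARGET = '9nl6yy0TWWKv'
    }
    stages {
        stage('Unit tests') {
            steps {
                sh './gradlew check'
            }
        }
        stage('Scan with Probely') {
            steps {
                // Hypothetical credential ID 'probely-api-key': a Secret text entry holding the Probely API key.
                // withCredentials exposes it as PROBELY_API_KEY only inside this block and masks it in the build log,
                // so the key never appears in the Jenkinsfile or in the console output.
                withCredentials([string(credentialsId: 'probely-api-key', variable: 'PROBELY_API_KEY')]) {
                    probelyScan targetId: env.PROBELY_TARGET,
                                authToken: env.PROBELY_API_KEY,
                                waitForScan: true,
                                stopIfFailed: true,
                                failThreshold: 'medium'
                }
            }
        }
    }
    post {
        failure {
            // Reached when unit tests fail or when the scan reports findings at or above failThreshold
            echo 'Build failed: review the unit test results and the Probely scan report before retrying'
        }
    }
}
```

The same binding pattern applies whenever the key is fetched from an external store at build time: keep the value in a bound variable that is scoped to the scan step, rather than echoing it or writing it to the workspace.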
Contributions are very welcome. To build the plugin, be sure to install the Java Development Kit (JDK) 1.8 and Maven.
A minimal example on how to build and run the plugin on Ubuntu Linux follows. It will also build on macOS and Windows, provided you have the required packages installed. After running the commands below, you will have a test Jenkins instance running with the plugin.
```shell
# Install a JDK and Maven (package names for Ubuntu)
sudo apt install openjdk-11-jdk-headless maven
# Fetch the plugin sources
git clone https://github.com/jenkinsci/probely-security-plugin.git
cd probely-security-plugin
# Compile, run the tests and package the plugin (.hpi)
mvn clean verify
# Start a local test Jenkins instance with the plugin installed
mvn hpi:run
```