The Qualys API Security Plugin for Jenkins empowers you to assess API in your existing CI/CD processes with the help of Qualys API Security module. Integrating this assessment step will help you catch and eliminate API related flaws. This plugin supports pipeline as well as free-style projects.
How this plugin works
When the plugin step starts, it uploads your swagger file to Qualys API Security module. Qualys API Security module quickly analyzes it and responds with issues and Grade score. If you have configured any pass/fail criteria, the plugin evaluates the response against that. If it finds something is not matching your criteria, it will fail your build. Otherwise, your build job proceeds to next step (if any).
How to use this plugin
- A valid API Token generated using Qualys API Security registration page - https://qualysguard.qg3.apps.qualys.com/apisec-api/register.html
Where to use this plugin step
We recommend using this plugin step during "Build" phase of your job, right after you checkout your source code.
If you are using pipeline, you should go to "Pipeline Syntax", and select
qualysAPIStaticAssessment step. If you are using freestyle, you should add
Perform API Security Assessment with Qualys build step.
A form appears with several input fields. Now you are ready to configure the plugin.
Token and Swagger File Path
- Enter the token received after free registration in 'Your API Token' text area .
- If you need proxy to communicate to the Internet, set correct proxy settings.
- In "Swagger file path" field, provide path to your swagger/OpenAPI file relative to Jenkins' workspace directory for your project.
You can optionally fail the build based on score or issue severity.
- If you want to fail the build based on score, tick the checkbox for "Fail with score less than" and configure minimum score acceptable to you. If score is below your input value, plugin will fail the build.
- If you want to fail the build based on Security, OAS Violation or Data Validation, tick the appropriate checkbox and configure acceptable count of issues and the respective severity level. Fail the build if issue count is greater than the configured count for the selected severity level(or above).
Generate Pipeline Script (for pipeline project only)
If you are configuring pipeline project, click the
Generate Pipeline Script button. It will give you a command which you can copy and paste in your project's pipeline script.