Tinfoil Security

Tinfoil Security Plugin

Allows you to run web security tests from the cloud using Tinfoil Security.


Global Configuration

If you navigate to 'Manage Jenkins > Configure System', you should see a section labeled Tinfoil Security. Here, you'll be able to set your Tinfoil API keys, as well as optionally set a hostname of your Tinfoil Security installation if you are using the Tinfoil appliance and proxy information if needed.


First though, you'll need to get your API keys. To generate a set of API keys, log in to your Tinfoil Security account and navigate to https://www.tinfoilsecurity.com/add_ons. From there, you can select the checkbox to enable the Tinfoil API and create an API key. Make sure you create a 'Full Access' API key pair, since 'Read-Only' API keys cannot start scans. Keep in mind you won't see the actual values of your API keys until you've clicked 'Save'.

Then hit the 'add' button on the credentials line and select the context you want to add the credentials to ('Jenkins' is the default)


Choose the 'Username with password' kind and fill in your Access Key as the username and Secret Key as the password.


Per-Project Configuration

For each project in your Jenkins installation. You can configure a Tinfoil Security Post-build Action which allows you to specify a Tinfoil Site ID for the site you want to scan at the end of your Jenkins build.

To find your Site ID, you need to log in to your Tinfoil Security account and navigate to the settings panel for the site you want to scan. Underneath the site name and URL, you should see the auto-generated Site ID for that site.


To use the Tinfoil Security plugin, just run a build. When Jenkins performs the Tinfoil Security post-build action, you will see a message like this in your console output telling you everything is working.

Tinfoil Security scan started! Log in to https://www.tinfoilsecurity.com/sites to view its progress.


For support, please e-mail us at support@tinfoilsecurity.com


3.0 (Jul 9 2019)

  • (plus) Added support for the Tinfoil Security API Scanner.

2.0 (Jul 30 2018)

1.6 (Mar 1 2017)

  • (plus)  Add the ability to configure a proxy to access the Tinfoil Security service.

1.5 (Jul 1 2016)

  • (plus) API Access Key and API Secret Key can include environment variables, specified as ${VARIABLE} in the text fields.

1.4 (Mar 2 2016)

  • (plus) Reduced minimum Jenkins version to 1.479

1.3 (Nov 17 2015)

  • (error) Fixed an issue where the plugin refused to connect to Tinfoil hosts that use self-signed certificates.
  • (plus) Tinfoil hosts can now be configured per-project as well as globally.

1.2 (Oct 16 2015)

  • (plus) API Keys can now be configured per-project as well as globally.

1.1 (Oct 6 2015)

  • (plus) Added a global configuration to allow you to specify a root URL for your Tinfoil installation (if you are using the Tinfoil appliance).

1.0 (Oct 2 2015)

  • First release!

  • (plus) Allow you to run an asynchronous Tinfoil Security scan on your site as a post build action.