
This plugin provides a simple integration of the Arachni Security Scanner into your Jenkins jobs. Communication goes through the REST API of the Arachni Security Scanner, so a running Arachni REST Server is a prerequisite.

Features:

  • Starts a new scan on an Arachni Server
  • Monitors the scan status every 5 seconds
  • Downloads the HTML scan report from Arachni Server
  • Scope of the scan is configurable
  • Supports Basic Authentication
  • Pipeline compatibility

Configuration and usage

First, configure the URL of your Arachni REST Server on the Jenkins system configuration page.

If your Arachni Server is secured with Basic Authentication, select the credentials from the Credentials plugin.

In your job configuration, select the Arachni Scanner build step and enter the URL of the site you want to scan. Leave the Checks field blank (or enter a *) to run all checks, or specify a comma-separated list of the checks to use. Since a scan can sometimes take very long, you have the option to specify a scope.

To get full control over the scan configuration, check 'Use configuration file' and enter the name of your own configuration file. In the file you can use the full parameter set of Arachni. The settings from the file are merged with the field settings; if the same parameter is specified both in the fields and in the configuration file, the setting from the file wins.

See the Wiki page of the Arachni Security Scanner for more information.

While the job is running, the plugin writes the scan status to the console log every 5 seconds until the scan ends. If you abort the job, the scan on the Arachni Server is aborted as well. Finally, the HTML scan report is downloaded from the server and stored in the workspace under the filename arachni-report-html.zip.

Pipeline

Below you find a simple pipeline script that configures the Arachni Scanner Plugin.

pipeline {
   agent any
   stages {
      stage('Scanning') {
         steps {
            arachniScanner checks: '*', scope: [pageLimit: 3], url: 'http://foo:8080', userConfig: [filename: 'myConfiguration.json'], format: 'json'
         }
      }
   }
}
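The build step above and the usage section describe one workflow: start a scan on the REST server, poll its status every 5 seconds, abort the server-side scan if the job is aborted, and download the report, with field settings merged against an optional configuration file in which the file wins. The following Python client is an added example and not the plugin's own code: the REST paths it uses (POST /scans, GET /scans/<id>, GET /scans/<id>/report.html.zip, DELETE /scans/<id>) are assumptions drawn from the public Arachni REST API documentation rather than from this page, the key-by-key merge of nested sections such as scope is an assumed reading of "parameter", and the check names, configuration file and in-memory server are constructed so it runs offline.

```python
import json
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

# Scan states after which the plugin-style polling loop stops (assumed from the Arachni REST API docs).
TERMINAL_STATES = {"done", "aborted", "timed_out"}


def merge_scan_options(field_settings: Dict[str, Any], file_settings: Dict[str, Any]) -> Dict[str, Any]:
    """Merge build-step field settings with a configuration file; on a clash the file wins.
    Nested dicts (e.g. 'scope') are merged key by key, an assumption about how fine-grained
    'parameter' is; the page only states that the file setting wins."""
    merged = dict(field_settings)
    for key, value in file_settings.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_scan_options(merged[key], value)
        else:
            merged[key] = value
    return merged


def build_scan_options(url: str, checks: str = "*", page_limit: Optional[int] = None,
                       exclude_path_patterns: Optional[List[str]] = None,
                       config_file_text: Optional[str] = None) -> Dict[str, Any]:
    """Translate the build-step fields into a scan request body, then apply the config file."""
    fields: Dict[str, Any] = {"url": url}
    # A blank Checks field or '*' means all checks; otherwise a comma-separated list.
    fields["checks"] = ["*"] if checks.strip() in ("", "*") else [c.strip() for c in checks.split(",") if c.strip()]
    scope: Dict[str, Any] = {}
    if page_limit is not None:
        scope["page_limit"] = page_limit
    if exclude_path_patterns:
        scope["exclude_path_patterns"] = list(exclude_path_patterns)
    if scope:
        fields["scope"] = scope
    return merge_scan_options(fields, json.loads(config_file_text) if config_file_text else {})


class ArachniScanClient:
    """Start / poll / download / abort against an Arachni REST server (endpoint paths assumed).
    `send(method, path, json_body)` must return (http_status, response_bytes)."""

    def __init__(self, send: Callable[[str, str, Optional[Dict[str, Any]]], Tuple[int, bytes]],
                 poll_interval: float = 5.0, sleep: Callable[[float], None] = time.sleep) -> None:
        self._send, self._poll_interval, self._sleep = send, poll_interval, sleep

    def _call(self, method: str, path: str, body: Optional[Dict[str, Any]] = None) -> bytes:
        code, data = self._send(method, path, body)
        if code != 200:
            raise RuntimeError(f"{method} {path} failed with HTTP {code}")
        return data

    def start(self, options: Dict[str, Any]) -> str:
        return json.loads(self._call("POST", "/scans", options))["id"]

    def status(self, scan_id: str) -> str:
        return json.loads(self._call("GET", f"/scans/{scan_id}"))["status"]

    def abort(self, scan_id: str) -> None:
        self._call("DELETE", f"/scans/{scan_id}")

    def report(self, scan_id: str, fmt: str = "html") -> bytes:
        return self._call("GET", f"/scans/{scan_id}/report.{fmt}.zip")

    def run(self, options: Dict[str, Any], log=print) -> Tuple[str, List[str], bytes]:
        """Poll until a terminal state, abort the server-side scan if the job is interrupted,
        then fetch the zipped report (the plugin stores it as arachni-report-html.zip)."""
        scan_id, seen = self.start(options), []
        try:
            while True:
                state = self.status(scan_id)
                seen.append(state)
                log(f"scan {scan_id}: {state}")
                if state in TERMINAL_STATES:
                    break
                self._sleep(self._poll_interval)
        except KeyboardInterrupt:
            self.abort(scan_id)  # an aborted job aborts the scan on the server, as the plugin does
            raise
        return scan_id, seen, self.report(scan_id)


class FakeArachniServer:
    """Constructed in-memory stand-in so the example runs offline; not Arachni itself."""

    def __init__(self, states=("preparing", "scanning", "done")) -> None:
        self.states, self.received_options, self.aborted, self._polls = list(states), None, False, 0

    def send(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Tuple[int, bytes]:
        if method == "POST" and path == "/scans":
            self.received_options = body
            return 200, json.dumps({"id": "scan-1"}).encode()
        if method == "GET" and path == "/scans/scan-1":
            state = self.states[min(self._polls, len(self.states) - 1)]
            self._polls += 1
            return 200, json.dumps({"status": state}).encode()
        if method == "DELETE" and path == "/scans/scan-1":
            self.aborted = True
            return 200, b"{}"
        if method == "GET" and path == "/scans/scan-1/report.html.zip":
            return 200, b"PK\x03\x04constructed-report"
        return 404, b""


def demo() -> Tuple[Dict[str, Any], List[str], bytes, List[float]]:
    """Field page_limit 3 vs. file page_limit 10: the file wins; the scan is polled to completion."""
    config_file = json.dumps({"scope": {"page_limit": 10}, "http": {"user_agent": "jenkins-scan"}})
    options = build_scan_options("http://foo:8080", checks="xss, sql_injection", page_limit=3,
                                 config_file_text=config_file)
    server, sleeps = FakeArachniServer(), []
    client = ArachniScanClient(server.send, poll_interval=5.0, sleep=sleeps.append)
    _, states, report = client.run(options, log=lambda _m: None)
    return options, states, report, sleeps


def demo_abort() -> bool:
    """Interrupting the job while polling must abort the scan on the server."""
    server = FakeArachniServer()

    def interrupt(_seconds: float) -> None:
        raise KeyboardInterrupt

    try:
        ArachniScanClient(server.send, sleep=interrupt).run({"url": "http://foo:8080"}, log=lambda _m: None)
    except KeyboardInterrupt:
        pass
    return server.aborted


if __name__ == "__main__":
    print(demo())
    print("aborted on server:", demo_abort())
```

The sleep function is injected so the 5-second cadence can be observed without waiting; swapping `FakeArachniServer.send` for a real HTTP transport (with Basic Authentication headers where the server requires them) is all that changes for a live server.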


Release history:
  • 1.0.0
    • Credentials plugin is used to store username and password. Values from older configurations will be migrated.
  • 0.9.7
    • Supports more report formats (html, json, xml, yaml)
  • 0.9.6
    • Bugfix: Fix a problem for Jenkins versions newer than 2.107.1 (JEP-200)
  • 0.9.5
    • Support configuration files
  • 0.9.4
    • Support to specify checks
    • Support pipeline

3 Comments

  1. Unknown User (gigos85)

    Hi,

    The plugin is easy to install and configure, but I have a few questions/suggestions (except if I missed something):

    No specific parameters are sent to the Arachni REST server (except "Page limit" and "Exclude path pattern"), so I guess the default profile is used (https://github.com/Arachni/arachni/wiki/REST-API#perform-a-new-scan). As you can see, there is no check in the default profile and no vulnerability can be found on the target web application: the web application is only crawled.

    Can we specify a profile (.json format) with this plugin? It's important to have the possibility to disable/enable some features like plugins (auto-login plugin or script-login), checks and platform fingerprinting, for example.

    Another thing. This plugin allows users to download the HTML report after the scan is finished. Can we also have the possibility to download the afr report (afr for Arachni Framework Report)? The afr is only available with Arachni 2.0 dev (nightly) and it allows uploading it to the Arachni web interface.

    Any idea for pipeline-as-code compatibility?


    Regards,

    1. Unknown User (irissmann)

      Hi,

      The new version 0.9.4 supports pipeline compatibility and you can specify checks. New features will follow soon. Feedback and ideas are welcome.

    2. Unknown User (irissmann)

      Hi,

      Since version 0.9.5 you can specify a configuration file in .json format with the whole bandwidth of Arachni parameters.

      Best regards,
      Ingo