
Version History

version 2.8

  •  Fixed a NullPointerException when using "IncludeURLs" in the advanced section

version 2.7

  •  Fixed the required Jenkins core version
  •  Removed an unnecessary dependency

version 2.6

  •  Fixed pipeline support and added respective how-to at the bottom of this page

Project Description

The purpose of this plugin is to allow Jenkins to perform dynamic analysis with IBM AppScan Standard with minimal configuration.

Requirements

  • AppScan Standard installed with a valid license on a node (slave) or on the master.

Plugin Setup

To download and install the AppScan Standard plugin, go to Manage Jenkins and then to Manage Plugins:

  • Select the Available Plugins tab
  • Search for AppScan Standard
  • Select and install.

Plugin Configuration

  1. From the Jenkins homepage, click Manage Jenkins and then Global Tool Configuration (Configure System in older Jenkins versions)
  2. Scroll down the page and locate the section titled AppScan Standard
  3. Click Add AppScan Standard
  4. Fill out the AppScan Standard form:
    1. AppScan Source Name: A name for this instance of AppScan Standard. This is just to help manage environments that may have multiple installations.
    2. AppScan Standard Installation Directory: The path to the installation directory. Note: the default value is C:\Program Files (x86)\IBM\AppScanSource
  5. Scroll to the bottom, locate the section titled AppScan Source Configuration and fill out the form:
    1. AppScan Enterprise Hostname/Domain Name: The host name of your AppScan Enterprise server
    2. Login Token File Path: This is the path to the login token generated above. Default path is C:\Users\{user}\.ounce\ouncecli.token
  6. Click Save

Using the plugin

  1. Create a new job or access an existing job
  2. Select "Configure"
  3. Select "Add build step" and select "Run AppScan Standard"
  4. Complete the fields that appear:
    1. AppScan Source installation: shows the name you provided for the installation on the global configuration screen. If you have not added an installation, go to the Global Tool Configuration link under Manage Jenkins (Configure System in older Jenkins versions). If you only have one installation configured, it is selected for you. If you plan to execute AppScan Standard on multiple Jenkins nodes, you may need to configure multiple installation paths.
    2. Disable scan should be unchecked if you wish the scan to run.
    3. Accept SSL Errors should be checked if you have not created a trusted certificate for your AppScan Source installation. In an enterprise environment this should not be checked, since you should be using a trusted certificate.
    4. Scan Workspace Directory is where scan artifacts, like WAFL and staging files, will be placed. Scan results (.ozasmt file) will also be placed in this directory.
    5. Application file should point to a PAF or SLN file to scan.
    6. Starting URL is the URL from which AppScan Standard runs its spiders to compile the list of URIs to scan.
    7. Authenticated Scan scans the website logged in as the provided account; this gives better scan coverage.
      1. Recorded Login Sequence uses a recorded login sequence (you must generate it with AppScan Standard beforehand) to log in.
      2. Form Based Authentication tries to log in automatically using the credentials provided; this method may fail depending on your website's authentication configuration.
    8. Generate Report generates and saves a report with the vulnerabilities found by AppScan Standard.
      1. Report Title: the generated report is saved under this title.
      2. HTML Report saves the report in HTML format.
      3. PDF saves the report in PDF format.
        1. You can save both formats in one run.
    9. Advanced configurations that can be applied to the scan:
      1. Include URLs for Scanning allows you to manually include URLs for scanning in case the spiders miss them.
      2. Test Policy File Path uses the specified test policy instead of the default options.
      3. Additional Commands can be used to pass options available in the command line interface that are not exposed in the plugin's graphical user interface.
    10. If you need help filling in any field, check the help description by pressing the ? icon.
  5. Click Save at the bottom
  6. Run the job.


This version of the plugin was tested with Jenkins 1.651.1 and IBM Security AppScan Source 9.0.3. The plugin should work with any version of AppScan Source 9.0.0 or newer.


Support automated publishing of scan results to AppScan Enterprise.


Execute application scans with IBM Security AppScan Source


Using Nodes to run AppScan Standard Plugin

If you have AppScan Standard installed on a node, you must configure the build to run on that node so that the plugin can reach the installation.

First you must set that machine up as a node (slave); you can follow this guide to do so.

Afterwards you can use the Node and Label Parameter Plugin; following the guide provided in its wiki, achieving this should be straightforward.

Setting a parameter on the build would look something like the image below.

Using HTML Publisher Plugin with AppScan Standard Plugin

To take full advantage of this plugin, you may want to combine it with the HTML Publisher Plugin.

If you already have HTML Publisher installed, this can be achieved in 2 simple steps:

  1. Select Generate a Report, insert a Report Title and check HTML Report
  2. In the Post-build Actions add Publish HTML reports, press Add and fill it in to match the settings from the AppScan Standard Plugin (the report title must match Index page[s])

When the build completes you will have a new item on the job's page; press it to access the report generated by AppScan Standard.

The expected result should be similar to the image below if you allow CSS in Jenkins. If you only see text, CSS is most likely blocked (the default setting); this link explains how to change that option.

If you change the CSS options, they won't be applied to the current report; you must re-run the build/scan.

Running AppScan Standard in a Pipeline

  1. Navigate to "Pipeline Syntax" (follow a, b or c below)
    1. (create a pipeline job and save it; the link will be in the left side menu)
    2. (navigate to an existing pipeline job; the link will be in the left side menu)
    3. (navigate to http://JENKINS-URL-HERE/pipeline-syntax/)
  2. In "Steps" find "step: General Build Step"
  3. In "Build Step" find "Run AppScan Standard"
  4. Configure the AppScan Standard plugin as usual
  5. Press "Generate Pipeline Script" and copy the resulting script
  6. Paste the script into your pipeline inside a node

The end result looks like the image below.

A resulting script looks something like the one below; you can use it as your starting point.

stage ('Run AppScan Standard') {
    node {
        // Parameters are generated by the Pipeline Syntax snippet generator; empty strings mean "not set"
        step([$class: 'AppScanStandardBuilder', additionalCommands: '', authScanPw: '',
             authScanUser: '', includeURLS: '', installation: 'AppScan Standard Default',
             pathRecordedLoginSequence: '', policyFile: '', reportName: '', startingURL: ''])
    }
}
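The following scripted pipeline is an added example, not code from the plugin's page or the generated snippet: it ties together the node, authenticated-scan and HTML Publisher sections above by pinning the stage to the node that has AppScan Standard installed, pulling the scan account from the Jenkins credential store instead of the Jenkinsfile, and publishing the generated HTML report. The node label `appscan-standard`, the credential id `appscan-scan-account`, the staging URL and the report directory `appscan-reports` are assumptions for your own environment; it also assumes the HTML Publisher and Credentials Binding plugins are installed.

```groovy
// Added example: a scripted pipeline stage for the AppScan Standard plugin.
// Assumed values (not from the plugin's documentation): the node label, the
// credential id, the target URL and the report directory.
stage('Run AppScan Standard') {
    // Run only on the node where AppScan Standard is installed and licensed,
    // so the plugin can reach the installation configured in Global Tool Configuration.
    node('appscan-standard') {
        // Keep the scan account out of the Jenkinsfile: bind a username/password
        // credential (assumed id 'appscan-scan-account') to environment variables.
        withCredentials([usernamePassword(credentialsId: 'appscan-scan-account',
                                          usernameVariable: 'SCAN_USER',
                                          passwordVariable: 'SCAN_PW')]) {
            step([$class: 'AppScanStandardBuilder',
                  installation: 'AppScan Standard Default',   // name given in Global Tool Configuration
                  startingURL: 'https://staging.example.test/', // assumed staging target
                  // URLs the spider may miss (advanced section), one per line
                  includeURLS: 'https://staging.example.test/account/settings',
                  authScanUser: SCAN_USER,                     // form-based authentication
                  authScanPw: SCAN_PW,
                  pathRecordedLoginSequence: '',               // or use a recorded login sequence instead
                  policyFile: '',                              // default test policy
                  reportName: 'AppScan Standard Report',       // report title, reused below
                  additionalCommands: ''])
        }

        // HTML Publisher plugin: the index page must match the report title chosen above.
        // 'appscan-reports' is an assumed directory relative to the workspace.
        publishHTML(target: [
            allowMissing: false,            // fail loudly if the scan produced no report
            alwaysLinkToLastBuild: true,
            keepAll: true,                  // keep one report per build for trend review
            reportDir: 'appscan-reports',
            reportFiles: 'AppScan Standard Report.html',
            reportName: 'AppScan Standard Report'
        ])
    }
}
```

Remember that the published report only renders with CSS if the Jenkins CSS option described above has been changed, and the change applies to reports produced after it.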

Scheduled Tasks for version 2.9

  • Implement Quality Gate support for AppScan Standard (fail the build based on a percentage of errors)


Version 2.8 of this plugin is compatible with:

  • Jenkins 2.0 and newer
  • IBM Security AppScan Standard 9.0.3.x