Dastardly
Integrating Dastardly with Jenkins
-
Last updated: January 29, 2024
-
Read time: 2 Minutes
You can integrate Dastardly with Jenkins. This enables you to run Dastardly web vulnerability scans as a stage in your existing CI/CD pipeline.
This page contains instructions on how to integrate Dastardly with a simple (example) Jenkins CI/CD pipeline. These instructions have been tested with Jenkins 2.361.2.
Jenkins server requirements
Your Jenkins server or build node must have Docker installed.
No plugins beyond the Jenkins defaults are required to run Dastardly in a Jenkins CI/CD pipeline.
For information on the machine specification required to run Dastardly scans, see the Dastardly system requirements.
Configuring the Jenkins pipeline
-
From the Jenkins Dashboard, click New Item.
-
Enter an item name for your pipeline, click Pipeline, then click OK.
-
You can give your pipeline a Description.
-
From the side menu, click Pipeline.
-
From the Definition drop down, select Pipeline script from SCM.
-
Configure the Pipeline section to point to a
Jenkinsfile
in your code repository. You must include any credentials used to access the repository. -
Click Save.
Creating the Jenkinsfile
Create a Jenkinsfile
in the corresponding location in your code repository. Add the following content to the file:
// Jenkinsfile (Declarative Pipeline) for integration of Dastardly, from Burp Suite.
pipeline {
agent any
stages {
stage ("Docker Pull Dastardly from Burp Suite container image") {
steps {
sh 'docker pull public.ecr.aws/portswigger/dastardly:latest'
}
}
stage ("Docker run Dastardly from Burp Suite Scan") {
steps {
cleanWs()
sh '''
docker run --user $(id -u) -v ${WORKSPACE}:${WORKSPACE}:rw \
-e BURP_START_URL=https://ginandjuice.shop/ \
-e BURP_REPORT_FILE_PATH=${WORKSPACE}/dastardly-report.xml \
public.ecr.aws/portswigger/dastardly:latest
'''
}
}
}
post {
always {
junit testResults: 'dastardly-report.xml', skipPublishingChecks: true
}
}
}
Note
You can set BURP_START_URL
to a seed URL for any application you want to scan.
In this example, BURP_START_URL
is set to https://ginandjuice.shop/
- this is a deliberately vulnerable web application designed for testing web vulnerability scanners.
The next time your pipeline runs, Dastardly will scan the application you have set under BURP_START_URL
.
Viewing Dastardly scan results in Jenkins
-
Run your Jenkins pipeline containing Dastardly, and allow the scan to complete. Scans run for a maximum of ten minutes.
-
Access the scan results by clicking the most recent build under Build History.
-
Click Test Result. Here you can see any failed tests. See more details of a failed test by clicking it.
Remediation advice
You can see remediation advice for security issues that Dastardly finds under Stacktrace. This includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.
Evidence
You can see evidence for security issues that Dastardly finds under Stacktrace. This evidence includes the request sent by Dastardly to produce the issue, as well as the response sent by the application.