Integration of Acunetix with GitHub for CI / CD

You can integrate your Acunetix Premium account with GitHub for issue management and CI / CD purposes. This article shows how to set up your GitHub account and how to integrate it with Acunetix Premium for CI / CD. If you want to know how to integrate GitHub for issue management, read the article Step by step configuration with GitHub.

Integrating Acunetix with GitHub for continuous integration and deployment is a 2-step process:

Step 1: Prepare your Acunetix target information

  • Log into your Acunetix installation.
  • Go to your list of targets and click on the target you want to work with.
  • Get the target ID from the URL.
  • Go to your Profile page and get your API key.

Step 2: Configure GitHub to integrate with Acunetix

  • Log into your GitHub account.
  • Go to your repository list and click on the repository you want to work with.
  • Click on the Actions button.
  • Click on the set up a workflow yourself link.
  • This will require you to create a YAML file; edit this file to have the following content:
name: CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger Acunetix Scan
        run: |
          curl -k -i --request POST --url "https://online.acunetix.com/api/v1/scans" --header "X-Auth: [API KEY]" --header "content-type: application/json" --data '{"profile_id":"11111111-1111-1111-1111-111111111111", "schedule":{"disable":false,"start_date":null,"time_sensitive":false}, "user_authorized_to_scan":"yes", "target_id":"[Target ID]"}'
  • Replace the 3 placeholder fields:
    • For the X-Auth value, replace the [API KEY] text with the API key you retrieved in step 1.
    • The suggested value for profile_id is 11111111-1111-1111-1111-111111111111; this default is for a full scan. If you want to specify a different scan profile, you can set one of the following values:
      • For the online version of Acunetix:
        • Full scan: 11111111-1111-1111-1111-111111111111
        • High risk vulnerabilities: 11111111-1111-1111-1111-111111111112
        • SQL injection vulnerabilities: 11111111-1111-1111-1111-111111111113
        • Weak passwords: 11111111-1111-1111-1111-111111111115
        • Cross-site scripting vulnerabilities: 11111111-1111-1111-1111-111111111116
        • Crawl only: 11111111-1111-1111-1111-111111111117
        • Malware scan: 11111111-1111-1111-1111-111111111120
        • Full web and network scan: 11111111-1111-1111-1111-211111111111
        • Network scan: 11111111-1111-1111-1111-211111111112
        • Network scan (safe checks): 11111111-1111-1111-1111-211111111113
        • Fast network scan: 11111111-1111-1111-1111-211111111114
      • For the on-premise version of Acunetix:
        • Full scan: 11111111-1111-1111-1111-111111111111
        • High risk: 11111111-1111-1111-1111-111111111112
        • SQL injection vulnerabilities: 11111111-1111-1111-1111-111111111113
        • Weak passwords: 11111111-1111-1111-1111-111111111115
        • Cross-site scripting vulnerabilities: 11111111-1111-1111-1111-111111111116
        • Crawl only: 11111111-1111-1111-1111-111111111117
        • High / medium risk: 11111111-1111-1111-1111-111111111119
        • Malware scan: 11111111-1111-1111-1111-111111111120
      • You can also use the scan profile ID of any custom scan profile that you have created. You can retrieve the scan profile ID of a custom scan profile programmatically through the Acunetix API, or by opening the custom scan profile and reading the ID from the URL.
    • For the target_id value, replace the [Target ID] text with the target ID that you retrieved in step 1.
  • Click on the Start commit button to save your settings.
  • Click on the Commit new file button.
  • This will trigger a manual run of the workflow and therefore add an immediate scan request to Acunetix.
  • All future commits will now also trigger a scan request to Acunetix.
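
As an added example (not the article's workflow step and not Acunetix's own code), the following POSIX shell script wraps the same POST /api/v1/scans call so that it is safe to keep in a repository: the API key is read from the environment (set from a GitHub secret) rather than written into the YAML file, both IDs are checked to be UUIDs before they are interpolated into the JSON body, TLS verification stays on (the article's -k is dropped), and the job fails when the API does not accept the request, which a bare curl does not do because it returns 0 on an HTTP 4xx. The script path .github/scripts/acx-trigger.sh, the 201 Created status and the Location: .../scans/<id> response header are assumptions; the profile ID and the JSON body are the article's own values.

```shell
#!/bin/sh
# Added example, not the article's workflow step. Wraps the article's
# POST /api/v1/scans call: key from the environment, IDs validated, no -k,
# and a non-zero exit when the API does not accept the request.
# "201 Created" and the "Location:" header are assumptions about the reply.
set -eu

ACUNETIX_URL="${ACUNETIX_URL:-https://online.acunetix.com}"   # base URL used in the article
FULL_SCAN_PROFILE="11111111-1111-1111-1111-111111111111"      # "Full scan" profile ID from the article

# Return 0 when $1 has the 8-4-4-4-12 hex form of the article's IDs. Rejecting
# anything else keeps quotes, braces and newlines out of the JSON built below.
acx_is_uuid() {
  case "$1" in
    *[!0-9a-fA-F-]*|'') return 1 ;;   # any non-hex, non-dash character fails
  esac
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# Build the exact JSON body the article's curl sends, with the two IDs filled in.
acx_scan_body() { # profile_id target_id
  printf '{"profile_id":"%s","schedule":{"disable":false,"start_date":null,"time_sensitive":false},"user_authorized_to_scan":"yes","target_id":"%s"}' "$1" "$2"
}

# Map the HTTP status of the POST to a job result with a useful message.
acx_check_http() { # http_code
  case "$1" in
    201) return 0 ;;
    401|403) echo "Acunetix rejected the API key (HTTP $1)" >&2; return 1 ;;
    *) echo "scan request failed (HTTP $1)" >&2; return 1 ;;
  esac
}

# Pull the new scan's ID out of the response headers (read from stdin) so a
# later job step can poll it. Assumes a "Location: .../scans/<id>" header.
acx_scan_id_from_headers() {
  sed -n 's!^[Ll]ocation:.*/scans/\([0-9a-fA-F-]*\).*!\1!p'
}

# Trigger one scan. Prints the scan ID on success; returns non-zero otherwise.
acx_trigger_scan() { # target_id [profile_id]
  target="$1"; profile="${2:-$FULL_SCAN_PROFILE}"
  : "${ACUNETIX_API_KEY:?must be set from a GitHub secret, never written into the workflow file}"
  acx_is_uuid "$target"  || { echo "target_id is not a UUID: $target" >&2; return 1; }
  acx_is_uuid "$profile" || { echo "profile_id is not a UUID: $profile" >&2; return 1; }
  hdrs=$(mktemp)
  # -k is deliberately absent: certificate verification stays on.
  status=$(curl -sS -o /dev/null -D "$hdrs" -w '%{http_code}' \
    --request POST --url "$ACUNETIX_URL/api/v1/scans" \
    --header "X-Auth: $ACUNETIX_API_KEY" \
    --header "content-type: application/json" \
    --data "$(acx_scan_body "$profile" "$target")") || status=000
  rc=0
  acx_check_http "$status" || rc=$?
  if [ "$rc" -eq 0 ]; then
    acx_scan_id_from_headers < "$hdrs"
  fi
  rm -f "$hdrs"
  return "$rc"
}

# Stand-alone use: sh acx-trigger.sh <target_id> [profile_id].
# With no arguments (when sourced or under test) nothing is sent.
if [ "$#" -ge 1 ]; then
  acx_trigger_scan "$@"
fi
```

In the workflow, the run step becomes sh .github/scripts/acx-trigger.sh "$TARGET_ID" with an env: block that sets ACUNETIX_API_KEY: ${{ secrets.ACUNETIX_API_KEY }} and TARGET_ID for that step; the printed scan ID can be appended to $GITHUB_OUTPUT for a later polling step. For an on-premise instance with a private CA, pass --cacert with the CA bundle rather than reinstating -k.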

Checking the scan results

The Scans page lists all the scans performed. By default, the most recently triggered scan appears at the top of the list.

  • Click on the scan triggered by your GitHub workflow to open the scan summary.
  • The scan summary page gives you an overview of the vulnerabilities found in your web application in the Scan information tab.
  • For a more detailed list of the issues you need to work on, click the Vulnerabilities tab. In this example, the first item listed is a directory traversal vulnerability.
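
Reading the result in the UI is fine for a person, but a CI / CD job needs the same information as a pass/fail decision. As an added example (not part of the article and not Acunetix's own code), the POSIX shell script below polls the scan until it has finished and then fails the job when the high or medium finding counts exceed a threshold. The GET /api/v1/scans/<scan_id> endpoint and the field names current_session.status and current_session.severity_counts are assumptions about the scan object; the sample JSON is constructed for the example and is not a real Acunetix response.

```shell
#!/bin/sh
# Added example, not part of the article. Turns "check the scan results" into
# a pipeline gate. The endpoint and JSON field names are assumptions; the
# sample JSON is constructed, not a real response.
set -eu

ACUNETIX_URL="${ACUNETIX_URL:-https://online.acunetix.com}"

# Constructed sample of a finished scan with one high and two medium findings.
SAMPLE_SCAN='{"scan_id":"00000000-0000-0000-0000-000000000000","current_session":{"status":"completed","severity_counts":{"high":1,"medium":2,"low":0,"info":4}}}'

# Print the session status ("processing", "completed", ...) from a scan JSON.
acx_scan_status() { # json
  printf '%s' "$1" | sed -n 's/.*"status":"\([a-z_]*\)".*/\1/p'
}

# Print one severity count (high|medium|low|info); prints 0 when it is missing.
acx_severity_count() { # json severity
  n=$(printf '%s' "$1" | sed -n "s/.*\"severity_counts\":{[^}]*\"$2\":\([0-9]*\).*/\1/p")
  printf '%s' "${n:-0}"
}

# Gate: return 0 only when the scan completed and the counts are within limits.
acx_gate() { # json max_high max_medium
  status=$(acx_scan_status "$1")
  if [ "$status" != "completed" ]; then
    echo "scan did not complete (status: ${status:-unknown})" >&2
    return 1
  fi
  high=$(acx_severity_count "$1" high)
  medium=$(acx_severity_count "$1" medium)
  echo "findings: high=$high medium=$medium (limits: high<=$2 medium<=$3)" >&2
  if [ "$high" -gt "$2" ] || [ "$medium" -gt "$3" ]; then
    return 1
  fi
  return 0
}

# Poll until the scan reaches a terminal state; prints the final scan JSON.
# Needs network access and ACUNETIX_API_KEY; not exercised offline.
acx_wait_for_scan() { # scan_id [poll_seconds]
  : "${ACUNETIX_API_KEY:?must be set from a GitHub secret}"
  while :; do
    json=$(curl -sS --url "$ACUNETIX_URL/api/v1/scans/$1" --header "X-Auth: $ACUNETIX_API_KEY")
    case "$(acx_scan_status "$json")" in
      completed|aborted|failed) printf '%s\n' "$json"; return 0 ;;
    esac
    sleep "${2:-60}"
  done
}

# Stand-alone use: sh acx-gate.sh <scan_id> [max_high] [max_medium].
# With no arguments (when sourced or under test) nothing is fetched.
if [ "$#" -ge 1 ]; then
  acx_gate "$(acx_wait_for_scan "$1")" "${2:-0}" "${3:-0}"
fi
```

Run as a second workflow step with the scan ID produced by the trigger step; a non-zero exit fails the job, so a pull request that introduces a high-severity finding does not merge unnoticed. The thresholds default to zero; raise them deliberately rather than silencing the gate.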


Resolving vulnerabilities

In the list of vulnerabilities, click on the vulnerability you want to investigate. This opens the details of the vulnerability in question.

The important details of the vulnerability are listed in these sections:

  • The vulnerable URL and any vulnerable parameter passed to the URL
  • Details of the payload sent to the URL to expose the vulnerability
  • When available, additional details that constitute a proof of exploit
  • A description of the vulnerability
  • A summary of how an attacker could use the vulnerability to gain privileged access to the web application
  • A generic description of how to write the source code correctly to fix this kind of vulnerability

If necessary, you can also expand the HTTP request and HTTP response sections. These show the full HTTP exchange between the scanner and the web application, allowing a developer to see the outcome of the vulnerability when it is successfully exploited.

Stay secure

Keep in mind that performing a single scan on your target isn't enough, even if your web application is in code freeze. Over time, new vulnerabilities are discovered, hence the need to remain vigilant.

With this in mind, even if your web application is considered stable, you should still perform periodic scans outside your SDLC to ensure that a web application previously considered secure has not become vulnerable to newly discovered vulnerabilities.

An easy way to help protect your web applications is to set up recurring scanning. You will be notified by email of any vulnerabilities discovered during a scheduled scan so that you can take action and remediate them.

THE AUTHOR

Kevin Attard Compagno
Technical writer

Kevin Attard Compagno is a technical writer working for Acunetix. A technical writer, translator and general IT enthusiast for over 30 years, Kevin has led technical support teams and created training and other materials for internal technical staff.
