Dastardly

Integrating Dastardly with Jenkins

Last updated: January 29, 2024
Read time: 2 Minutes

You can integrate Dastardly with Jenkins. This enables you to run Dastardly web vulnerability scans as a stage in your existing CI/CD pipeline.

This page contains instructions on how to integrate Dastardly with a simple (example) Jenkins CI/CD pipeline. These instructions have been tested with Jenkins 2.361.2.

Jenkins server requirements

Your Jenkins server or build node must have Docker installed.

No plugins beyond the Jenkins defaults are required to run Dastardly in a Jenkins CI/CD pipeline.

For information on the machine specification required to run Dastardly scans, see the Dastardly system requirements.

Configuring the Jenkins pipeline

From the Jenkins Dashboard, click New Item.
Enter an item name for your pipeline, click Pipeline, then click OK.
You can give your pipeline a Description.
From the side menu, click Pipeline.
From the Definition drop down, select Pipeline script from SCM.
Configure the Pipeline section to point to a Jenkinsfile in your code repository. You must include any credentials used to access the repository.
Click Save.

Creating the Jenkinsfile

Create a Jenkinsfile in the corresponding location in your code repository. Add the following content to the file:

// Jenkinsfile (Declarative Pipeline) for integration of Dastardly, from Burp Suite.

pipeline {
    agent any
    stages {
        stage ("Docker Pull Dastardly from Burp Suite container image") {
            steps {
                sh 'docker pull public.ecr.aws/portswigger/dastardly:latest'
            }
        }
        stage ("Docker run Dastardly from Burp Suite Scan") {
            steps {
                cleanWs()
                sh '''
                    docker run --user $(id -u) -v ${WORKSPACE}:${WORKSPACE}:rw \
                    -e BURP_START_URL=https://ginandjuice.shop/ \
                    -e BURP_REPORT_FILE_PATH=${WORKSPACE}/dastardly-report.xml \
                    public.ecr.aws/portswigger/dastardly:latest
                '''
            }
        }
    }
    post {
        always {
            junit testResults: 'dastardly-report.xml', skipPublishingChecks: true
        }
    }
}

Note

You can set BURP_START_URL to a seed URL for any application you want to scan.

In this example, BURP_START_URL is set to https://ginandjuice.shop/ - this is a deliberately vulnerable web application designed for testing web vulnerability scanners.

The next time your pipeline runs, Dastardly will scan the application you have set under BURP_START_URL.

Viewing Dastardly scan results in Jenkins

Run your Jenkins pipeline containing Dastardly, and allow the scan to complete. Scans run for a maximum of ten minutes.
Access the scan results by clicking the most recent build under Build History.
Click Test Result. Here you can see any failed tests. See more details of a failed test by clicking it.

Remediation advice

You can see remediation advice for security issues that Dastardly finds under Stacktrace. This includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.

Evidence

You can see evidence for security issues that Dastardly finds under Stacktrace. This evidence includes the request sent by Dastardly to produce the issue, as well as the response sent by the application.