Get involved in the Burp challenge for opportunities to test your skills and win swag  –   Challenge me

DASTARDLY

Integrating Dastardly with Jenkins

  • Last updated: November 4, 2022

  • Read time: 2 Minutes

You can integrate Dastardly with Jenkins. This enables you to run Dastardly web vulnerability scans as a stage in your existing CI/CD pipeline.

This page contains instructions on how to integrate Dastardly with a simple (example) Jenkins CI/CD pipeline. These instructions have been tested with Jenkins 2.361.2.

Jenkins server requirements

Your Jenkins server or build node must have Docker installed.

No plugins beyond the Jenkins defaults are required to run Dastardly in a Jenkins CI/CD pipeline.

For information on the machine specification required to run Dastardly scans, see the Dastardly system requirements.

Configuring the Jenkins pipeline

  1. From the Jenkins Dashboard, click New Item.

  2. Enter an item name for your pipeline, click Pipeline, then click OK.

    Creating a new pipeline in Jenkins.
  3. You can give your pipeline a Description.

  4. From the side menu, click Pipeline.

  5. From the Definition drop down, select Pipeline script from SCM.

  6. Configure the Pipeline section to point to a Jenkinsfile in your code repository. You must include any credentials used to access the repository.

  7. Click Save.

    Configuring a pipeline in Jenkins.

Creating the Jenkinsfile

Create a Jenkinsfile in the corresponding location in your code repository. Add the following content to the file:

// Jenkinsfile (Declarative Pipeline) for integration of Dastardly, from Burp Suite. pipeline { agent any stages { stage ("Docker Pull Dastardly from Burp Suite container image") { steps { sh 'docker pull public.ecr.aws/portswigger/dastardly:latest' } } stage ("Docker run Dastardly from Burp Suite Scan") { steps { cleanWs() sh ''' docker run --user $(id -u) -v ${WORKSPACE}:${WORKSPACE}:rw \ -e DASTARDLY_TARGET_URL=https://ginandjuice.shop/ \ -e DASTARDLY_OUTPUT_FILE=${WORKSPACE}/dastardly-report.xml \ public.ecr.aws/portswigger/dastardly:latest ''' } } } post { always { junit testResults: 'dastardly-report.xml', skipPublishingChecks: true } } }

Note

You can set DASTARDLY_TARGET_URL to a seed URL for any application you want to scan.

In this example, DASTARDLY_TARGET_URL is set to https://ginandjuice.shop/ - this is a deliberately vulnerable web application designed for testing web vulnerability scanners.

The next time your pipeline runs, Dastardly will scan the application you have set under DASTARDLY_TARGET_URL.

Viewing Dastardly scan results in Jenkins

  1. Run your Jenkins pipeline containing Dastardly, and allow the scan to complete. Scans run for a maximum of ten minutes.

  2. Access the scan results by clicking the most recent build under Build History.

  3. Click Test Result. Here you can see any failed tests. See more details of a failed test by clicking it.

Remediation advice

You can see remediation advice for security issues that Dastardly finds under Stacktrace. This includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.

Dastardly security issue remediation advice, shown in Jenkins.
Remediation advice for a security issue found by Dastardly.

Evidence

You can see evidence for security issues that Dastardly finds under Stacktrace. This evidence includes the request sent by Dastardly to produce the issue, as well as the response sent by the application.

Dastardly security issue evidence, shown in Jenkins.
Evidence for a security issue found by Dastardly.

Was this article helpful?