Jenkins Integration
Integrate AIPTx security testing into your Jenkins CI/CD pipelines.Quick Start
Declarative Pipeline
Copy
pipeline {
agent any
environment {
AIPTX_API_KEY = credentials('aiptx-api-key')
}
stages {
stage('Security Scan') {
steps {
sh '''
curl -fsSL https://get.aiptx.io | sh
aiptx auth set-key $AIPTX_API_KEY
aiptx scan https://staging.example.com --mode quick --fail-on critical
'''
}
}
}
}
Setup
1. Install AIPTx CLI
Add to your Jenkins node or use the Docker image: Option A: Install CLICopy
sh 'curl -fsSL https://get.aiptx.io | sh'
Copy
agent {
docker {
image 'aiptx/cli:latest'
}
}
2. Configure Credentials
- Go to Manage Jenkins → Manage Credentials
- Add a new Secret text credential
- ID:
aiptx-api-key - Secret: Your AIPTx API key
3. Create Pipeline
Create aJenkinsfile in your repository:
Copy
pipeline {
agent any
environment {
AIPTX_API_KEY = credentials('aiptx-api-key')
TARGET_URL = 'https://staging.example.com'
}
stages {
stage('Build') {
steps {
sh 'npm ci && npm run build'
}
}
stage('Deploy to Staging') {
steps {
sh './deploy-staging.sh'
}
}
stage('Security Scan') {
steps {
script {
def scanResult = sh(
script: '''
aiptx auth set-key $AIPTX_API_KEY
aiptx scan $TARGET_URL \
--mode standard \
--output json \
--wait > scan-results.json
cat scan-results.json
''',
returnStdout: true
)
def results = readJSON text: scanResult
if (results.findings_count.critical > 0) {
error "Critical vulnerabilities found!"
}
}
}
post {
always {
archiveArtifacts artifacts: 'scan-results.json'
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: 'scan-report.html',
reportName: 'Security Report'
])
}
}
}
stage('Deploy to Production') {
when {
expression { currentBuild.result == null || currentBuild.result == 'SUCCESS' }
}
steps {
sh './deploy-production.sh'
}
}
}
}
Pipeline Examples
Scripted Pipeline
Copy
node {
def scanId
stage('Checkout') {
checkout scm
}
stage('Build & Deploy') {
sh 'npm ci && npm run build'
sh './deploy-staging.sh'
}
stage('Security Scan') {
withCredentials([string(credentialsId: 'aiptx-api-key', variable: 'AIPTX_API_KEY')]) {
sh 'aiptx auth set-key $AIPTX_API_KEY'
// Start scan
scanId = sh(
script: 'aiptx scan https://staging.example.com --mode standard --output json | jq -r .scan_id',
returnStdout: true
).trim()
echo "Scan started: ${scanId}"
// Wait for completion
sh "aiptx scan status ${scanId} --wait"
// Export results
sh "aiptx findings export --scan-id ${scanId} --format json > findings.json"
sh "aiptx report generate --scan-id ${scanId} --format html --output scan-report.html"
}
}
stage('Evaluate Results') {
def findings = readJSON file: 'findings.json'
def criticalCount = findings.findAll { it.severity == 'critical' }.size()
def highCount = findings.findAll { it.severity == 'high' }.size()
echo "Critical: ${criticalCount}, High: ${highCount}"
if (criticalCount > 0) {
error "Build failed: ${criticalCount} critical vulnerabilities found"
}
if (highCount > 3) {
unstable "Warning: ${highCount} high severity vulnerabilities found"
}
}
stage('Archive Results') {
archiveArtifacts artifacts: '*.json, *.html'
}
}
Parallel Scanning
Scan multiple targets simultaneously:Copy
pipeline {
agent any
environment {
AIPTX_API_KEY = credentials('aiptx-api-key')
}
stages {
stage('Security Scans') {
parallel {
stage('Web App') {
steps {
sh '''
aiptx auth set-key $AIPTX_API_KEY
aiptx scan https://app.example.com \
--mode quick \
--output json > webapp-results.json
'''
}
}
stage('API') {
steps {
sh '''
aiptx auth set-key $AIPTX_API_KEY
aiptx scan https://api.example.com \
--type api \
--openapi ./openapi.yaml \
--output json > api-results.json
'''
}
}
stage('Admin Portal') {
steps {
sh '''
aiptx auth set-key $AIPTX_API_KEY
aiptx scan https://admin.example.com \
--mode quick \
--output json > admin-results.json
'''
}
}
}
}
stage('Aggregate Results') {
steps {
script {
def totalCritical = 0
['webapp', 'api', 'admin'].each { target ->
def results = readJSON file: "${target}-results.json"
totalCritical += results.findings_count.critical
}
if (totalCritical > 0) {
error "Total critical vulnerabilities: ${totalCritical}"
}
}
}
}
}
}
Scheduled Deep Scan
Copy
pipeline {
agent any
triggers {
cron('H 2 * * 0') // Weekly on Sunday at 2 AM
}
environment {
AIPTX_API_KEY = credentials('aiptx-api-key')
}
stages {
stage('Deep Security Scan') {
steps {
timeout(time: 8, unit: 'HOURS') {
sh '''
aiptx auth set-key $AIPTX_API_KEY
aiptx scan https://app.example.com \
--mode deep \
--wait \
--output json > deep-scan-results.json
'''
}
}
}
stage('Generate Reports') {
steps {
sh '''
SCAN_ID=$(jq -r '.scan_id' deep-scan-results.json)
aiptx report generate --scan-id $SCAN_ID --format pdf --output security-report.pdf
aiptx report generate --scan-id $SCAN_ID --format csv --output findings.csv
'''
}
}
stage('Notify') {
steps {
emailext(
subject: "Weekly Security Scan Results",
body: '''
Weekly security scan completed.
See attached report for details.
''',
attachmentsPattern: '*.pdf,*.csv',
to: '[email protected]'
)
}
}
}
post {
always {
archiveArtifacts artifacts: '*.json, *.pdf, *.csv'
}
}
}
Jenkins Plugins
AIPTx Jenkins Plugin
For enhanced integration, use the AIPTx Jenkins plugin:Copy
pipeline {
agent any
stages {
stage('Security Scan') {
steps {
aiptxScan(
target: 'https://staging.example.com',
mode: 'standard',
credentialsId: 'aiptx-api-key',
failOnSeverity: 'HIGH'
)
}
}
}
}
Plugin Features
- Native Jenkins credential integration
- Build status integration
- Trend graphs for findings over time
- Direct links to AIPTx dashboard
- SARIF report publishing
Security Best Practices
Credential Management
Always use Jenkins credentials, never hardcode API keys:Copy
// Good
withCredentials([string(credentialsId: 'aiptx-api-key', variable: 'AIPTX_API_KEY')]) {
sh 'aiptx auth set-key $AIPTX_API_KEY'
}
// Bad - Never do this
sh 'aiptx auth set-key sk_live_xxxxx'
Pipeline Security
Copy
pipeline {
options {
disableConcurrentBuilds()
timeout(time: 4, unit: 'HOURS')
}
stages {
stage('Security Scan') {
options {
retry(2)
}
steps {
// Scan steps
}
}
}
}
Troubleshooting
CLI not found
CLI not found
Ensure the CLI is installed on the Jenkins agent or use the Docker image:
Copy
agent {
docker { image 'aiptx/cli:latest' }
}
Timeout errors
Timeout errors
Increase the timeout for deep scans:
Copy
timeout(time: 8, unit: 'HOURS') {
sh 'aiptx scan ... --mode deep'
}
Permission denied
Permission denied
Verify the API key has correct permissions and the credential ID matches.