In this post I’m going to share with you how our teams implement automated vulnerability scanning for our web apps using Arachni, and how we integrate it into our Continuous Delivery pipeline.

In this example we’re going to show how we can do this using a Jenkins server, but in principle any CI server that can run Docker containers should suffice.


Why Docker?
Docker lets you run applications on your host in isolated containers, without having to worry about installing or configuring those applications on the host itself.


Running Arachni
If you’ve never heard of Arachni before, it’s a web application security scanner framework that comes with a suite of tools to play with, including a web frontend.

If you want to poke around and see what it does from a high-level perspective, you can boot up a container with this command:

docker run -d --name arachni -p 9292:9292 ahannigan/docker-arachni bin/arachni_web -o 0.0.0.0

Note: the default username and password are admin@admin.admin / administrator.

Visiting http://localhost:9292 should take you to the Arachni UI; the wiki at https://github.com/Arachni/arachni-ui-web/wiki has more details.

In our CI pipeline, however, we won’t be running the web frontend at all; instead we’ll run Arachni from the command line, extract its JSON output, and use that to report issues to Jira.

Basically, we can stick this in our Jenkinsfile:

  stage('Arachni') {
    sh '''
        # reports holds the raw .afr scan results; artifacts holds what Jenkins archives.
        mkdir -p $PWD/reports $PWD/artifacts;
        # Scan the staging site and save the raw results; --rm discards the container once the scan finishes.
        docker run --rm \
            -v $PWD/reports:/arachni/reports ahannigan/docker-arachni \
            bin/arachni http://staging.example.io --report-save-path=reports/example.io.afr;
        # Turn the .afr file into a zipped HTML report, copy it out of the container, then remove the container.
        docker run --name=arachni_report \
            -v $PWD/reports:/arachni/reports ahannigan/docker-arachni \
            bin/arachni_reporter reports/example.io.afr --reporter=html:outfile=reports/example-io-report.html.zip;
        docker cp arachni_report:/arachni/reports/example-io-report.html.zip $PWD/artifacts;
        docker rm arachni_report;
    '''
    archiveArtifacts artifacts: 'artifacts/**', fingerprint: true
  }

First we make directories to mount into our containers. Then we run a scan and save the results. Finally we generate an HTML report and archive it as a build artifact, so anyone with access to the Jenkins dashboard can view it.


We can also generate a JSON report and process it with a custom program to do things like syncing issues across project management systems, but I’ll save that for next time.
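As an added example (not code from the post), here is a small Python gate that a Jenkins step could run over the JSON report to summarise findings by severity and fail the build when anything at or above a chosen threshold is present. It assumes the JSON reporter is invoked the same way as the HTML one above (`--reporter=json:outfile=reports/example-io-report.json`) and that each entry in the report’s `issues` array carries a `severity` string (`high`, `medium`, `low`, `informational`) and a `name`; both the invocation and the field names are assumptions about the reporter’s output, and the embedded report is constructed sample data, not real scanner output.

```python
"""Gate a CI build on an Arachni JSON report.

Assumption: the report is a JSON object whose "issues" array holds objects
with a "severity" string and a "name" (plus a "vector" with a "url").
These field names are assumed, not taken from the original post.
"""
import json
import sys
from collections import Counter

# Lowest to highest; the gate blocks on everything at or above the threshold.
SEVERITY_ORDER = ["informational", "low", "medium", "high"]

# Constructed sample report so the script runs offline; not real scanner output.
SAMPLE_REPORT = json.dumps({
    "version": "constructed-sample",
    "issues": [
        {"name": "Cross-Site Scripting (XSS)", "severity": "high",
         "vector": {"url": "http://staging.example.io/search", "affected_input_name": "q"}},
        {"name": "Missing 'X-Frame-Options' header", "severity": "low",
         "vector": {"url": "http://staging.example.io/"}},
        {"name": "Interesting response", "severity": "informational",
         "vector": {"url": "http://staging.example.io/robots.txt"}},
    ],
})


def load_report(text):
    """Parse the report; a missing 'issues' key is treated as no findings."""
    data = json.loads(text)
    issues = data.get("issues", [])
    if not isinstance(issues, list):
        raise ValueError("report 'issues' is not a list")
    return issues


def severity_of(issue):
    """Normalise the severity string so 'High' and 'high' compare equal."""
    return str(issue.get("severity", "")).lower()


def count_by_severity(issues):
    """Count findings per known severity level (unknown labels are ignored)."""
    counts = Counter(severity_of(i) for i in issues)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def issues_at_or_above(issues, threshold):
    """Return the findings whose severity meets or exceeds the threshold."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {threshold}")
    blocking_levels = SEVERITY_ORDER[SEVERITY_ORDER.index(threshold):]
    return [i for i in issues if severity_of(i) in blocking_levels]


def gate(report_text, threshold="medium"):
    """Return (passed, summary_lines); passed is False if any finding blocks."""
    issues = load_report(report_text)
    counts = count_by_severity(issues)
    blocking = issues_at_or_above(issues, threshold)
    lines = [f"{sev}: {counts[sev]}" for sev in reversed(SEVERITY_ORDER)]
    for issue in blocking:
        url = issue.get("vector", {}).get("url", "<no url>")
        lines.append(f"BLOCKING [{severity_of(issue)}] {issue.get('name')} at {url}")
    return len(blocking) == 0, lines


def main(argv):
    """Usage: arachni_gate.py [report.json] [threshold]; exit 1 when the gate fails."""
    path = argv[1] if len(argv) > 1 else None
    threshold = argv[2] if len(argv) > 2 else "medium"
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    passed, lines = gate(text, threshold)
    print("\n".join(lines))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the pipeline this would sit after the `arachni_reporter` step as `sh 'python3 arachni_gate.py reports/example-io-report.json medium'`, so a non-zero exit fails the stage while the archived HTML report still tells the team what was found; the threshold is an argument because the right cut-off differs between a staging smoke scan and a release gate.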


Stay lean and secure, happy scanning.