In a world full of microservices, a single organization exposes a vast number of APIs for internal and external use. APIs make the microservices architecture possible, but they also bring the downside of data abuse, exposure and security risk: the more APIs an organization exposes, the more vulnerable it becomes to API attacks such as those in the OWASP Top 10. Traceable AI addresses this by continuously securing your APIs, bringing you deep visibility, real-time protection, and threat analytics. Traceable AI combines distributed tracing with context-based behavioral analytics to deliver modern API security for cloud-native and API-based applications.
Supported Platforms: This plugin currently supports only macOS and Linux environments.
API Security Testing (AST) finds vulnerabilities at a very early stage, giving developers and product security engineers more time and context to prioritize mitigation and build resilient systems. It scans APIs for vulnerabilities by mutating the data in the existing API specifications as required to introduce vulnerabilities.
This Jenkins plugin for AST allows you to run an AST scan as a job on a local Jenkins instance.
- Navigate to "Manage Jenkins > Manage Plugins > Available".
- Search for "Traceable AST".
- Install the plugin.
To get your API token, go to https://app.traceable.ai/preferences/api-tokens and log in to your Traceable account.
- Click on Generate API Token.
- In the dialog box that appears, type in the name of the token and click on the Generate button.
- Copy the generated API token to be used in the next step.


For more detailed instructions on configuring a scan and generating API tokens, see the API Token Generation Guide.
- To add an AST scan job, create a new item in Jenkins as a Freestyle project.
- Add one of the Traceable AST build steps.
- Fill in the configuration fields for the job.
- Click on the Advanced button to fill in additional configuration fields.
- Click Apply and Save.

Important: API Token is a required field. It is the token generated in the Generate API Token step above.
Important: The Traceable AST report tab will only be visible if the Traceable AST - Generate Scan Result build step is added to your Jenkins job.
- Build the job; it will run a scan according to the configuration.
- After the job completes, go to the job's page.
- The scan report will be available in the Traceable AST report tab.
Below are the four available Traceable AST build steps. You can add one or more of these to your Jenkins job as needed:
Initializes a new scan. Use this step to set up scan parameters before running the scan in a separate step; it is useful for advanced workflows where scan configuration and execution are decoupled.
Executes an AST scan using the previously initialized configuration. Use this step after "Initialize Scan" when scan setup and execution are separated.
Combines initialization and execution in a single step. Use this for most standard use cases where you want to configure and run the scan in one go.
Note: This step blocks the Jenkins job until the scan completes or times out.
Fetches and displays the results of the completed scan in Jenkins. Add this step to your job if you want the Traceable AST report tab to appear after the scan completes.
| Option | Description |
|---|---|
| Scan Name (optional) | The name used to identify the scan |
| Test Environment (optional) | The environment whose traffic is analyzed to generate tests. In most cases this is the environment that receives functional test traffic |
| API Token (required) | The API Token/Scan Token obtained from the Traceable Testing section when generating a new scan |
| Traceable CLI Binary Location (optional) | Location of the Traceable AST CLI binary; if omitted, the latest version is downloaded from Traceable Artifactory |
| Plugins (optional) | Comma-separated list of identified vulnerabilities to test for in the scan (refer to the help on the Plugins field for the list of available plugins) |
| Include Url Regex (optional) | Include only the URLs matching this regular expression in the scan |
| Exclude Url Regex (optional) | Exclude the URLs matching this regular expression from the scan |
| Target Url (optional) | Specific URL for which you want to run the scan |
| Traceable Server (optional) | The Traceable server to use for the scan |
| Idle Timeout (optional) | If no test suite is received for this continuous duration, the scan is marked completed and stopped |
| Scan Timeout (optional) | Maximum time a scan may run; the scan is stopped once the scan timeout elapses |
| Scan Suite (optional) | Name of the scan suite to run |
| Include All Endpoints (default asset selection) | All endpoints are targeted during the scan |
| Include Endpoint Ids (comma separated) | Specific endpoint IDs targeted during the scan |
| Include Endpoint Labels (comma separated) | Specific endpoint labels targeted during the scan |
| Include Service Ids (comma separated) | Specific service IDs targeted during the scan |
| XAST Replay | Replay traffic type used during the scan |
| Open Api Spec Ids (comma separated) | IDs of OpenAPI spec files used to generate traffic during the scan |
| Postman Collection Ids (comma separated) | Postman collection file IDs used to generate traffic during the scan |
| Postman Environment Ids (comma separated) | Postman environment file IDs holding the target URLs and traffic environment configuration used during the scan |
| Hook Names (optional) | Authentication hook used to mutate request headers during the scan |
- Only one type of asset (All Endpoints, Endpoint Ids, Service Ids, Endpoint Labels) can be selected for a scan.
- Only one type of traffic (XAST Replay, Open Api Spec Ids, Postman Collection Ids, Postman Environment Ids) can be used for a scan. By default, live traffic is selected.
- Provide the suite name to run a suite scan.
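The selection rules above are easy to get wrong when a job is configured by hand. The following pre-flight check is an added example, not part of the Traceable AST plugin: it models the build-step fields with assumed snake_case keys, enforces the required API token and the one-asset-type / one-traffic-type rules, checks that the URL regexes compile, and shows which of a constructed set of URLs would be in scope under the Include/Exclude Url Regex options.

```python
import re

ASSET_FIELDS = ("include_all_endpoints", "include_endpoint_ids",
                "include_endpoint_labels", "include_service_ids")
TRAFFIC_FIELDS = ("xast_replay", "open_api_spec_ids",
                  "postman_collection_ids", "postman_environment_ids")

SAMPLE_CONFIG = {  # constructed sample; the token is a placeholder, not a real one
    "api_token": "PLACEHOLDER_API_TOKEN",
    "test_environment": "staging",
    "include_endpoint_ids": "ep-101, ep-102",
    "include_url_regex": r"^https://api\.example\.test/v1/",
    "exclude_url_regex": r"/health$",
}
SAMPLE_URLS = [  # constructed sample of URLs a scan might see
    "https://api.example.test/v1/users",
    "https://api.example.test/v1/health",
    "https://api.example.test/v2/orders",
    "https://other.example.test/v1/users",
]

def split_ids(value: str) -> list[str]:
    # Parse a comma-separated ID field, dropping blanks and surrounding spaces.
    return [v.strip() for v in value.split(",") if v.strip()]

def validate_config(cfg: dict[str, str]) -> list[str]:
    # Return the list of rule violations; an empty list means the job config is valid.
    errors = []
    if not cfg.get("api_token", "").strip():
        errors.append("API Token is required")
    assets = [f for f in ASSET_FIELDS if cfg.get(f)]          # one asset type per scan
    if len(assets) > 1:
        errors.append("only one asset type may be selected: " + ", ".join(assets))
    traffic = [f for f in TRAFFIC_FIELDS if cfg.get(f)]       # one traffic type per scan
    if len(traffic) > 1:                                      # none selected = live traffic
        errors.append("only one traffic type may be used: " + ", ".join(traffic))
    for field in ("include_url_regex", "exclude_url_regex"):
        try:
            re.compile(cfg.get(field, ""))
        except re.error as exc:
            errors.append(f"{field} is not a valid regular expression: {exc}")
    return errors

def urls_in_scope(cfg: dict[str, str], urls: list[str]) -> list[str]:
    # Keep URLs matching the include regex (if set) and not matching the exclude regex.
    include, exclude = cfg.get("include_url_regex"), cfg.get("exclude_url_regex")
    return [u for u in urls
            if (not include or re.search(include, u))
            and not (exclude and re.search(exclude, u))]
```

Run `validate_config` before `urls_in_scope`, since the latter assumes the regexes already compile.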
Compile and run the plugin automated tests on Java 11 or Java 17 with:

```
mvn clean verify
```

Run the plugin inside a Jenkins environment with the Maven HPI Plugin:

```
mvn -Djetty.port=8080 hpi:run
```

Code coverage reporting is available as a Maven target. Please improve code coverage with tests when you submit. To report code coverage, run:

```
mvn -P enable-jacoco clean install jacoco:report
```

Source code and pom file formatting is maintained by the spotless Maven plugin. Before submitting a pull request, confirm the formatting is correct with:

```
mvn spotless:apply
```