The following plugin provides functionality available through Pipeline-compatible steps. Read more about how to integrate steps into your Pipeline in the Steps section of the Pipeline Syntax page.

For a list of other such plugins, see the Pipeline Steps Reference page.

IBM Security AppScan Standard Scanner

step([$class: 'AppScanStandardBuilder']): Run AppScan Standard

  • startingURL
    Insert the URL that you want AppScan Standard to start scanning from.

    Spiders will find the remaining URLs in the domain to be included for scanning.

    • Type: String
  • installation
    • Type: String
  • additionalCommands (optional)
    Provide additional and optional commands to run on AppScan Standard CLI.
    AppScanCMD exec|ex|e
    
            Parameters:
            [ /dest_scan|/dest|/d  ]
            [ /base_scan|/base|/b  ]
            [ /old_host|/ohost|/oh  ]
            [ /new_host|/nhost|/nh  ]
            [ /scan_template|/stemplate|/st  ]
            [ /login_file|/lfile|/lf  ]
            [ /multi_step_file|/mstepfile|/mf  ]
            [ /manual_explore_file|/mexplorefile|/mef  ]
            [ /policy_file|/pfile|/pf  ]
            [ /additional_domains|/adomains|/ad  ]
            [ /report_file|/rf  ]
            [ /report_type|/rt  {xml} ]
            [ /min_severity|/msev  {informational} ]
            [ /test_type|/tt  ]
            [ /report_template|/rtemplate|/rtm  {CliDefault} ]
    
            Flags:
            [ /verbose|/v {false} ]
            [ /scan_log|/sl {false} ]
            [ /explore_only|/eo {false} ]
            [ /test_only|/to {false} ]
            [ /multi_step|/mstep|/ms {false} ]
            [ /continue|/c {false} ]
            [ /merge_manual_explore_requests|/mmer {false} ]
            [ /include_responses|/ir {false} ]
            [ /open_proxy|/oprxy|/opr /listening_port|/lport|/lp  ]
    
            Creates new scan with base_scan's configuration
            saving dest_scan and creating report, if configured.
    
    AppScanCMD report|rep|r
    
            Parametrs:
            /base_scan|/base|/b
            /report_file|/rf
            /report_type|/rt
            [ /min_severity|/msev  {informational} ]
            [ /test_type|/tt  ]
            [ /report_template|/rtemplate|/rtm  {CliDefault} ]
    
            Flags:
            [ /verbose|/v {false} ]
    
            Creates a report for base_scan.
    
    AppScanCMD close_proxy|cprxy|cpr
    
            Closes AppScan proxy if was previously opened.
    
    More info. at:
    (9.0.3.2 User Guide) CLI - Chapter 15 - CLI - Page 315
    http://www-01.ibm.com/support/docview.wss?uid=swg27048015#2
    
    
    • Type: String
  • authScan (optional)
    Checking this option will allow AppScan Standard to spider and scan a website using authentication, improving the results obtained in the report.

    If the website contains private information that is only accessible after logging in, this option should be checked and credentials provided to increase dynamic security coverage.

    • Type: boolean
  • authScanPw (optional)
    Provide the password corresponding to the account's user name inserted above.

    Providing an account with higher authorization (such as Administrator) will increase the attack surface and therefore the scan coverage.

    • Type: String
  • authScanRadio (optional)
    Check "Recorded Login Sequence" if you have one for the website; for the majority of cases this is the most reliable option for authenticated scanning.

    A login sequence may be recorded using AppScan Standard's GUI by following these steps:

    "Scan" > "Scan Configuration" > "Login Management" > "Record" > [ record your login...] > "I am logged in to the site" > "Details" (Tab) > "Export" (small icon on the right side).

    Check "Form Based Authentication" if you do not have a recorded login sequence. This option requires a user name and password combination and is not guaranteed to work for all scenarios.

    • Type: boolean
  • authScanUser (optional)
    Provide the user name of an account with access to the private functionalities of the website.

    Providing an account with higher authorization (such as Administrator) will increase the attack surface and therefore the scan coverage.

    • Type: String
  • generateReport (optional)
    Check this option if you want AppScan Standard to generate a report after scanning.

    The report is available in HTML and PDF.

    The HTML report generated is ready to be integrated with the HTML Publisher Plugin.

    • Type: boolean
  • htmlReport (optional)
    Check this option to generate an HTML report. This report can be integrated with the HTML Publisher Plugin.
    • Type: boolean
  • includeURLS (optional)
    This is used to include additional URLs for scanning.

    Some URLs might not be found by AppScan Standard's spiders, include them to get the best possible coverage.

    • Type: String
  • pathRecordedLoginSequence (optional)
    Provide the full path to the recorded login sequence file (.login).
    More info. at:
    (9.0.3.2 User Guide) Login Management view - Chapter 4 - Configuring - Page 45
    http://www-01.ibm.com/support/docview.wss?uid=swg27048015#2
    • Type: String
  • pdfReport (optional)
    Check this option to generate a PDF report.
    • Type: boolean
  • policyFile (optional)
    Provide the path to a Test Policy File (.policy) to determine which types of flaws to scan for.

    A Test Policy File can be created following these steps:

    "Scan" > "Scan Configuration" > "Test Policy" > "Export".

    • Type: String
  • reportName (optional)
    Provide the name to save the report with.

    To configure HTML Publisher Plugin properly, the names in the configuration must match.

    • Type: String
  • verbose (optional)
    Selecting this option will enable AppScan Standard's verbose mode, printing the full scan output in the Jenkins log.
    • Type: boolean
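As an added example (not from the plugin's own documentation), a declarative Jenkinsfile that wires the parameters above into one stage and hands the HTML report to the HTML Publisher Plugin, with the scan account's password bound from the Jenkins credential store rather than written into the pipeline. The installation name, credentials id, target URL, file paths and report directory are assumed placeholders; the page does not state which value of authScanRadio selects which login mode, so that mapping is an assumption too.

```groovy
pipeline {
    agent { label 'appscan' }   // assumed: a Windows agent with AppScan Standard installed
    environment {
        TARGET = 'https://staging.example.test'   // constructed placeholder target
    }
    stages {
        stage('AppScan Standard') {
            steps {
                // Keep the scan account's password out of the Jenkinsfile: bind it from
                // the Jenkins credential store instead of writing it into authScanPw.
                withCredentials([usernamePassword(credentialsId: 'appscan-test-account',
                                                  usernameVariable: 'SCAN_USER',
                                                  passwordVariable: 'SCAN_PASS')]) {
                    step([$class: 'AppScanStandardBuilder',
                          startingURL: env.TARGET,
                          installation: 'AppScan Standard 9.0.3',   // assumed tool installation name
                          // URLs the spider may miss; one per line (assumed format)
                          includeURLS: "${env.TARGET}/admin\n${env.TARGET}/api/v1/export",
                          authScan: true,
                          // assumed: true selects "Recorded Login Sequence", false "Form Based Authentication"
                          authScanRadio: true,
                          pathRecordedLoginSequence: 'C:\\appscan\\staging.login',
                          authScanUser: env.SCAN_USER,
                          authScanPw: env.SCAN_PASS,
                          policyFile: 'C:\\appscan\\owasp-top10.policy',
                          // /scan_log is a flag from the CLI usage above; passed through verbatim (assumed)
                          additionalCommands: '/scan_log',
                          generateReport: true,
                          htmlReport: true,
                          pdfReport: true,
                          reportName: 'appscan-staging',
                          verbose: false])
                }
            }
        }
        stage('Publish report') {
            steps {
                // HTML Publisher Plugin: reportName must match the name given above;
                // reportDir/reportFiles are assumed locations of the generated HTML output.
                publishHTML(target: [allowMissing: false,
                                     alwaysLinkToLastBuild: true,
                                     keepAll: true,
                                     reportDir: 'appscan-staging',
                                     reportFiles: 'appscan-staging.html',
                                     reportName: 'appscan-staging'])
            }
        }
    }
}
```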
