Connect APVISO with Jenkins
Add APVISO penetration testing to Jenkins pipelines. Gate builds on security findings and automate post-deployment vulnerability scanning.
Why connect APVISO with Jenkins?
Pipeline-Native Security Testing
Add APVISO as a pipeline stage in your Jenkinsfile. Scans run as part of your build process with results reported as Jenkins build steps.
Build Quality Gates
Configure Jenkins to fail builds when APVISO discovers vulnerabilities above your severity threshold, preventing insecure code from reaching production.
Flexible Triggering
Trigger APVISO scans on every commit, on merge to specific branches, on a cron schedule, or as a manual build parameter — matching your team's workflow.
JUnit-Compatible Reporting
APVISO outputs findings in JUnit XML format, so Jenkins can display them in the familiar test results interface alongside your other test suites.
Setup Guide
Install the APVISO Jenkins Plugin
Install the APVISO plugin from the Jenkins Plugin Manager. The plugin provides pipeline steps, a build wrapper, and a post-build action for APVISO scans.
Configure APVISO Credentials
Add your APVISO API key as a Jenkins credential (secret text type). Reference this credential in your pipeline configuration.
Add APVISO Steps to Your Jenkinsfile
Use the apvisoScan pipeline step in your Jenkinsfile. Specify the target URL, scan profile, and severity threshold for the build gate.
Configure Results Publishing
Add the APVISO post-build action to publish scan results as JUnit XML artifacts and optionally archive the full PDF report.
Features
- Jenkins pipeline step for declarative and scripted pipelines
- Severity-based build gates (fail, unstable, or pass)
- JUnit XML output for native Jenkins test result display
- PDF report archiving as build artifacts
- Pipeline progress reporting with live scan status
- Support for parameterized builds with dynamic target URLs
- Compatible with Jenkins Blue Ocean, Classic UI, and Pipeline Multibranch
How APVISO Integrates with Jenkins
APVISO's Jenkins integration adds autonomous penetration testing as a first-class stage in your Jenkins pipelines. Whether you use declarative Jenkinsfiles, scripted pipelines, or freestyle projects, the APVISO plugin provides native build steps that trigger scans, wait for results, and gate builds based on security findings.
Pipeline Step: apvisoScan
The core of the integration is the apvisoScan pipeline step. In your Jenkinsfile, add a security testing stage that calls this step with your target URL, scan profile (quick, standard, or comprehensive), and a severity threshold. The step authenticates with your APVISO API key (stored as a Jenkins credential), triggers the scan, and waits for completion while reporting progress.
The step returns a result object containing the finding counts by severity, the overall pass/fail status based on your threshold, and a link to the full APVISO report. Your pipeline logic can use this result to decide the next action — proceed to deployment, mark the build as unstable, or fail the build entirely.
Build Quality Gates
The severity threshold configuration determines how APVISO findings affect your build status:
- Fail threshold: If any finding at or above this severity is discovered, the build is marked as FAILED. Typically set to Critical or High for production deployment pipelines.
- Unstable threshold: Findings at this severity mark the build as UNSTABLE (yellow) but do not prevent it from continuing. Useful for Medium findings that should be addressed but do not block deployment.
- Pass: Findings below both thresholds do not affect the build status. Low and informational findings are recorded for reference but do not impact the pipeline.
This three-tier model gives teams flexibility. A strict production pipeline might fail on any High+ finding, while a development pipeline might only warn on Critical. Teams can tighten thresholds gradually as they improve their security posture.
JUnit XML Integration
APVISO outputs scan results in JUnit XML format, a standard that Jenkins natively understands. Each finding becomes a test case in the XML report: passing (no vulnerability) or failing (vulnerability found), with the finding details as the failure message. Jenkins displays these results in the familiar Test Result trend chart, showing the number of security findings over time across builds.
This approach is powerful because it leverages Jenkins' existing test result infrastructure. Build comparison shows which findings are new vs. existing, trend charts show whether your security posture is improving, and email notifications can include security test results alongside unit test results.
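The three-tier gate and the finding-to-test-case mapping described above, sketched as an added Python example; it is not APVISO's or the plugin's own code. The result field names, the severity ordering and the sample results are constructed assumptions, and the unstable tier is read as "at or above the unstable threshold but below the fail threshold".

```python
import xml.etree.ElementTree as ET

# Severity ranking used for threshold comparison (ordering is an assumption).
SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample results; field names are hypothetical, not APVISO's schema.
SAMPLE_RESULTS = [
    {"check": "sql-injection /search", "severity": "high",
     "vulnerable": True, "detail": "Parameter q is injectable"},
    {"check": "missing-csp-header /", "severity": "medium",
     "vulnerable": True, "detail": "No Content-Security-Policy header"},
    {"check": "open-redirect /login", "severity": "medium",
     "vulnerable": False, "detail": ""},
]


def gate_status(results, fail_at="high", unstable_at="medium"):
    """Three-tier gate: FAILED, UNSTABLE or PASS, decided by the worst finding."""
    worst = max((SEVERITY[r["severity"]] for r in results if r["vulnerable"]),
                default=-1)  # -1 means no findings at all
    if worst >= SEVERITY[fail_at]:
        return "FAILED"
    if worst >= SEVERITY[unstable_at]:
        return "UNSTABLE"
    return "PASS"


def to_junit_xml(results, suite_name="security-scan"):
    """One <testcase> per check; a vulnerable check carries a <failure> child."""
    failed = [r for r in results if r["vulnerable"]]
    suite = ET.Element("testsuite", name=suite_name,
                       tests=str(len(results)), failures=str(len(failed)))
    for r in results:
        case = ET.SubElement(suite, "testcase",
                             classname=f"{suite_name}.{r['severity']}",
                             name=r["check"])
        if r["vulnerable"]:
            # Finding details become the failure message Jenkins displays.
            failure = ET.SubElement(case, "failure",
                                    message=f"[{r['severity']}] {r['detail']}")
            failure.text = r["detail"]
    return ET.tostring(suite, encoding="unicode")


if __name__ == "__main__":
    print(gate_status(SAMPLE_RESULTS))
    print(to_junit_xml(SAMPLE_RESULTS))
```

Raising `fail_at` to `critical` turns the same sample from FAILED into UNSTABLE, which is the gradual tightening the three-tier model is meant to allow.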
PDF Report Archiving
For audit and compliance purposes, the APVISO plugin can archive the full PDF pentest report as a build artifact. Each build produces a timestamped security report that is stored alongside other build artifacts and accessible through the Jenkins UI. Over time, this creates an audit trail of security testing tied to specific code versions and deployments.
Parameterized and Dynamic Scanning
Jenkins' parameterized builds work naturally with the APVISO plugin. Define a TARGET_URL parameter that lets users or upstream jobs specify which environment to scan. This is essential for organizations that deploy to multiple environments (dev, staging, pre-production) and want to scan each one.
Combined with Jenkins Multibranch Pipelines, you can automatically scan feature branch deployments, catching security regressions before they are merged. The branch name or PR number can be used to construct the dynamic target URL for preview environments.
Integration with the Broader Jenkins Ecosystem
The APVISO plugin works with the broader Jenkins plugin ecosystem. Combine it with:
- Slack Notification Plugin: Send APVISO scan results to Slack channels alongside other build notifications
- Email Extension Plugin: Include security finding summaries in build notification emails
- Build Pipeline Plugin: Visualize the security scan stage in your deployment pipeline view
- Credentials Plugin: Securely manage APVISO API keys using Jenkins' credential store
For organizations with complex Jenkins setups — shared libraries, enterprise-wide pipeline templates, and centralized credential management — the APVISO plugin follows Jenkins conventions and integrates cleanly.
Freestyle and Blue Ocean Support
While Jenkinsfile-based pipelines are the recommended approach, the APVISO plugin also supports Jenkins Freestyle projects via a build step and post-build action. The Blue Ocean interface displays APVISO scan stages with their status and duration, and scan results are accessible through the Blue Ocean activity view. Regardless of which Jenkins interface your team prefers, APVISO security testing fits naturally into the workflow.
Frequently Asked Questions
Does the plugin support Jenkins Pipeline (Jenkinsfile)?
Yes. The APVISO Jenkins plugin provides pipeline steps compatible with both declarative and scripted Jenkinsfile syntax. It also supports Jenkins Freestyle projects via a build step configuration.
Can I scan a dynamically deployed environment from the pipeline?
Yes. Pass the deployment URL as a pipeline parameter or derive it from an earlier build stage. The APVISO scan step accepts dynamic target URLs, so you can scan staging environments deployed by the same pipeline.
How are scan results displayed in Jenkins?
Scan results appear in multiple formats: as JUnit XML test results in the build's Test Result page, as a build summary with finding counts and severity breakdown, and as an archived PDF report downloadable from build artifacts.
Does the scan block the pipeline while running?
By default, the pipeline step waits for the APVISO scan to complete before proceeding. You can configure it to run asynchronously and check results in a later stage if you want to parallelize scan execution with other pipeline steps.