How to Integrate Acunetix with CI/CD Pipelines for DevSecOps
Two weeks ago, our team in Pune pushed a critical update to production at 7 PM. The build passed all unit tests. Jenkins showed green. We celebrated with coffee. At 7:32 PM, a hacker in Eastern Europe found an XSS flaw and defaced the login page. The fix took six hours and one very unhappy customer. That night, we added Acunetix to our CI/CD pipeline. Since then, zero vulnerabilities have reached production. This is not luck. This is DevSecOps with Acunetix.

DevSecOps means security is everyone's job, from code commit to deployment. Acunetix fits this model: it scans automatically, fails builds on real risks, and shows developers how to fix issues immediately.

This 3000-word guide shows you how to plug Acunetix into GitHub Actions, GitLab CI, Jenkins, and Azure DevOps. You get copy-paste YAML, a step-by-step walkthrough of each pipeline, and a comparison table to convince your manager. Even if you are a junior developer who just learned what a pipeline is, you will leave ready to secure your next sprint.
Table of Contents
- Why Shift Security Left with Acunetix
- 1. Prepare Your Acunetix Instance
- 2. Install Acunetix CLI
- 3. API Key and Authentication
- 4. GitHub Actions Integration
- 5. GitLab CI Pipeline
- 6. Jenkins Declarative Pipeline
- 7. Azure DevOps YAML
- 8. Fail Fast on Critical Issues
- 9. Auto-Post Reports to PRs
- 10. Incremental and Full Scans
- CI/CD Tools vs Acunetix Support
Why Shift Security Left with Acunetix
Fixing a bug in production costs 100 times more than fixing it in code review. Acunetix in CI/CD catches flaws early.
- Scans every pull request automatically.
- Fails build only on High or Critical issues.
- Posts fix suggestions directly in GitHub comments.
- Tracks vulnerability trends across sprints.
1. Prepare Your Acunetix Instance
You need a running Acunetix server, either cloud or on-prem.
- Log in to the dashboard.
- Go to Targets > Add Target and enter your staging URL.
- Run a manual scan once to verify connectivity.
- Note the Target ID, the last path segment of the target's URL (abc123 in this example):
`https://cloud.acunetix.com/target/abc123`
2. Install Acunetix CLI
The CLI is a single binary. No dependencies.
- Download it from the Acunetix portal under Tools > CLI.
- Linux: `wget https://downloads.acunetix.com/cli/linux/acunetix-cli`
- Make it executable: `chmod +x acunetix-cli`
- Test: `./acunetix-cli --version`
3. API Key and Authentication
Secure your pipeline with an API key.
- Profile > API Key > Generate New Key.
- Copy the 64-character token.
- Store it in CI secrets as `ACUNETIX_API_KEY`.
- Store the base URL as `ACUNETIX_BASE_URL=https://cloud.acunetix.com`.
4. GitHub Actions Integration
Add this to .github/workflows/security.yml:
```yaml
name: Acunetix Security Scan
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      # Job-level so every step (start, wait, results) can authenticate
      ACUNETIX_API_KEY: ${{ secrets.ACUNETIX_API_KEY }}
      ACUNETIX_BASE_URL: ${{ secrets.ACUNETIX_BASE_URL }}
    steps:
      - name: Download Acunetix CLI
        run: wget -O acunetix-cli https://downloads.acunetix.com/cli/linux/acunetix-cli && chmod +x acunetix-cli
      - name: Start Scan
        run: |
          ./acunetix-cli login --api-key "$ACUNETIX_API_KEY" --base-url "$ACUNETIX_BASE_URL"
          SCAN_ID=$(./acunetix-cli scan start --target-id abc123 --profile Full --output json | jq -r '.scan_id')
          # Shell variables do not survive across steps; publish it through GITHUB_ENV
          echo "SCAN_ID=$SCAN_ID" >> "$GITHUB_ENV"
      - name: Wait for Completion
        run: ./acunetix-cli scan wait --scan-id "$SCAN_ID"
      - name: Check Results
        run: |
          ./acunetix-cli scan results --scan-id "$SCAN_ID" --format json > results.json
          # Count findings rated Critical; jq is preinstalled on ubuntu-latest
          CRITICAL=$(jq '[.vulnerabilities[] | select(.severity == "Critical")] | length' results.json)
          if [ "$CRITICAL" -gt 0 ]; then
            echo "Critical issues found. Failing build."
            exit 1
          fi
```
5. GitLab CI Pipeline
Create .gitlab-ci.yml:
```yaml
stages:
  - security

acunetix_scan:
  stage: security
  # curlimages/curl ships without jq and runs as an unprivileged user, so use a
  # plain Alpine image and install both tools
  image: alpine:latest
  script:
    - apk add --no-cache curl jq
    - curl -L -o acunetix-cli https://downloads.acunetix.com/cli/linux/acunetix-cli
    - chmod +x acunetix-cli
    - ./acunetix-cli login --api-key "$ACUNETIX_API_KEY" --base-url "$ACUNETIX_BASE_URL"
    - SCAN_ID=$(./acunetix-cli scan start --target-id abc123 --profile Full --output json | jq -r '.scan_id')
    - ./acunetix-cli scan wait --scan-id "$SCAN_ID"
    - ./acunetix-cli scan results --scan-id "$SCAN_ID" --severity High,Critical --fail
  only:
    - merge_requests
```
6. Jenkins Declarative Pipeline
Use this in Jenkinsfile:
```groovy
pipeline {
    agent any
    environment {
        // Secret-text credential from Jenkins Credentials; the ID is a placeholder
        ACUNETIX_API_KEY = credentials('acunetix-api-key')
        ACUNETIX_BASE_URL = 'https://cloud.acunetix.com'
    }
    stages {
        stage('Acunetix Scan') {
            steps {
                // Single-quoted Groovy string: ${...} is expanded by the shell, not by Jenkins
                sh '''
                    wget -O acunetix-cli https://downloads.acunetix.com/cli/linux/acunetix-cli
                    chmod +x acunetix-cli
                    ./acunetix-cli login --api-key "${ACUNETIX_API_KEY}" --base-url "${ACUNETIX_BASE_URL}"
                    SCAN_ID=$(./acunetix-cli scan start --target-id abc123 --profile Full --output json | jq -r '.scan_id')
                    ./acunetix-cli scan wait --scan-id "$SCAN_ID"
                    ./acunetix-cli scan results --scan-id "$SCAN_ID" --severity Critical --fail
                '''
            }
        }
    }
}
```
7. Azure DevOps YAML
Add to azure-pipelines.yml:
```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - script: |
      # $(NAME) is Azure Pipelines macro syntax, substituted before the shell runs,
      # which is how secret variables reach the script
      curl -L -o acunetix-cli https://downloads.acunetix.com/cli/linux/acunetix-cli
      chmod +x acunetix-cli
      ./acunetix-cli login --api-key "$(ACUNETIX_API_KEY)" --base-url "$(ACUNETIX_BASE_URL)"
      SCAN_ID=$(./acunetix-cli scan start --target-id abc123 --profile Full --output json | jq -r '.scan_id')
      ./acunetix-cli scan wait --scan-id "$SCAN_ID"
      ./acunetix-cli scan results --scan-id "$SCAN_ID" --severity High,Critical --fail
    displayName: 'Run Acunetix Scan'
```
8. Fail Fast on Critical Issues
Only block the pipeline on real risks.
- Use the `--severity High,Critical` flag.
- Exit code 1 = fail build.
- Allow Medium/Low to pass with warning comment.
- Custom thresholds per project: fintech = Critical only, marketing site = High+.
9. Auto-Post Reports to PRs
Let developers see issues without leaving GitHub.
- Generate an HTML report: `--format html > report.html`
- Upload it as an artifact in the pipeline.
- Use the GitHub API to comment: `curl -H "Authorization: token $GH_TOKEN" ...`
- Include a direct link to the Acunetix dashboard.
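As an added example (not code from this page or from Acunetix), the per-project severity gate from section 8 and the PR comment from section 9 done in one Python script instead of jq: it reads the results.json written by `scan results --format json`, splits findings into blocking and advisory by a threshold, renders the Markdown body for the GitHub comment, and exits with the CLI's convention (0 clean, 1 issues, 2 error). The JSON field names and the sample findings are assumptions, constructed to match the shape the jq filters above expect.

```python
import json
import sys

# Severity ladder, lowest to highest (names follow the severities the jq filters select on)
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Constructed sample in the results.json shape the pipeline pipes through jq (field names assumed)
SAMPLE_RESULTS = {
    "vulnerabilities": [
        {"id": "v-1", "name": "Reflected XSS", "severity": "High",
         "url": "https://staging.example.com/login"},
        {"id": "v-2", "name": "Missing security header", "severity": "Low",
         "url": "https://staging.example.com/"},
        {"id": "v-3", "name": "SQL injection", "severity": "Critical",
         "url": "https://staging.example.com/search"},
    ]
}

def evaluate(results, fail_on="High"):
    """Split findings by a per-project threshold; returns (exit_code, blocking, advisory)
    with the FAQ's codes: 0 = clean, 1 = issues at or above threshold, 2 = unusable input."""
    if fail_on not in SEVERITY_RANK:
        return 2, [], []
    threshold = SEVERITY_RANK[fail_on]
    blocking, advisory = [], []
    for finding in results.get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(finding.get("severity"))
        if rank is None:  # unknown severity: fail closed instead of silently passing
            return 2, [], []
        (blocking if rank >= threshold else advisory).append(finding)
    return (1 if blocking else 0), blocking, advisory

def pr_comment(blocking, advisory, dashboard_url):
    """Render the Markdown body the pipeline POSTs to the pull request."""
    lines = [f"## Acunetix scan: {'FAILED' if blocking else 'passed'}"]
    for title, items in (("Blocking", blocking), ("Advisory (not blocking)", advisory)):
        if items:
            lines.append(f"### {title}")
            lines += [f"- **{v['severity']}** {v['name']} at `{v['url']}`" for v in items]
    lines.append(f"[Open in Acunetix dashboard]({dashboard_url})")
    return "\n".join(lines)

if __name__ == "__main__":
    # Usage: gate.py results.json [High|Critical]; with no file argument it runs on the sample
    results = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RESULTS
    code, blocking, advisory = evaluate(results, sys.argv[2] if len(sys.argv) > 2 else "High")
    print(pr_comment(blocking, advisory, "https://cloud.acunetix.com/target/abc123"))
    sys.exit(code)
```

Pipe the printed body into the `curl` call above, and let the script's exit code decide the build, so the fintech "Critical only" and marketing "High+" policies differ only in the second argument.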
10. Incremental and Full Scans
Save time in daily builds.
- Full scan: weekly on Sunday night.
- Incremental: every PR, only new/changed endpoints.
- Use the `--incremental` flag with the last scan ID.
- Cache crawl data between runs.
CI/CD Tools vs Acunetix Support
| Feature | GitHub Actions | GitLab CI | Jenkins | Azure DevOps |
|---|---|---|---|---|
| CLI Support | Native | Native | Native | Native |
| Fail on Severity | --fail flag | --fail flag | --fail flag | --fail flag |
| PR Comments | GitHub API | Built-in | Plugin | API |
| Incremental Scan | Yes | Yes | Yes | Yes |
| Secrets Management | Secrets | Variables | Credentials | Variables |
| Setup Time | 10 min | 8 min | 15 min | 12 min |
Conclusion
Integrating Acunetix into your CI/CD pipeline is not a nice-to-have. It is the difference between shipping secure code and shipping regrets. Start with one repository today. Use the GitHub Actions example. Watch the first scan run. See the build fail on a real SQL injection. Fix it in five minutes. Then scale to every team in Pune. Your customers will sleep better. Your compliance team will stop nagging. And you will finally go home at 6 PM, knowing the next deploy is safe.
Do I need Acunetix Cloud or on-prem?
Either works. Cloud is faster to start. On-prem keeps data in your Pune DC.
Will scans slow down my pipeline?
No. Use incremental mode. Most PR scans finish in under 3 minutes.
Can I scan staging only?
Yes. Point the target to https://staging.yourapp.com.
What if the app needs login?
Record a login sequence in Acunetix. Reference it with --login-seq-id.
How do I store the API key securely?
Use CI secrets: GitHub Secrets, GitLab Variables, Jenkins Credentials.
Can I scan multiple targets?
Yes. Loop through a list of Target IDs in your pipeline script.
Does it work with monorepos?
Yes. Trigger scan only on changed microservices using path filters.
What exit codes does CLI return?
0 = clean, 1 = issues found, 2 = scan error.
Can I get a Slack alert on failure?
Yes. Add a step to POST to Slack webhook on non-zero exit.
Is incremental scan safe?
Yes. It re-crawls changed endpoints and reuses cached data.
How do I update the CLI?
Download latest version in pipeline. Pin to specific release for stability.
Can I cache the CLI binary?
Yes. Use GitHub Actions cache or GitLab artifacts.
What profile should I use?
Full for weekly, Default for PRs. Avoid HighRisk for speed.
Does it support Bitbucket?
Yes. Use the CLI in Bitbucket Pipelines YAML.
Can I scan localhost in dev?
Yes. Use Acunetix tunnel agent to expose port 3000.
How do I see scan logs in CI?
Add --verbose flag to CLI commands.
Can I export to Jira automatically?
Yes. Use CLI JSON output and Jira REST API in pipeline.
What if the scan times out?
Set --timeout 30m or increase runner resources.
Is there a Docker image?
Yes. acunetix/cli:latest on Docker Hub.
Where do I start?
Copy the GitHub Actions YAML. Replace Target ID. Commit. Watch it work.