Automation Domination: ThreadFix and Jenkins Integration


Brandon Spruth is a long-time ThreadFix contributor and he recently completed a Jenkins plugin for ThreadFix that he’ll be unveiling at the OWASP Chicago Suburbs meeting on June 25th 2014 at 6pm.

This is really exciting because:

  • I love seeing the application security process automated as much as possible. Software security folks are outnumbered – by developers, by applications, by you-name-it – and to be effective, us software security folks have to take as much of the straightforward stuff off our plates as possible so we can focus on the really hard stuff.
  • I love seeing security better integrated into the development process, and a huge part of achieving this is building security directly into the tools that us developers are already using. In fact, that’s exactly why ThreadFix was built with defect tracker integrations and IDE plugins because this integrates security tasks directly into the developer’s regular workflow.  The ThreadFix Jenkins plugin makes it easier than ever to get security into the continuous integration process.

Here’s a sneak preview of how it works:


The Global Configuration lets you set up where the ThreadFix command-line client JAR, the ThreadFix server URL, and the ThreadFix API keys are located.


The Project Configuration then lets you link your Jenkins project with a ThreadFix application and indicate the artifacts you’d like to upload.  As a result, any security testing analysis you do during your Jenkins build (i.e. static analysis, dynamic analysis, vulnerable component checking) can then automatically be shipped off to your ThreadFix server. To quote Ina Garten, television’s Barefoot Contessa, “how easy is that?”

Once the final Jenkins plugin is released, we’ll update this post and the ThreadFix wiki with more information on how to do the downloading, the installation and how to best use the ThreadFix Jenkins plugin.

[Update: Here is the plugin page and here is the GitHub repository with the source code.]

So many thanks to Brandon! This is great stuff and the ThreadFix community really benefits from your fierce determination to achieve “Automation Domination.”  If you’re in the Chicago area, please head over to the OWASP meeting on June 25th.  You can also see some of the other work Brandon has done automating the integration of security and development tools here at his AppSecUSA 2013 talk titled “Automation Domination.” (download the slides from his talk here)  Thanks again, Brandon!  Here’s to more automating of the application security process!  We will get there some day.

About Dan Cornell

A globally recognized application security expert and the creator of ThreadFix, Dan Cornell holds 20 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd, the parent company of ThreadFix, he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.