Fully Automated API Security Testing in CI/CD
Test your APIs using Levo AI test plans or app-based testing and get the results in real time.
In order to run this plugin you will need to:
- Have a Levo AI account
- Have a Levo CLI Authorization Key
- For test plan mode: Have a Levo AI test plan
- For app-based mode: Have an application configured in Levo AI
To install the plugin in Jenkins:
- Go to "Manage Jenkins" > "Manage Plugins" > "Available".
- Search for "Levo".
- Install the plugin.
After adding a Levo Test Plan step into your build, you'll need to configure some values.
The plugin supports two execution modes:
- Test Plan LRN: run tests using a pre-configured test plan
- Application Name: dynamically create and run tests based on the application configuration
For credentials, this plugin relies on the Jenkins Credentials plugin. You'll need to add a credential holding your Levo API key:
- Click on the "Add" button next to the credentials dropdown.
- Select the credential store (domain) the credential should be saved in.
- Select "Levo Credential" as credential type.
- Enter your CLI Authorization Key.
- Enter your organization id that you can get from the Organizations Tab in your user settings.
- Save and select the new credential.
Test Plan LRN mode: this mode runs a pre-configured test plan from your Levo organization.
Configuration:
- Test Plan LRN: The test plan identifier. Go to the Test Plan section of your Levo organization and click the "Copy LRN" button on the selected test plan.
- Target: The target URL to test
- Test Users: Comma-separated test user names (optional). If not specified, the default test user is used. Test users must be configured in Levo SaaS first.
- Extra CLI Arguments: Additional command-line arguments (optional)
- Generate JUnit Reports: Check to generate JUnit XML reports
Application Name mode: this mode automatically creates and runs tests based on your application configuration, so there is no need to create test plans manually.
Required Configuration:
- Application Name: The name of your application in Levo AI
- Environment: The environment to test (e.g., "production", "staging")
Optional Filtering:
- Categories: Comma-separated test categories (default: BOLA,BFLA,INJECTION,SSRF)
- HTTP Methods: Comma-separated methods to include (e.g., GET,POST,PUT)
- Exclude Methods: Comma-separated methods to exclude (e.g., DELETE,OPTIONS)
- Endpoint Pattern: Regex pattern to include specific endpoints (e.g., .*api.*)
- Exclude Endpoint Pattern: Regex pattern to exclude endpoints
- Test Users: Comma-separated test user names (optional). If not specified, the default test user is used. Test users must be configured in Levo SaaS first.
- Target URL: Override the app's default target URL
Failure Criteria (Advanced):
- Fail Severity: Minimum severity to fail the build (none, low, medium, high, critical)
- Fail Scope: Fail on new vulnerabilities, any vulnerabilities, or none
- Fail Threshold: Fail if vulnerability count exceeds this number
Example Configuration:
Application Name: my-api-app
Environment: production
Categories: BOLA,BFLA
HTTP Methods: GET,POST,PUT
Endpoint Pattern: .*api/v1.*
Test Users: Victim1,Victim2
Fail Severity: high
Fail Scope: new
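To make the interplay of the filtering options and the failure criteria concrete, here is an added Python example that models them over a constructed endpoint inventory and a constructed list of findings. It is not the plugin's own code, and the plugin's exact semantics are not documented here, so three details are assumptions: endpoint regexes are matched against the full path (which is why the example above uses `.*api/v1.*`), a Fail Severity of `none` disables the severity gate entirely, and Fail Threshold is a strict "more than" comparison on the count of findings that pass both the severity and scope gates.

```python
import re
from dataclasses import dataclass

# Severity ladder as listed in the "Fail Severity" option, lowest first.
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Endpoint:
    method: str
    path: str


@dataclass(frozen=True)
class Finding:
    severity: str
    is_new: bool      # not seen in a previous run (drives Fail Scope = "new")
    endpoint: str

    def __post_init__(self):
        if self.severity not in SEVERITY_ORDER[1:]:
            raise ValueError(f"unknown severity: {self.severity!r}")


def _csv(value):
    """Split a comma-separated option string into trimmed, upper-cased tokens."""
    return [v.strip().upper() for v in (value or "").split(",") if v.strip()]


def select_endpoints(endpoints, http_methods="", exclude_methods="",
                     endpoint_pattern="", exclude_endpoint_pattern=""):
    """Apply the HTTP Methods / Exclude Methods / Endpoint Pattern /
    Exclude Endpoint Pattern options. Include filters narrow the set,
    exclude filters always win. Regexes use fullmatch (assumption)."""
    include = set(_csv(http_methods))
    exclude = set(_csv(exclude_methods))
    inc_re = re.compile(endpoint_pattern) if endpoint_pattern else None
    exc_re = re.compile(exclude_endpoint_pattern) if exclude_endpoint_pattern else None
    selected = []
    for ep in endpoints:
        method = ep.method.upper()
        if include and method not in include:
            continue
        if method in exclude:
            continue
        if inc_re and not inc_re.fullmatch(ep.path):
            continue
        if exc_re and exc_re.fullmatch(ep.path):
            continue
        selected.append(ep)
    return selected


def should_fail_build(findings, fail_severity="high", fail_scope="new", fail_threshold=0):
    """Build gate combining Fail Severity, Fail Scope and Fail Threshold.
    Returns True when the build should be marked failed."""
    if fail_scope not in ("new", "any", "none"):
        raise ValueError(f"unknown fail scope: {fail_scope!r}")
    if fail_severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown fail severity: {fail_severity!r}")
    # Assumption: scope "none" or severity "none" means "never fail the build".
    if fail_scope == "none" or fail_severity == "none":
        return False
    min_rank = SEVERITY_ORDER.index(fail_severity)
    counted = [
        f for f in findings
        if SEVERITY_ORDER.index(f.severity) >= min_rank
        and (fail_scope == "any" or f.is_new)
    ]
    # Assumption: the threshold is a strict "exceeds" comparison.
    return len(counted) > fail_threshold


# Constructed sample data (hypothetical inventory and findings, not real scan output).
SAMPLE_ENDPOINTS = [
    Endpoint("GET", "/api/v1/users"),
    Endpoint("POST", "/api/v1/users"),
    Endpoint("DELETE", "/api/v1/users/{id}"),
    Endpoint("GET", "/api/v2/orders"),
    Endpoint("GET", "/healthz"),
]
SAMPLE_FINDINGS = [
    Finding("critical", True, "GET /api/v1/users/{id}"),   # new BOLA-style finding
    Finding("medium", True, "POST /api/v1/users"),         # new, below the "high" gate
    Finding("high", False, "GET /api/v1/orders"),          # previously known finding
]

if __name__ == "__main__":
    # The example configuration from this page: GET,POST,PUT on .*api/v1.*,
    # fail on new findings of severity high or above.
    in_scope = select_endpoints(SAMPLE_ENDPOINTS, http_methods="GET,POST,PUT",
                                endpoint_pattern=r".*api/v1.*")
    for ep in in_scope:
        print(f"testing {ep.method} {ep.path}")
    print("fail build:", should_fail_build(SAMPLE_FINDINGS, "high", "new", 0))
```

With the page's example settings only the two v1 `GET`/`POST` endpoints are selected (the `DELETE` route is dropped by the include list, `/api/v2/orders` and `/healthz` by the pattern), and the single new critical finding is enough to fail the build. Switching Fail Scope to `any` also counts the previously known high finding, which is the setting to use when the goal is to block on the current state of the API rather than on regressions only.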
Test User Selection:
- Test users allow you to specify which authenticated users (configured in Levo SaaS) should be used when running tests
- Multiple test users can be specified as comma-separated values (e.g., Victim1,Victim2)
- The plugin will pass each test user to the CLI using the --test-user flag
- If no test users are specified, the default test user for the app/environment will be used
- Test users must be configured in Levo SaaS before they can be used in Jenkins jobs
If you use an environment file to define authentication details, you can add that file as a Secret File credential in the Credentials plugin:
- Click on the "Environment Secret Text" dropdown.
- Click on "Add" next to the credentials dropdown.
- Select your datastore.
- Select "Secret File" as credential type.
- Import the file.
- Save and select the new file.
Licensed under Apache 2.0, see LICENSE
