How to Integrate Mayhem Into Your Jenkins Pipeline

Mayhem Team
November 17, 2022

Delivering secure, reliable APIs requires finding and fixing issues before shipping to production. That’s why Mayhem for API integrates easily into your CI/CD pipeline to automatically test your API for performance and security and validate it against your API specification. 

With every build, Mayhem will run hundreds—or even thousands—of individual tests and deliver you triaged, actionable results that highlight defects and performance issues.

Mayhem offers several ways to integrate into your CI/CD. In this example, we’ll look at bringing Mayhem into a Jenkins pipeline using both Mayhem’s command line interface (CLI) as well as using Mayhem’s Docker image.


Configure Secrets

To start, you will need an API token to run Mayhem for API in your Jenkins pipeline:

  1. Create a Service Account token for your organization
  2. Add the newly created token as a "Secret text" entry in Jenkins Credentials named MAPI_TOKEN


Configure Your Pipeline

This section demonstrates how to run Mayhem for API against an API that is built and run inside a Jenkins scripted pipeline. As a general rule, we recommend running Mayhem after any static scanning in your pipeline. Both examples start a local API instance and perform all testing against it.

Run With Docker

In this scripted pipeline, after building your API, we use the Mayhem for API image on Docker Hub to run Mayhem as a containerized job and return results. Results are then collected in JUnit XML format.

// Run the build on a node with the 'docker' label
node("docker") {
    checkout scm

    // MAPI_TOKEN - the ID of the "Secret text" credential created above.
    // withCredentials exposes it to shell steps as the MAPI_TOKEN environment
    // variable and masks it in the build log.
    withCredentials([
        string(credentialsId: "MAPI_TOKEN", variable: "MAPI_TOKEN")
    ]) {

        //
        // 1. BUILD AND TEST YOUR API HERE
        //

        stage("Run Mayhem for API") {
            //
            // 2. Start your API
            // e.g. http://localhost:8080/api
            //

            //
            // 3. Run Mayhem for API
            //    --network=host lets the container reach the API on localhost.
            //    The workspace is mounted at /workdir so the OpenAPI spec is
            //    readable and results.xml survives the --rm of the container.
            //    ${MAPI_TOKEN} is expanded by the shell, not by Groovy, so the
            //    secret is never interpolated into the pipeline script.
            //
            sh '''
                docker run -t --rm \
                    --network=host \
                    -v "$PWD:/workdir" -w /workdir \
                    -e MAPI_TOKEN=${MAPI_TOKEN} \
                    -e NO_COLOR=true \
                    forallsecure/mapi:latest \
                    run my-api auto <path_to_openapi_spec> \
                    --url 'http://localhost:8080/api' \
                    --junit results.xml
            '''

            //
            // 4. Collect junit results
            //
            junit testResults: 'results.xml'

        }
    }
}

Run with CLI

This example is nearly identical to the one above. Instead of using the Mayhem Docker image, we call Mayhem directly through the CLI. The easiest way to do this is with the Jenkins Tool Installer, which gives you more robust setup options; the example below shows how to do it without the installer, by downloading the CLI as its own pipeline step.

// Run the build on a node with the 'docker' label
node("docker") {
    checkout scm

    // MAPI_TOKEN - the ID of the "Secret text" credential created above.
    // The mapi CLI reads its token from the MAPI_TOKEN environment variable
    // that withCredentials sets for the shell steps below.
    withCredentials([
        string(credentialsId: "MAPI_TOKEN", variable: "MAPI_TOKEN")
    ]) {

        //
        // 1. BUILD AND TEST YOUR API HERE
        //

        stage("Run Mayhem for API") {
            //
            // 2. Start your API
            // e.g. http://localhost:8080/api
            //

            //
            // 3. Download the CLI (or use Jenkins Tools)
            //    -L follows redirects; chmod makes the binary executable.
            //
            sh '''
                curl -Lo mapi https://mayhem4api.forallsecure.com/downloads/cli/latest/linux-musl/mapi \
                && chmod +x mapi
            '''

            //
            // 4. Run Mayhem for API
            //    Replace <path_to_openapi_spec> with your API specification.
            //
            sh '''
                ./mapi run my-api auto <path_to_openapi_spec> \
                    --url 'http://localhost:8080/api' \
                    --junit results.xml
            '''

            //
            // 5. Collect junit results
            //
            junit testResults: 'results.xml'

        }
    }
}
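Both examples above leave "Start your API" as a placeholder and reach the `junit` step only if the `sh` step before it succeeds, so when the API never comes up or mapi exits non-zero, no results are collected. The scripted pipeline below is an added example, not code from the original post or from Mayhem's documentation, that starts the API in the background, waits until it answers, and collects results in a `finally` block. It assumes the build produces an executable ./my-api listening on port 8080 with a /api/health endpoint, an openapi.json in the workspace, and a ./mapi binary downloaded as in the CLI example; the credential ID MAPI_TOKEN is the one configured above.

```groovy
// Added example (not from the original post): Jenkins scripted pipeline that
// starts the API, waits for readiness, runs Mayhem for API and always collects
// results. Assumed: ./my-api (port 8080, /api/health), ./openapi.json, ./mapi.
node("docker") {
    checkout scm

    withCredentials([string(credentialsId: "MAPI_TOKEN", variable: "MAPI_TOKEN")]) {

        stage("Build") {
            // 1. Your own build and unit-test steps go here (placeholder)
            sh 'echo "build my-api here"'
        }

        stage("Run Mayhem for API") {
            // 2. Start the API in the background and record its PID.
            //    JENKINS_NODE_COOKIE=dontKillMe keeps Jenkins' process tree
            //    killer from stopping it when this sh step ends.
            sh 'JENKINS_NODE_COOKIE=dontKillMe nohup ./my-api > api.log 2>&1 & echo $! > api.pid'

            try {
                // Fail fast if the API never becomes reachable, instead of
                // letting Mayhem report every request as a connection error.
                timeout(time: 2, unit: 'MINUTES') {
                    waitUntil {
                        sh(script: 'curl -fsS http://localhost:8080/api/health > /dev/null',
                           returnStatus: true) == 0
                    }
                }

                // 3. Run Mayhem for API. The token is read by the shell from
                //    the environment set by withCredentials, not interpolated
                //    into the Groovy string, so it stays masked in the log.
                sh '''
                    ./mapi run my-api auto openapi.json \
                        --url 'http://localhost:8080/api' \
                        --junit results.xml
                '''
            } finally {
                // 4. Always publish whatever results were written and stop
                //    the API, even if a step above threw.
                junit testResults: 'results.xml', allowEmptyResults: true
                sh 'kill "$(cat api.pid)" || true'
            }
        }
    }
}
```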

Jenkins Integration

Running Mayhem for API in your Jenkins pipeline ensures you’re identifying security, reliability, and performance issues before shipping to production. Mayhem’s self-learning algorithms constantly expand coverage and provide an automated triage of results so you're not wading through hundreds of issues trying to prioritize. With Mayhem, every result found is actionable, helping you fix and ship software faster.
