The Open Web Application Security Project publishes a tool called ZAP: the Zed Attack Proxy. ZAP provides various tools, including a baseline scan that can be run against an application endpoint to look for a base set of common problems.
In Jenkins X this can be run against a Preview Application (that each application gets) by creating a post-preview hook:
jx create addon owasp-zap
Any pull request will then have its preview application run through the ZAP baseline scan, and should any failures be detected, the CI pipeline will fail automatically. The pipelines do not need to be changed to run this test, and it will apply to all pull requests for the team.
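To make the gating behaviour concrete, here is an added example (not the addon's own code) of a POSIX shell gate that reads the summary line `zap-baseline.py` prints at the end of a run and decides whether the pipeline should fail. The summary lines and counts are constructed samples, and the optional STRICT switch that also fails on new warnings is this example's own addition.

```shell
#!/bin/sh
# Constructed samples of the tab-separated summary line printed by
# zap-baseline.py; the counts are made up for this example.
SAMPLE_FAIL="$(printf 'FAIL-NEW: 2\tFAIL-INPROG: 0\tWARN-NEW: 3\tWARN-INPROG: 0\tINFO: 0\tIGNORE: 0\tPASS: 48')"
SAMPLE_WARN="$(printf 'FAIL-NEW: 0\tFAIL-INPROG: 0\tWARN-NEW: 3\tWARN-INPROG: 0\tINFO: 0\tIGNORE: 0\tPASS: 50')"
SAMPLE_CLEAN="$(printf 'FAIL-NEW: 0\tFAIL-INPROG: 0\tWARN-NEW: 0\tWARN-INPROG: 0\tINFO: 1\tIGNORE: 0\tPASS: 53')"

# zap_counter LINE NAME: print the integer that follows "NAME: " in LINE,
# or nothing when the counter is absent.
zap_counter() {
    printf '%s\n' "$1" | sed -n "s/.*$2: \([0-9][0-9]*\).*/\1/p"
}

# zap_gate LINE [STRICT]: return 0 when the preview app may proceed and 1
# when the pipeline should fail. New FAIL-level alerts always fail the
# build; new WARN-level alerts fail it only when STRICT is 1 (hypothetical
# switch, not part of the addon).
zap_gate() {
    line="$1"; strict="${2:-0}"
    fail_new="$(zap_counter "$line" FAIL-NEW)"
    warn_new="$(zap_counter "$line" WARN-NEW)"
    # A missing summary means the scan did not complete: fail closed.
    [ -n "$fail_new" ] || { echo "zap gate: no ZAP summary found" >&2; return 1; }
    if [ "$fail_new" -gt 0 ]; then
        echo "zap gate: $fail_new new failing alert(s), failing the pipeline" >&2
        return 1
    fi
    if [ "$strict" = 1 ] && [ "${warn_new:-0}" -gt 0 ]; then
        echo "zap gate: $warn_new new warning(s) with strict mode on" >&2
        return 1
    fi
    echo "zap gate: no new failing alerts" >&2
    return 0
}
```

In a hook this would be fed the captured output of the baseline scan against the preview URL, so the scan's alert counters, not only its exit status, decide the build.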
To remove the ZAP test:
jx delete post preview job --name owasp-zap
The post preview hook can also be configured with a command like: