Jenkins plugin

Prisma Cloud provides a Jenkins plugin that lets you incorporate vulnerability scanning into your continuous integration pipeline.
The Jenkins plugin can be downloaded directly from Console (Manage > System > Downloads). It’s also delivered with the release tarball that you download from Releases.
In order to interoperate, both Console and the Jenkins plugin must be from the same release.
The Jenkins plugin is built for Jenkins on Linux. To scan images with Jenkins on other operating systems, use a platform-specific twistcli binary.

Build and scan flow

After Jenkins builds a container image, the Prisma Cloud plugin scans it for vulnerabilities and compliance issues.
Prisma Cloud can pass or fail a build, depending on the types of vulnerability and compliance issues discovered, and the policies you set up in Console. By incorporating scanning into the build phase of the development workflow, engineers get immediate feedback about what needs to be fixed. The scan report provides all the information required to fix the vulnerabilities.
The sequence of events is described below:
  1. An engineer commits a change for a container under development. The commit triggers a build.
  2. Jenkins builds the container image.
  3. As part of the build process, Jenkins calls the Prisma Cloud plugin. The plugin collects data about the image, including the packages and binaries in the image, and submits it to Console for analysis.
  4. Console returns a list of vulnerabilities and compliance issues.
  5. The Prisma Cloud plugin passes or fails the build depending upon your configuration and policy.
    For more information about configuring a scan, see: Setting up a Freestyle project, Setting up a Maven project, or Setting up a Pipeline project.
    For more information about targeting rules created in Console to the Jenkins plugin, see Set policy in the CI plugins.
  6. The results are displayed in the following places:
    • In Jenkins, within the project/job page, or relevant dashboard view.
    • In Prisma Cloud Console, on the Monitor > Vulnerabilities > Jenkins Jobs page.
When scanning multiple images in a single build, results do not appear correctly in the Jenkins dashboard view or vulnerability trends table/graph. Only trend data for the last image scanned is shown. Instead, go to Console to see scan results for all images in the build.

Installing the Prisma Cloud Jenkins plugin

Install the Jenkins plugin.
The Jenkins build console output may show the message "No CA cert was specified, using insecure connection". This message is generated because twistcli, which the Jenkins plugin wraps, checks Console’s trust chain by default. When twistcli is run directly, the --tlscacert parameter can be passed to specify the signing CA, so the message is not shown. To simplify configuration, the Jenkins plugin doesn’t expose this option, which is why the message appears. The connection between Jenkins and Console is still fully encrypted with TLS; the message refers only to the CA certificate used to check the signer.
Prerequisites:
  • Your version of Jenkins meets Prisma Cloud’s minimum requirements.
  • You have installed Prisma Cloud Console on a host in your environment.
  • Your Jenkins host can reach Prisma Cloud Console over the network.
  • We recommend adding a Prisma Cloud user with the CI User role to minimize privileges on Console. For more information, see User roles.
  1. Validate that the Jenkins host can communicate with Prisma Cloud Console.
  2. Open the Jenkins top page.
  3. Install the plugin dependencies.
    The Prisma Cloud plugin depends on the Dashboard View and Static Analysis Utilities plugins.
    1. Click Manage Jenkins > Manage Plugins, and then click on the Available tab.
    2. In the Filter text box, enter Dashboard View.
    3. Select the checkbox for the Dashboard View plugin.
    4. In the Filter text box, enter Static Analysis Utilities.
    5. Select the checkbox for the Static Analysis Utilities plugin.
    6. Click Install without restart.
  4. Install the Prisma Cloud Jenkins plugin.
    The Jenkins plugin can be downloaded directly from Console (Manage > System > Downloads). It’s also delivered with the release tarball that you download from Releases.
    1. Click Manage Plugins (in the left menu bar), and then click the Advanced tab.
    2. Scroll down to Upload Plugin, and click Choose File.
    3. Navigate to the folder where you unpacked the Prisma Cloud download and select twistlock-jenkins-plugin.hpi.
    4. Click Upload.
  5. Configure the Prisma Cloud plugin.
    1. Go to the Jenkins top page, and then click Manage Jenkins > Configure System.
    2. Scroll down to the Prisma Cloud section.
    3. In the Address field, enter the URL for Prisma Cloud Console.
    4. In the User and Password fields, enter the CI role user’s credentials for Prisma Cloud Console.
    5. Click Test Connection to validate that the Jenkins plugin can communicate with Prisma Cloud Console.
    6. Click Save.

Prisma Cloud dashboard portlets

The Prisma Cloud plugin provides a number of portlets that you can add to your dashboard to visualize the vulnerabilities in your images.

Vulnerabilities per image

This portlet summarizes the vulnerabilities in each image:
  • Total number of vulnerabilities.
  • Number of high severity vulnerabilities (CVSS base score 7.0-10.0)
  • Number of medium severity vulnerabilities (CVSS base score 4.0-6.9)
  • Number of low severity vulnerabilities (CVSS base score 0.0-3.9)

Vulnerabilities trend graph (new vs fixed)

This portlet displays a bar chart, where each bar represents a build of your image. Each bar has two components:
  • Number of new vulnerabilities introduced into this build (red).
  • Number of vulnerabilities fixed in this build (blue).

Vulnerabilities trend graph (priority distribution)

This portlet shows how the mix of vulnerabilities changes with each build of your project.
  • High severity vulnerabilities - Red
  • Medium severity vulnerabilities - Yellow
  • Low severity vulnerabilities - Blue
Y-axis: Number of vulnerabilities. X-axis: Build dates.

Vulnerability trend graph (total)

This graph shows how the total number of vulnerabilities in an image changes with each build of your project.
Y-axis: Number of vulnerabilities. X-axis: Build dates.

Setting up a dashboard

The dashboard can be set up with Prisma Cloud visualizations to show you the vulnerabilities in your builds and how they have changed over time.
  1. Go to the Jenkins top page.
  2. Click the + button to create a new view.
  3. Enter a name for your view, select Dashboard, then click OK.
  4. Under Job Filters, select which jobs should be displayed in this view.
    For example, you might set Status Filter to All selected jobs. And then under Jobs, select any job that builds a Docker image.
  5. Add Prisma Cloud portlets to your dashboard.
    In the drop-down menus for adding portlets to the top, left, right, and bottom of the page, you have the option to add:
    • Vulnerabilities per image.
    • Vulnerabilities trend graph (new vs fixed)
    • Vulnerabilities trend graph (priority distribution)
    • Vulnerability trend graph (total).
  6. Click OK.
    The following screenshot shows an example view named Prisma Cloud. It is applied to two jobs: test and test_pipeline. It displays just a single portlet: Vulnerabilities per image.

Scan artifacts

When a build completes, you can view the scan results directly in Jenkins. To support integration with other processes and applications in your organization, Prisma Cloud scan reports can be retrieved from several locations.
Full scan reports for the latest build can be retrieved from:
  • The project’s workspace, in a file named twistlock.json.
  • The Prisma Cloud API. For more information, see the endpoint for downloading an image’s health (GET /api/v1/images/download).
For example, if you use ThreadFix to maintain a consolidated view of vulnerabilities across all your organization’s applications, you could create a post-build action which triggers ThreadFix’s Jenkins plugin to grab Prisma Cloud’s scan report from the project workspace and upload it to the ThreadFix server.
To download the scan report from Console using the Prisma Cloud API, use the following command:
$ curl \
    -H "Accept: application/json, text/plain" \
    -H "Content-type: application/json" \
    -u username:password \
    'https://<CONSOLE>:8083/api/v1/images/download?Search=<IMAGE_REPO:TAG>' \
    > scan_report.csv

Ignore image creation time

A common stumbling point is the "Ignore Image Build Time" option. This option checks the time the image was created against the time your Jenkins build started. If the image was not created after the start of your current build, the scan is bypassed. The plugin, by default, scans any image generated as part of your build process, but ignores images not created or updated as part of the build.
Keep in mind how Docker assigns creation times to images: if nothing in the image changes, the creation time isn’t updated. This can lead to a scenario where an image is built and scanned in one job, but not scanned in subsequent jobs, because its creation time was not updated when the image didn’t change.

Post build cleanup

Most pipelines push images to the registry after passing Prisma Cloud’s vulnerability and compliance scan step. Pipelines also have a final cleanup step that removes images from the local Docker cache. If your build fails, and the pipeline is halted, use a post section to clean up the Docker cache. The post section of a pipeline is guaranteed to run at the end of a pipeline’s execution.
For more information, see the Jenkins documentation.
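A declarative Jenkinsfile that ties the build and scan flow together: it builds the image, warns when the image’s creation time predates the build start (the Ignore Image Build Time case above), scans, pushes, and cleans the Docker cache in a post section that runs even when the scan fails the build. This is an added example, not code from the Prisma Cloud documentation: the image name is a constructed placeholder, the agent is assumed to be Linux with GNU date, and the twistlockScan step name and parameters are assumed from the plugin’s Pipeline Syntax snippet generator, so copy the exact call from there.

```groovy
pipeline {
    agent any
    environment {
        // Constructed sample image name; replace with your registry and repo.
        IMAGE = "registry.example.com/team/app:${env.BUILD_NUMBER}"
        // Build start in epoch seconds, the reference the plugin compares against.
        BUILD_START = "${currentBuild.startTimeInMillis.intdiv(1000)}"
    }
    stages {
        stage('Build image') {
            steps {
                sh 'docker build -t "$IMAGE" .'
            }
        }
        stage('Check image creation time') {
            steps {
                // Docker keeps the old Created time when nothing in the image
                // changed, which makes the plugin bypass the scan. Warn instead.
                sh '''
                    created=$(docker inspect --format '{{.Created}}' "$IMAGE")
                    if [ "$(date -u -d "$created" +%s)" -lt "$BUILD_START" ]; then
                        echo "WARNING: $IMAGE predates this build; scan would be bypassed"
                    fi
                '''
            }
        }
        stage('Scan image') {
            steps {
                // Step name and parameters are assumed; copy the exact call from
                // the Pipeline Syntax snippet generator of the installed plugin.
                twistlockScan ca: '', cert: '', key: '', image: "${env.IMAGE}",
                    dockerAddress: 'unix:///var/run/docker.sock',
                    ignoreImageBuildTime: true, logLevel: 'true', timeout: 10
            }
        }
        stage('Push image') {
            steps {
                // Reached only if the scan step passed the build.
                sh 'docker push "$IMAGE"'
            }
        }
    }
    post {
        always {
            // Runs even when a failed scan halts the pipeline, so the unpushed
            // image does not linger in the local Docker cache.
            sh 'docker rmi -f "$IMAGE" || true'
        }
    }
}
```

The scan results for the build are written to twistlock.json in the workspace as described under Scan artifacts, so a later post-build action can pick them up from there.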

What’s next?

Set up a build job and configure Prisma Cloud to scan the Docker image generated from the job.
For more information, see:
Notifications of build failures can be enabled using existing Jenkins plugins, for example:
