Prisma Cloud provides a Jenkins plugin that lets you incorporate vulnerability scanning into your continuous integration pipeline.
In order to interoperate, both Console and the Jenkins plugin must be from the same release.
Build and scan flow
After Jenkins builds a container image, the Prisma Cloud plugin scans it for vulnerabilities and compliance issues.
Prisma Cloud can pass or fail a build, depending on the types of vulnerability and compliance issues discovered, and the policies you set up in Console. By incorporating scanning into the build phase of the development workflow, engineers get immediate feedback about what needs to be fixed. The scan report provides all the information required to fix the vulnerabilities.
The sequence of events is described below:
- An engineer commits a change for a container under development. The commit triggers a build.
- Jenkins builds the container image.
- As part of the build process, Jenkins calls the Prisma Cloud plugin. The plugin collects data about the image, including the packages and binaries in the image, and submits it to Console for analysis.
- Console returns a list of vulnerabilities and compliance issues.
- The Prisma Cloud plugin passes or fails the build depending upon your configuration and policy. For more information about targeting rules created in Console to the Jenkins plugin, see Set policy in the CI plugins.
- The results are displayed in the following places:
- In Jenkins, within the project/job page, or relevant dashboard view.
- In Prisma Cloud Console, on the Monitor > Vulnerabilities > Jenkins Jobs page.
When scanning multiple images in a single build, results do not appear correctly in the Jenkins dashboard view or vulnerability trends table/graph. Only trend data for the last image scanned is shown. Instead, go to Console to see scan results for all images in the build.
Installing the Prisma Cloud Jenkins plugin
Install the Jenkins plugin.
The build console output in Jenkins may show the message "No CA cert was specified, using insecure connection". This message is generated because twistcli, which the Jenkins plugin wraps, checks the Console’s trust chain by default. When twistcli is run directly, the --tlscacert parameter can be passed to specify the signer, so this message is not shown. To simplify configuration, the Jenkins plugin doesn’t provide this option, which is why the message is shown. The connection between Jenkins and Console is still fully encrypted with TLS.
- You have installed Prisma Cloud Console on a host in your environment.
- Your Jenkins host can reach Prisma Cloud Console over the network.
- Validate that the Jenkins host can communicate with Prisma Cloud Console.
- Open the Jenkins top page.
- Install the plugin dependencies. The Prisma Cloud plugin depends on the Dashboard View and Static Analysis Utilities plugins.
- Click Manage Jenkins > Manage Plugins, and then click on the Available tab.
- In the Filter text box, enter Dashboard View.
- Select the checkbox for the Dashboard View plugin.
- In the Filter text box, enter Static Analysis Utilities.
- Select the checkbox for the Static Analysis Utilities plugin.
- Click Install without restart.
- Install the Prisma Cloud Jenkins plugin.
- Click Manage Plugins (in the left menu bar), and then click the Advanced tab.
- Scroll down to Upload Plugin, and click Choose File.
- Navigate to the folder where you unpacked the Prisma Cloud download and select twistlock-jenkins-plugin.hpi.
- Configure the Prisma Cloud plugin.
- Go to the Jenkins top page, and then click Manage Jenkins > Configure System.
- Scroll down to the Prisma Cloud section.
- In the Address field, enter the URL for Prisma Cloud Console.
- In the User and Password fields, enter the CI role user’s credentials for Prisma Cloud Console.
- Click Test Connection to validate that the Jenkins plugin can communicate with Prisma Cloud Console.
Prisma Cloud dashboard portlets
The Prisma Cloud plugin provides a number of portlets that you can add to your dashboard to visualize the vulnerabilities in your images.
Vulnerabilities per image
This portlet summarizes the vulnerabilities in each image:
- Total number of vulnerabilities.
- Number of high severity vulnerabilities (CVSS base score 7.0-10.0)
- Number of medium severity vulnerabilities (CVSS base score 4.0-6.9)
- Number of low severity vulnerabilities (CVSS base score 0.0-3.9)
Vulnerabilities trend graph (new vs fixed)
This portlet displays a bar chart, where each bar represents a build of your image. Each bar has two components:
- Number of new vulnerabilities introduced into this build (red).
- Number of vulnerabilities fixed in this build (blue).
Vulnerabilities trend graph (priority distribution)
This portlet shows how the mix of vulnerabilities changes with each build of your project.
- High severity vulnerabilities - Red
- Medium severity vulnerabilities - Yellow
- Low severity vulnerabilities - Blue
Y-axis: Number of vulnerabilities. X-axis: Build dates.
Vulnerability trend graph (total)
This graph shows how the total number of vulnerabilities in an image changes with each build of your project.
Y-axis: Number of vulnerabilities. X-axis: Build dates.
Setting up a dashboard
The dashboard can be set up with Prisma Cloud visualizations to show you the vulnerabilities in your builds and how they have changed over time.
- Go to the Jenkins top page.
- Click the + button to create a new view.
- Enter a name for your view, select Dashboard, then click OK.
- Under Job Filters, select which jobs should be displayed in this view. For example, you might set Status Filter to All selected jobs. And then under Jobs, select any job that builds a Docker image.
- Add Prisma Cloud portlets to your dashboard. In the drop-down menus for adding portlets to the top, left, right, and bottom of the page, you have the option to add:
- Vulnerabilities per image.
- Vulnerabilities trend graph (new vs fixed)
- Vulnerabilities trend graph (priority distribution)
- Vulnerability trend graph (total).
- Click OK. The following screenshot shows an example view named Prisma Cloud. It is applied to two jobs: test and test_pipeline. It displays just a single portlet: Vulnerabilities per image.
When a build completes, you can view the scan results directly in Jenkins. To support integration with other processes and applications in your organization, Prisma Cloud scan reports can be retrieved from several locations.
Full scan reports for the latest build can be retrieved from:
- The project’s workspace, in a file named twistlock.json.
For example, if you use ThreadFix to maintain a consolidated view of vulnerabilities across all your organization’s applications, you could create a post-build action which triggers ThreadFix’s Jenkins plugin to grab Prisma Cloud’s scan report from the project workspace and upload it to the ThreadFix server.
To download the scan report from Console using the Prisma Cloud API, use the following command:
$ curl \
    -H "Accept: application/json, text/plain" \
    -H "Content-Type: application/json" \
    -u username:password \
    'https://<CONSOLE>:8083/api/v1/images/download?Search=<IMAGE_REPO:TAG>' \
    > scan_report.csv
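As an added example (not code from this page, the plugin, or Prisma Cloud), the following Python script shows what a pipeline can do with a retrieved scan report: it derives the figures the dashboard portlets display, namely the per-image totals bucketed into the high (7.0-10.0), medium (4.0-6.9) and low (0.0-3.9) CVSS bands of the Vulnerabilities per image portlet, and the new-versus-fixed counts between two builds that the trend graph plots, and then makes an illustrative pass/fail decision. The report layout assumed here (a "results" list with one entry per image, each carrying "vulnerabilities" with an "id" and a "cvss" score) and the two embedded sample reports are constructed assumptions; the gate thresholds are this example's, not the plugin's policy engine.

```python
import json
from typing import Dict, Optional, Set, Tuple

# Constructed sample reports. The layout (a "results" list with one entry per
# image, each carrying "vulnerabilities" with an "id" and a CVSS base score)
# is an assumption about the twistlock.json shape, not taken from the page.
PREVIOUS_BUILD_REPORT = json.dumps({
    "results": [{
        "name": "registry.example/app:41",
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "cvss": 9.8, "packageName": "openssl"},
            {"id": "CVE-0000-0002", "cvss": 5.3, "packageName": "curl"},
            {"id": "CVE-0000-0003", "cvss": 2.1, "packageName": "zlib"},
        ],
    }]
})

CURRENT_BUILD_REPORT = json.dumps({
    "results": [{
        "name": "registry.example/app:42",
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "cvss": 9.8, "packageName": "openssl"},  # carried over
            {"id": "CVE-0000-0004", "cvss": 7.0, "packageName": "libxml2"},  # new, band boundary
            {"id": "CVE-0000-0005", "cvss": 6.9, "packageName": "busybox"},  # new
            {"id": "CVE-0000-0006", "cvss": 3.9, "packageName": "pcre"},     # new
        ],
    }]
})


def severity(cvss: float) -> str:
    """Map a CVSS base score to the bands the 'Vulnerabilities per image' portlet
    uses: high 7.0-10.0, medium 4.0-6.9, low 0.0-3.9."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def summarize(report_json: str) -> Dict[str, Dict[str, int]]:
    """Per-image counts (total, high, medium, low) as the portlet displays them."""
    report = json.loads(report_json)
    summary: Dict[str, Dict[str, int]] = {}
    for image in report.get("results", []):
        counts = {"total": 0, "high": 0, "medium": 0, "low": 0}
        for vuln in image.get("vulnerabilities", []):
            counts["total"] += 1
            counts[severity(float(vuln["cvss"]))] += 1
        summary[image["name"]] = counts
    return summary


def cve_ids(report_json: str) -> Set[str]:
    """All vulnerability ids across every image in the report."""
    report = json.loads(report_json)
    return {v["id"] for img in report.get("results", []) for v in img.get("vulnerabilities", [])}


def new_vs_fixed(previous_json: str, current_json: str) -> Tuple[int, int]:
    """(new, fixed) between two builds, as the 'new vs fixed' trend graph plots them:
    new = ids present now but not before; fixed = ids present before but gone now."""
    before, now = cve_ids(previous_json), cve_ids(current_json)
    return len(now - before), len(before - now)


def passes_gate(report_json: str, max_high: int = 0, max_medium: Optional[int] = None) -> bool:
    """Illustrative pass/fail decision (not the plugin's policy engine): fail when any
    image exceeds the allowed number of high (and optionally medium) findings."""
    for counts in summarize(report_json).values():
        if counts["high"] > max_high:
            return False
        if max_medium is not None and counts["medium"] > max_medium:
            return False
    return True


if __name__ == "__main__":
    # In a Jenkins job the report would be read from the workspace instead:
    #   with open("twistlock.json") as f: report = f.read()
    for name, counts in summarize(CURRENT_BUILD_REPORT).items():
        print(name, counts)
    print("new/fixed since last build:", new_vs_fixed(PREVIOUS_BUILD_REPORT, CURRENT_BUILD_REPORT))
    print("gate (no highs allowed):", passes_gate(CURRENT_BUILD_REPORT))
```

The band boundaries are deliberately exercised by the sample (7.0 counts as high, 6.9 as medium, 3.9 as low), and the new/fixed figures are computed as set differences of vulnerability ids, which is why a finding that merely changes score between builds is neither new nor fixed.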
Ignore image creation time
A common stumbling point is the "Ignore Image Build Time" option. This option checks the time the image was created against the time your Jenkins build started. If the image was not created after the start of your current build, the scan is bypassed. The plugin, by default, scans any image generated as part of your build process, but ignores images not created or updated as part of the build.
Keep in mind how Docker assigns creation times to images: if nothing in the image changes, the creation time isn’t updated. This can lead to a scenario where an image is built and scanned in one job but not scanned in subsequent jobs, because the image didn’t change and so its creation time wasn’t updated.
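As an added illustration (not code from the page or from the plugin), this Python script models the creation-time comparison described above and replays the stale-timestamp scenario: a second job that rebuilds an unchanged image sees the old creation time and is skipped. The timestamps are constructed; the should_scan function, its ignore_image_build_time parameter, and the reading that setting the option skips the comparison are assumptions of this example, not the plugin's own code.

```python
import re
from datetime import datetime, timezone
from typing import List, Tuple


def parse_docker_time(value: str) -> datetime:
    """Parse an RFC 3339 timestamp as Docker prints it for an image's Created field
    (for example from: docker inspect --format '{{.Created}}' IMAGE), which carries a
    nanosecond fraction and a trailing 'Z'. Normalised so datetime.fromisoformat
    accepts it on any Python 3 release: 'Z' -> '+00:00', fraction padded or
    truncated to exactly 6 digits."""
    value = value.strip()
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    value = re.sub(r"\.(\d+)", lambda m: "." + (m.group(1) + "000000")[:6], value)
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def should_scan(image_created: str, build_started: str,
                ignore_image_build_time: bool = False) -> bool:
    """Default behaviour described on the page: scan only an image created after the
    current build started. When the option is set, the comparison is skipped
    (assumed reading of the option name; this is example logic, not the plugin's)."""
    if ignore_image_build_time:
        return True
    return parse_docker_time(image_created) > parse_docker_time(build_started)


def simulate_jobs(jobs: List[Tuple[str, str]]) -> List[bool]:
    """jobs: (build_started, image_created) for successive runs of the same job.
    Returns whether each run's image would be scanned."""
    return [should_scan(created, started) for started, created in jobs]


# Constructed timeline: job 2 rebuilds an unchanged Dockerfile, so Docker keeps the
# creation time from job 1 and the image is not scanned again.
CONSTRUCTED_RUNS = [
    ("2024-03-01T10:00:00Z", "2024-03-01T10:01:30.123456789Z"),  # fresh image -> scanned
    ("2024-03-01T10:30:00Z", "2024-03-01T10:01:30.123456789Z"),  # unchanged -> skipped
    ("2024-03-01T11:00:00Z", "2024-03-01T11:02:05Z"),            # changed again -> scanned
]

if __name__ == "__main__":
    for (started, created), decision in zip(CONSTRUCTED_RUNS, simulate_jobs(CONSTRUCTED_RUNS)):
        print(f"build started {started}  image created {created}  scanned={decision}")
```

The middle run is the case the text warns about: the job ran, but because the image's creation time predates the build start, the scan is bypassed and the job's dashboard keeps showing the previous result.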
Post build cleanup
Most pipelines push images to the registry after passing Prisma Cloud’s vulnerability and compliance scan step. Pipelines also have a final cleanup step that removes images from the local Docker cache. If your build fails, and the pipeline is halted, use a post section to clean up the Docker cache. The post section of a pipeline is guaranteed to run at the end of a pipeline’s execution.
For more information, see the Jenkins documentation.
Set up a build job and configure Prisma Cloud to scan the Docker image generated from the job.
For more information, see:
Notifications of build failures can be enabled using existing Jenkins plugins, for example: