1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Continuous integration
    6. Jenkins Pipeline project
    End-of-Life (EoL)

    Jenkins Pipeline project

    The Prisma Cloud Jenkins plugin supports Jenkins Pipeline. Jenkins Pipeline lets you implement and integrate continuous delivery pipelines into Jenkins.
    The publish build step depends on the results file generated by scan build step. The results file must be accessible when running the publish step. Therefore, it’s not possible to run both stages (scan and publish) on different nodes or in parallel.
    For example, a pipeline script that scans a serverless function and publishes the results (assuming the function zip file exists in the current workspace) looks as follows:
    node('master') {
  stage('Scan') {
    prismaCloudScanFunction
  }

  stage('Publish') {
    prismaCloudPublish
  }
}

    Setting up a Pipeline project for container images

    To set up a Jenkins Freestyle project:
    1. Go to the Jenkins top page.
    2. Create a new project.
      1. Click
        New Item
        .
      2. In
        Item
         name, enter a name for your project.
      3. Select
        Pipeline
        .
      4. Click
        OK
        .
    3. Use Jenkin’s Snippet Generator to generate Pipeline Script for the Prisma Cloud steps.
      In the
      Pipeline
       section, click on the
      Pipeline syntax
       link, which takes you to https://<PRISMA_CLOUD_CONSOLE>/job/docs_issue/pipeline-syntax/.
    4. Generate Pipeline Script for the scan step.
      1. In the
        Sample Step
         drop-down, select
        prismaCloudScanImage - Scan Prisma Cloud Images
        .
      2. In the
        Image
         field, select the image to scan by specifying the repository and tag.
        Specify the repository and tag using an exact match or pattern matching expressions. For example, enter test/test-image*.
        If the image you want to scan is created outside of this build, or if you want to scan the image every build, even if the build might not generate an new image, then click
        Advanced
        , and select
        Ignore image creation time
        .
      3. Click
        Generate Pipeline Script
        , copy the snippet, and set it aside.
    5. Generate Pipeline Script to publish the scan results in Jenkins directly.
      This post-build step depends on a file generated by the previous scan build step, which holds the scan results. This step specifically makes the results available for review in the Jenkins build tool. Note that the previous scan step already published the results in Console, and they’re ready to be reviewed there.
      1. In the
        Sample Step
         drop-down, select
        prismaCloudPublish - Publish Prisma Cloud analysis results
        .
      2. In
        Scan Result Files
        , accept the default.
        Scan result files aren’t deleted by the publish step. They stay in the workspace.
      3. Click
        Generate Pipeline Script
        , copy the snippet, and set it aside.
    6. Return to your project configuration page.
    7. Paste both snippets into the script section for your project configuration.
      The following example script builds a simple image, and runs the scan and publish steps.
      pipeline {
  agent any
       stages {
          stage('Build') {
            // Build an image for scanning
            sh 'echo "FROM imiell/bad-dockerfile:latest" > Dockerfile'
            sh 'docker build --no-cache -t test/test-image:0.1 .'
          }

          stage('Scan') {
            // Scan the image
            prismaCloudScanImage ca: '',
            cert: '',
            dockerAddress: 'unix:///var/run/docker.sock',
            image: 'test/test-image*',
            key: '',
            logLevel: 'info',
            podmanPath: '',
            project: '',
            resultsFile: 'prisma-cloud-scan-results.json',
            ignoreImageBuildTime:true
          }
       }

       post { // The post section lets you run the publish step regardless of the scan results
            always {
                prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results.json'
            }
       }
}
    8. Click
      Save
      .
    9. Click
      Build Now
      .
    10. After the build completes, examine the results.
      The Status page shows a summary of each build step:
      Click on a step to view the log messages for that step:
      Scan reports are available in the following locations:
      • Prisma Cloud Console: Log into Console, and go to
        Monitor > Vulnerabilities > Images > CI
        .
      • Jenkins: Drill down into the build job, then click
        Image Vulnerabilities
         to see a detailed report.

    Setting up a Pipeline project for serverless functions

    The procedure for setting up Jenkins to scan serverless functions is similar to the procedure for container images, except select
    prismaCloudScanFunction: Scan Prisma Cloud Functions
     in the snippet generator.
    Where:
    • Function Path (functionPath)
       — Path to the ZIP archive of the function to scan.
    • Function Name (functionName)
       — (Optional) String identifier for matching policy rules in Console with the functions being scanned. When creating policy rules in Console, you can target specific rules to specific functions by function name. If this field is left unspecified, the plugin matches the function to the first rule where the function name is a wildcard.
    • AWS CloudFormation template file (cloudFormationTemplateFile)
       — (Optional) Path to CloudFormation template file in either JSON or YAML format. Prisma Cloud scans the function source code for AWS service APIs being used, compares the APIs being used to the function permissions, and reports when functions have permissions for APIs they don’t need.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo