End-of-Life (EoL)
Jenkins plugin
The Jenkins plugin for Prisma Cloud enables you to scan container images and serverless functions for security vulnerabilities and compliance issues within your continuous integration pipeline.
You can download the Jenkins plugin directly from Console (
Manage > System > Utilities
).
It’s also delivered with the release tarball that you download from Releases.In order to interoperate, both Console and the Jenkins plugin must be from the same release.
The Jenkins plugin is built for Jenkins on Linux.
To scan images with Jenkins on other operating systems, use a platform-specific twistcli binary.
Build and scan flow
After Jenkins builds a container image or serverless function package, the Prisma Cloud Jenkins plugin scans it for vulnerabilities and compliance issues.
Prisma Cloud can pass or fail builds, depending on the types of issues discovered, and the policies you have defined in Console.
By incorporating scanning into the build phase of the development workflow, developers get immediate feedback about what needs to be fixed.
The scan report provides all the information required to fix the vulnerabilities that were identified in the scan.
The sequence of events is described below:
- An developer commits a change, which triggers a build.
- Jenkins builds the container image.
- Jenkins calls the Prisma Cloud plugin for scanning. The plugin collects data about the image, including the packages and binaries in the image, and submits it to Console for analysis.
- Console returns a list of vulnerabilities and compliance issues.
- The Prisma Cloud plugin passes or fails the build depending upon your policy.For more information about configuring a scan, see: Setting up a Freestyle project, Setting up a Maven project, or Setting up a Pipeline project.For more information about targeting rules created in Console to the Jenkins plugin, see Set policy in the CI plugins.
- Scan results can be reviewed in the following locations:
- Directly in the Jenkins tool, including the project/job page and dashboard view.
- In Prisma Cloud Console, in theMonitor > Vulnerabilities > {Images | Functions} > CIpages.
When scanning multiple images in a single build, results do not appear correctly in the Jenkins dashboard view or vulnerability trends table/graph.
Only trend data for the last image scanned is shown.
Instead, go to Console to see scan results for all images in the build.
Installing the Prisma Cloud Jenkins plugin
Install the Jenkins plugin.
The build console output in Jenkins may show the message - "No CA cert was specified, using insecure connection".
This message is generated because twistcli, which the Jenkins plugin wraps, checks the Console’s trust chain by default.
When twistcli is run directly, the --tlscacert parameter can be passed to specify the signer, so this message is not shown.
To simplify configuration, the Jenkins plugin doesn’t provide this option, hence why the message is shown.
The connection between Jenkins and Console is still fully encrypted with TLS.
The Prisma Cloud Jenkins plugin uses the proxy settings specified in your Jenkins HTTP proxy configuration, which can be found in
Manage Jenkins > Manage Plugins > Advanced
.Prerequisites:
- Your version of Jenkins meets Prisma Cloud’s minimum requirements.
- You have installed Prisma Cloud Console on a host in your environment.
- Your Jenkins host can reach Prisma Cloud Console over the network.
- We recommend adding a Prisma Cloud user with the CI User role to minimize privileges on Console. For more information, see user roles.
- Validate that the Jenkins host can communicate with Prisma Cloud Console.
- Open the Jenkins top page.
- Install the Prisma Cloud Jenkins plugin.The Jenkins plugin can downloaded directly from Console (Manage > System > Utilities). It’s also delivered with the release tarball that you download from Releases.
- ClickManage Plugins(in the left menu bar), and then click theAdvancedtab.
- Scroll down toUpload Plugin, and clickChoose File.
- Navigate to the folder where you unpacked the Prisma Cloud download and select prisma-cloud-jenkins-plugin.hpi.
- ClickUpload.
- Configure the Prisma Cloud plugin.
- Go to the Jenkins top page, and then clickManage Jenkins>Configure System.
- Scroll down to the Prisma Cloud section.Configuring a proxy:
- In theAddressfield, enter the URL for Prisma Cloud Console.
- In theUserandPasswordfields, enter theCI roleuser’s credentials for Prisma Cloud Console.The username is the access key ID and the password is the access key secret of the user with the CI role (Build and Deploy Security permission group with the option to create an access key on Prisma Cloud).
- InChoose Proxy Type, select the proxy option that is to be used for the plugin to communicate with Console.Choose either the default global Jenkins proxy, configure a separate one, or choose to skip any Proxy communication with the 'No Proxy' option. If you choose to configure a separate proxy, fill in the proxy’s address URL, port, username, password, and CA certificate (if any).
- ClickTest Connectionto validate that the Jenkins plugin can communicate with Prisma Cloud Console.
- ClickSave.
Scan artifacts
When a build completes, you can view the scan results directly in Jenkins.
To support integration with other processes and applications in your organization, Prisma Cloud scan reports can be retrieved from several locations.
Full scan reports for the latest build can be retrieved from:
- The scan results file in the project’s workspace (by the name configured in the scan steps).
- The Prisma Cloud API. For more information, see the /api/v1/scans endpoint for downloading Jenkins scan results.
For example, if you use [ThreadFix](https://threadfix.it/) to maintain a consolidated view of vulnerabilities across all your organization’s applications, you could create a post-build action which triggers ThreadFix’s Jenkins plugin to grab Prisma Cloud Compute’s scan report from the project workspace and upload it to the ThreadFix server.
Contact your ThreadFix support team for details on how to ingest this output.
To download the scan report from Console using the Prisma Cloud API, use the following command:
$ curl -k \ -u <COMPUTE_CONSOLE_USER> \ https://<COMPUTE_CONSOLE>/api/v1/scans/download?search=<IMAGE_NAME> \ > scan_report.csv
Ignore image creation time
A common stumbling point is the "Ignore Image Build Time" option.
This option checks the time the image was created against the time your Jenkins build started.
If the image was not created after the start of your current build, the scan is bypassed.
The plugin, by default, scans any image generated as part of your build process, but ignores images not created or updated as part of the build.
Keep in mind the nature of Docker creation time in regards to images.
If nothing changes in the image, the creation time isn’t updated.
This could lead to a scenario where an image is built and scanned in one job, but not scanned in subsequent jobs because the creation time wasn’t updated because the image didn’t change.
Post build cleanup
Most pipelines push images to the registry after passing Prisma Cloud’s vulnerability and compliance scan step.
Pipelines also have a final cleanup step that removes images from the local Docker cache.
If your build fails, and the pipeline is halted, use a
post
section to clean up the Docker cache.
The post
section of a pipeline is guaranteed to run at the end of a pipeline’s execution.For more information, see the Jenkins documentation.