Jenkins Pipeline project
The Prisma Cloud Jenkins plugin supports Jenkins Pipeline.
Jenkins Pipeline lets you implement and integrate continuous delivery pipelines into Jenkins.
In this workflow, there are two sequential steps for analyzing scan results. The publish build stage depends on the results file generated by the scan build stage.
The results file must be accessible when running the publish step.
Therefore, it is not possible to run the two stages (scan and publish) on different nodes or in parallel.
For example, a pipeline script that scans a serverless function and publishes the results (assuming the function zip file exists in the current workspace) should look like this:
```groovy
node('master') {
    stage('Scan') {
        prismaCloudScanFunction
    }
    stage('Publish') {
        prismaCloudPublish
    }
}
```
Setting up a Pipeline project for container images
To set up a Jenkins Pipeline:
- Go to the Jenkins top page.
- Create a new pipeline.
  - Click New Item.
  - In Item name, enter a name for your pipeline.
  - Select Pipeline.
  - Click OK.
- Use Jenkins' Snippet Generator to generate Pipeline Script for the Prisma Cloud steps. In the Pipeline section, click the Pipeline syntax link, which takes you to https://<PRISMA_CLOUD_CONSOLE>/job/docs_issue/pipeline-syntax/.
- Generate Pipeline Script for the scan step.
  - In the Sample Step drop-down, select prismaCloudScanImage - Scan Prisma Cloud Images.
  - In the Image field, select the image to scan by specifying the repository and tag. Specify the repository and tag using an exact match or a pattern matching expression, for example test/test-image*. If the image you want to scan is created outside of this build, or if you want to scan the image on every build even when the build might not generate a new image, click Advanced and select Ignore image creation time.
  - Click Generate Pipeline Script, copy the snippet, and set it aside.
- Generate Pipeline Script to publish the scan results directly in Jenkins. This post-build step depends on the file generated by the previous scan build step, which holds the scan results, and makes those results available for review in the Jenkins build tool. Note that the scan step has already published the results to Console, where they are ready to be reviewed.
  - In the Sample Step drop-down, select prismaCloudPublish - Publish Prisma Cloud analysis results.
  - In Scan Result Files, review the JSON filename. If you configured scans for multiple images with a unique results filename for each scan in the previous step, add a wildcard to the filename, for example prisma-cloud-scan-results*.json, so that the publish step reads every results file matching the pattern and publishes all of them. Otherwise, accept the default value prisma-cloud-scan-results.json. Scan result files are not deleted by the publish step; they stay in the workspace.
  - Click Generate Pipeline Script, copy the snippet, and set it aside.
- Return to your project configuration page.
- Paste both snippets into the script section of your project configuration, using the template below. The template builds a simple image, then runs the scan and publish steps.
```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Build an image for scanning | Enter the values for your image below
                sh 'echo "FROM <registry/repository:tag>" > Dockerfile'
                sh 'docker build --no-cache -t <registry/repository:tag> .'
            }
        }
        stage('Scan') {
            steps {
                // Scan the image | Paste the first copied snippet (prismaCloudScanImage - Scan Prisma Cloud Images) here
                <PASTE_SCRIPT_HERE>
            }
        }
    }
    post {
        always {
            // The post section lets you run the publish step regardless of the scan results
            // Paste the second copied snippet (prismaCloudPublish - Publish Prisma Cloud analysis results) here
            <PASTE_SCRIPT_HERE>
        }
    }
}
```
- Click Save.
- Click Build Now.
- After the build completes, examine the results.
- The Status page shows a summary of each build step.
- Click on a step to view the log messages for that step.
- Scan step result: the criteria for passing or failing a scan are determined by the CI vulnerability and compliance policies set in Console. The default CI vulnerability policy alerts on all CVEs detected. The default CI compliance policy alerts on all critical and high compliance issues. There are two reasons why the prismaCloudScanImage scan step might return a failed result:
  - The scan failed because the scanner found issues that violate your CI policy.
  - The Prisma Cloud Compute Jenkins plugin failed to run due to an error.
To understand the reason for the failure, view the step's log messages, or go to the Jenkins Console Output page. Another way to tell the two cases apart is to add preliminary steps before the scan step that check the Console's availability, network connectivity, and so on. Although the return value is ambiguous (you cannot determine the exact reason for the failure from the return value alone), this setup supports automation: from an automation perspective, you expect the entire flow to work. If you scan an image, with or without a threshold, either it works or it does not. If it fails, for whatever reason, you want to fail the whole build because there is a problem.
- Scan reports are available in the following locations:
  - Prisma Cloud Console: Log into Console, and go to Monitor > Vulnerabilities > Images > CI.
  - Jenkins: Drill down into the build job, then click Image Vulnerabilities to see a detailed report. The Projects column in the CI scan results table displays the name of the Jenkins pipeline you created.
Below is sample code you can use to test an image in your Jenkins Pipeline for troubleshooting purposes. The script builds a simple image, then runs the scan and publish steps.
```groovy
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Build an image for scanning
                sh 'echo "FROM imiell/bad-dockerfile:latest" > Dockerfile'
                sh 'docker build --no-cache -t test/test-image:0.1 .'
            }
        }
        stage('Scan') {
            steps {
                // Scan the image
                prismaCloudScanImage ca: '',
                    cert: '',
                    dockerAddress: 'unix:///var/run/docker.sock',
                    image: 'test/test-image*',
                    key: '',
                    logLevel: 'info',
                    podmanPath: '',
                    // The project field is only applicable if you are using Prisma Cloud Compute Edition
                    // and have set up projects (multiple consoles) on Prisma Cloud.
                    project: '',
                    resultsFile: 'prisma-cloud-scan-results.json',
                    ignoreImageBuildTime: true
            }
        }
    }
    post {
        always {
            // The post section lets you run the publish step regardless of the scan results
            prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results.json'
        }
    }
}
```
Setting up a Pipeline project for serverless functions
The procedure for setting up Jenkins to scan serverless functions is similar to the procedure for container images, except that you select prismaCloudScanFunction: Scan Prisma Cloud Functions in the snippet generator.
Where:
- Function Path (functionPath): Path to the ZIP archive of the function to scan.
- Function Name (functionName): (Optional) String identifier for matching policy rules in Console with the functions being scanned. When creating policy rules in Console, you can target specific rules to specific functions by function name. If this field is left unspecified, the plugin uses the function zip file name to match against policy.
- AWS CloudFormation template file (cloudFormationTemplateFile): (Optional) Path to a CloudFormation template file in either JSON or YAML format. Prisma Cloud scans the function source code for the AWS service APIs being used, compares them to the function's permissions, and reports when a function has permissions for APIs it does not need.
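As an added example (not from the Prisma Cloud documentation or the plugin), the following Jenkinsfile ties the container image procedure and the function parameters together: it runs a preflight reachability check before the scan so a later failure can be attributed to policy rather than connectivity, gives each image scan a unique results file so a wildcard publish collects them all, and passes the function ZIP, name and CloudFormation template to prismaCloudScanFunction. The PRISMA_CONSOLE_URL variable, the /api/v1/_ping health endpoint, the image names and the file paths are assumptions.

```groovy
// Added example, not the plugin's own sample. PRISMA_CONSOLE_URL and the
// /api/v1/_ping health endpoint are assumptions; image names and paths are constructed.
pipeline {
    agent any   // a single agent: scan and publish share the same node and workspace
    environment {
        PRISMA_CONSOLE_URL = 'https://<PRISMA_CLOUD_CONSOLE>'   // replace with your Console address
    }
    stages {
        stage('Preflight') {
            steps {
                // Fail here if Console is unreachable, so a later failed scan step can be
                // attributed to CI policy violations rather than connectivity or plugin errors.
                sh 'curl -fsS --max-time 15 "$PRISMA_CONSOLE_URL/api/v1/_ping"'
            }
        }
        stage('Build') {
            steps {
                sh 'docker build --no-cache -t acme/api:1.0 -f api/Dockerfile api'
                sh 'docker build --no-cache -t acme/worker:1.0 -f worker/Dockerfile worker'
                sh 'zip -j function.zip lambda/handler.py'   // constructed sample function
            }
        }
        stage('Scan') {
            steps {
                // One results file per image, so the publish step can pick them all up
                prismaCloudScanImage image: 'acme/api:1.0', logLevel: 'info',
                    dockerAddress: 'unix:///var/run/docker.sock', ignoreImageBuildTime: true,
                    resultsFile: 'prisma-cloud-scan-results-api.json'
                prismaCloudScanImage image: 'acme/worker:1.0', logLevel: 'info',
                    dockerAddress: 'unix:///var/run/docker.sock', ignoreImageBuildTime: true,
                    resultsFile: 'prisma-cloud-scan-results-worker.json'
                // The template lets the scanner compare the AWS APIs used by the code against
                // the permissions granted, and report permissions the function does not need
                prismaCloudScanFunction functionPath: 'function.zip',
                    functionName: 'acme-order-handler',
                    cloudFormationTemplateFile: 'lambda/template.yaml'
            }
        }
    }
    post {
        always {
            // The wildcard matches every results file written above, including the
            // function scan's default-named file; nothing is deleted from the workspace
            prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results*.json'
        }
    }
}
```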