Document:Prisma Cloud Administrator’s Guide (Compute)

Jenkins Pipeline project

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Prisma Cloud container images
- Kubernetes
- OpenShift v4
- Amazon ECS
- Alibaba Cloud Container Service for Kubernetes (ACK)
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Google Kubernetes Engine (GKE) Autopilot
- IBM Kubernetes Service (IKS)
- Windows
- Defender types
- Cluster Context
- Install Defender
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- Search CVEs
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Jenkins Pipeline project

The Prisma Cloud Jenkins plugin supports Jenkins Pipeline. Jenkins Pipeline lets you implement and integrate continuous delivery pipelines into Jenkins.

In this workflow, there are two sequential steps for analyzing scan results. The publish build stage depends on the results file generated by scan build stage. The results file must be accessible when running the publish step. Therefore, it’s not possible to run both stages (scan and publish) on different nodes or in parallel.

For example, a pipeline script that scans a serverless function and publishes the results (assuming the function zip file exists in the current workspace) should look like this:

node('master') {
  stage('Scan') {
    prismaCloudScanFunction
  }

  stage('Publish') {
    prismaCloudPublish
  }
}

Setting up a Pipeline project for container images

To set up a Jenkins Pipeline:

Go to the Jenkins top page.

Create a new pipeline.

Click New Item
.

In Item
name, enter a name for your pipeline.

Select Pipeline
.

Click OK
.

Use Jenkin’s Snippet Generator to generate Pipeline Script for the Prisma Cloud steps.

In the Pipeline
section, click on the Pipeline syntax
link, which takes you to https://<PRISMA_CLOUD_CONSOLE>/job/docs_issue/pipeline-syntax/.

Generate Pipeline Script for the scan step.

In the Sample Step
drop-down, select prismaCloudScanImage - Scan Prisma Cloud Images
.

In the Image
field, select the image to scan by specifying the repository and tag.

Specify the repository and tag using an exact match or pattern matching expressions. For example, enter test/test-image*.

If the image you want to scan is created outside of this build, or if you want to scan the image every build, even if the build might not generate an new image, then click Advanced
, and select Ignore image creation time
.

Click Generate Pipeline Script
, copy the snippet, and set it aside.

Generate Pipeline Script to publish the scan results in Jenkins directly.

This post-build step depends on a file generated by the previous scan build step, which holds the scan results. This step specifically makes the results available for review in the Jenkins build tool. Note that the previous scan step already published the results in Console, and they’re ready to be reviewed there.

In the Sample Step
drop-down, select prismaCloudPublish - Publish Prisma Cloud analysis results
.

In Scan Result Files
, review the json filename.

If you have configured scanning for multiple images and configured unique filenames for each scan in the previous step, you must add a wildcard to the json filename for scan results. For example prisma-cloud-scan-results*.json. This ensures that publish command reads all the result files with the same name pattern, and publishes the results so that you can view it. In other cases, accept the default value prisma-cloud-scan-results.json.

Scan result files aren’t deleted by the publish step. They stay in the workspace.

Click Generate Pipeline Script
, copy the snippet, and set it aside.

Return to your project configuration page.

Paste both snippets into the script section for your project configuration. Use the template below.

The following example template builds a simple image, and runs the scan and publish steps.

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Build an image for scanning | Input values for your image below
                sh 'echo "FROM <registry/repository:tag> Dockerfile'
                sh 'docker build --no-cache -t <registry/repository:tag> .'
            }
        }
        stage('Scan') {
            steps {
                // Scan the image | Input value from first script copied below, ''
prismaCloudScanImage - Scan Prisma Cloud Images"
                <PASTE_SCRIPT_HERE>
            }
        }
    }
    post {
        always {
            // The post section lets you run the publish step regardless of the scan results | Input value from second script copied below, "
prismaCloudPublish - Publish Prisma Cloud analysis results."
           <PASTE_SCRIPT_HERE>
        }
    }
}

Click Save
.

Click Build Now
.

After the build completes, examine the results.

The Status page shows a summary of each build step:

Click on a step to view the log messages for that step:

Scan step returned result:

The criteria for passing or failing a scan is determined by the CI vulnerability and compliance policies set in Console. The default CI vulnerability policy alerts on all CVEs detected. The default CI compliance policy alerts on all critical and high compliance issues.

There are two reasons why prismaCloudScanImage scan step might return a failed result.

The scan failed because the scanner found issues that violate your CI policy.

Prisma Cloud Compute Jenkins plugin failed to run due to an error.

In order to understand the reason for the failure, view the step’s log messages, or move to the Jenkins Console Output page. Another option that can help you differentiate the reason for the failure could be to create preliminary steps to the scan step in order to check the Console’s availability, network connectivity, etc.

Anyhow, although the return value is ambiguous — you cannot determine the exact reason for the failure by just examining the return value — this setup supports automation. From an automation process perspective, you expect that the entire flow will work. If you scan an image, with or without a threshold, either it works or it does not work. If it fails, for whatever reason, you want to fail everything because there is a problem.

Scan reports are available in the following locations:

Prisma Cloud Console: Log into Console, and go to Monitor > Vulnerabilities > Images > CI
.

Jenkins: Drill down into the build job, then click Image Vulnerabilities
to see a detailed report.

The Projects
column in the CI scan results table displays the name of the Jenkins pipeline you created.

Below is the sample code if you’d like to test an image for your Jenkins Pipeline for troubleshooting purposes:

The following example script builds a simple image, and runs the scan and publish steps.

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Build an image for scanning
                sh 'echo "FROM imiell/bad-dockerfile:latest" > Dockerfile'
                sh 'docker build --no-cache -t test/test-image:0.1 .'
            }
        }
        stage('Scan') {
            steps {
                // Scan the image
                prismaCloudScanImage ca: '',
                cert: '',
                dockerAddress: 'unix:///var/run/docker.sock',
                image: 'test/test-image*',
                key: '',
                logLevel: 'info',
                podmanPath: '',
                // The project field below is only applicable if you are using Prisma Cloud Compute Edition and have set up projects (multiple consoles) on Prisma Cloud.
                project: '',
                resultsFile: 'prisma-cloud-scan-results.json',
                ignoreImageBuildTime:true
            }
        }
    }
    post {
        always {
            // The post section lets you run the publish step regardless of the scan results
            prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results.json'
        }
    }
}

Document:Prisma Cloud Administrator’s Guide (Compute)

Jenkins Pipeline project

Table of Contents

Jenkins Pipeline project

Setting up a Pipeline project for container images

Setting up a Pipeline project for serverless functions