Use the Prisma Cloud IaC Scan Plugin for Jenkins

Learn how to use the Prisma Cloud™ IaC Scan Plugin for Jenkins to incorporate Infrastructure as Code (IaC) misconfiguration and compliance scanning into your continuous integration pipeline.
Use the Prisma™ Cloud IaC Scan Plugin to perform Infrastructure as Code (IaC) scanning during Jenkins builds. To use the Prisma Cloud IaC scan functionality, Jenkins needs network access to the Prisma Cloud API server for your tenant, and you need a Prisma Cloud access key and secret key for the plugin to authenticate with. The plugin scans your templates for misconfigurations; if any are detected, you can review them in a report generated within Jenkins.
  1. Verify the prerequisites
    You must have administrative privileges in Jenkins to install the Prisma Cloud IaC scan plugin.
    1. Launch your browser and point it to your Jenkins server. For example, the default URL is http://localhost:8080; replace 8080 with the custom port if you changed it.
    2. Enter your username and password.
    3. Click Sign in.
    You also need the following Prisma Cloud credentials:
      • Access Key
        Enables programmatic access to Prisma Cloud. To create an access key, select Settings > Access Keys > Add New. Treat the key pair as a password: it carries the permissions of the user or role it was created for, so create it for a user or role with no more permissions than the scan needs.
      • Secret Key
        The secret key is shown only once, when you generate the access key; you cannot view it later on the Prisma Cloud web interface. If you did not save it, generate a new access key.
      [Image: prisma-cloud-iac-scan-plugin-secret-key.png]
  2. Install the Prisma Cloud IaC Scan Plugin
    Use the plugin manager in Jenkins to install the Prisma Cloud IaC scan plugin, which can scan the IaC templates in any Source Code Management repository connected to Jenkins.
    1. Log in to Jenkins.
    2. Select Manage Jenkins > Manage Plugins > Available.
    3. Enter prisma cloud in the search box to find the Prisma Cloud IaC Scan plugin in the Jenkins plugin index.
    4. Install the plugin.
    5. Select Restart Jenkins when installation is complete and no jobs are running.
      [Image: prisma-cloud-iac-scan-plugin-jenkins-sucessfully-installed.png]
    6. Select Manage Jenkins > Manage Plugins > Installed to verify that the plugin is available for use.
  3. Connect Jenkins to Your Prisma Cloud Server
    The API URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed. Derive it from the URL of the tenant provisioned for you by replacing the leading app with api: for example, https://app2.prismacloud.io becomes https://api2.prismacloud.io, and https://app.eu.prismacloud.io becomes https://api.eu.prismacloud.io. Refer to the Prisma Cloud REST API Reference for more details.
    1. In Jenkins select Manage Jenkins > Configure System and enter the Auth URL (the API URL derived above), Access Key, and Secret Key.
      [Image: prisma-cloud-iac-scan-plugin-auth-details.png]
    2. Click Test Connection to authenticate to Prisma Cloud. After a successful connection, the message Successfully authenticated with server is displayed.
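The following script is an added example, not part of the plugin or of this page: it derives the API URL from a tenant URL the way the text describes (app → api, rejecting anything that is not an https prismacloud.io host) and, optionally, exercises the access key and secret key against the Prisma Cloud REST API's login endpoint so you can rule out bad credentials before troubleshooting Test Connection in Jenkins. The request shape for /login (access key as username, secret key as password, JWT returned in a token field) is taken from the REST API Reference rather than from this page, and the PRISMA_ACCESS_KEY / PRISMA_SECRET_KEY environment variable names are this example's own convention.

```python
"""Derive a Prisma Cloud API URL from a tenant URL and optionally verify a
key pair against it. Added example; not the plugin's own code."""
import json
import os
import re
import sys
import urllib.request
from urllib.parse import urlparse

# Tenant hosts look like app.prismacloud.io, app2.prismacloud.io or
# app.eu.prismacloud.io; the API host replaces the leading "app" with "api".
_TENANT_HOST = re.compile(
    r"^app(?P<rest>\d*(?:\.[a-z0-9-]+)*\.prismacloud\.io)$"
)


def api_url_from_tenant(tenant_url: str) -> str:
    """Map https://app2.prismacloud.io -> https://api2.prismacloud.io.

    Rejects non-https URLs and hosts outside prismacloud.io so a typo or a
    look-alike domain cannot become the Auth URL that receives the key pair.
    """
    parsed = urlparse(tenant_url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        raise ValueError("tenant URL must use https")
    match = _TENANT_HOST.match(host)
    if not match:
        raise ValueError(f"not a Prisma Cloud tenant host: {host!r}")
    return "https://api" + match.group("rest")


def login(api_url: str, access_key: str, secret_key: str, timeout: float = 15) -> str:
    """POST /login and return the JWT the API issues.

    Request and response shape per the Prisma Cloud REST API Reference
    (login endpoint); this page itself does not document it.
    """
    body = json.dumps({"username": access_key, "password": secret_key}).encode()
    req = urllib.request.Request(
        api_url.rstrip("/") + "/login",
        data=body,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        token = json.load(resp).get("token")
    if not token:
        raise RuntimeError("login returned no token")
    return token


if __name__ == "__main__":
    tenant = sys.argv[1] if len(sys.argv) > 1 else "https://app.prismacloud.io"
    api_url = api_url_from_tenant(tenant)
    print("Auth URL to enter in Jenkins:", api_url)
    # Keys are read from the environment (example's own variable names), not
    # from the command line, so they stay out of shell history and ps output.
    access_key = os.environ.get("PRISMA_ACCESS_KEY")
    secret_key = os.environ.get("PRISMA_SECRET_KEY")
    if access_key and secret_key:
        token = login(api_url, access_key, secret_key)
        # Report success without echoing the token itself.
        print("Successfully authenticated; token length", len(token))
```

Run it as `PRISMA_ACCESS_KEY=... PRISMA_SECRET_KEY=... python3 check_prisma.py https://app2.prismacloud.io`; a 401 from /login means the key pair is wrong or revoked, while a DNS or connection error means Jenkins will need outbound access to that API host before Test Connection can succeed.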
  4. Add a Build Step in Jenkins
    After you connect the Prisma Cloud IaC scan plugin to Prisma Cloud, add a build step to the job whose templates you want to scan.
    [Image: prisma-cloud-iac-scan-plugin-build-step.png]
    1. Select New Item and enter a name for the item that you want to build.
    2. Save your item by clicking OK.
    3. Select Configure and navigate to Build. Specify the following fields; all are required except Template Version:
      • Asset Name
        The registered asset name, which appears as the resource name in the Prisma Cloud DevOps inventory. The asset name must not exceed 255 characters. For example, prisma-cloud-build is a valid asset name.
      • Tags
        Comma-separated key:value pairs that let you search for the build in the DevOps inventory UI of Prisma Cloud. Examples of valid tags: env:dev, tag:value, team:team-one.
      • Template Type
        The kind of IaC template the job scans. The supported template types are Terraform, AWS CloudFormation, and Kubernetes manifests; enter the abbreviation TF, CFT, or K8S respectively.
      • Template Version (Optional)
        Applies only when you entered TF in the Template Type field. Examples of valid values are 0.11, 0.12, or 0.13. The value is a hint: the scanner first tries to detect the Terraform version from the templates, and falls back to the value you entered if it cannot.
      • Set up the failure criteria for the Prisma Cloud IaC scan
        Define, per severity, how many issues the scan may report before the build fails: High: x, Medium: y, Low: z, Operator: O, where x, y, and z are the numbers of issues of each severity and the operator is OR or AND. As the examples imply, a severity's criterion is met when the scan finds more issues of that severity than its threshold; with OR the build fails as soon as any one criterion is met, with AND only when all three are.
        For example:
        • To fail the pipeline for any security issue detected: High: 0, Medium: 0, Low: 0, Operator: OR
        • To never fail the pipeline: High: 1000, Medium: 1000, Low: 1000, Operator: AND
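To make the failure criteria concrete, the following is an added example (not the plugin's own code) that parses the High/Medium/Low/Operator notation used above and applies it to the issue counts of a scan. It implements the rule the page's two examples imply, namely that a severity's criterion is met when its count exceeds the threshold, which is an assumption about the plugin's exact comparison; the sample counts are constructed for the example.

```python
"""Evaluate Prisma Cloud IaC scan failure criteria against issue counts.

Added example; reproduces the rule implied by the page's examples
(count > threshold per severity, combined with OR/AND), not the
plugin's own implementation.
"""
import re
from typing import Dict, Tuple

SEVERITIES = ("High", "Medium", "Low")
# Matches "High : 0", "Medium: 5", "Operator: OR" in any case or spacing.
_CRITERIA = re.compile(r"(High|Medium|Low|Operator)\s*:\s*(\w+)", re.IGNORECASE)


def parse_criteria(text: str) -> Tuple[Dict[str, int], str]:
    """Parse 'High : 0, Medium : 0, Low : 0, Operator: OR' into
    ({'High': 0, 'Medium': 0, 'Low': 0}, 'OR'); reject incomplete input
    rather than silently defaulting a missing threshold."""
    thresholds: Dict[str, int] = {}
    operator = None
    for key, value in _CRITERIA.findall(text):
        key = key.capitalize()
        if key == "Operator":
            operator = value.upper()
        else:
            thresholds[key] = int(value)
    missing = [s for s in SEVERITIES if s not in thresholds]
    if missing or operator not in ("OR", "AND"):
        raise ValueError(f"incomplete criteria: missing {missing}, operator={operator!r}")
    return thresholds, operator


def should_fail(counts: Dict[str, int], thresholds: Dict[str, int], operator: str) -> bool:
    """True when the build must fail: any criterion met for OR, all for AND.
    A severity absent from counts is treated as zero issues."""
    met = [counts.get(sev, 0) > thresholds[sev] for sev in SEVERITIES]
    return any(met) if operator == "OR" else all(met)


def evaluate(criteria: str, counts: Dict[str, int]) -> bool:
    """Parse the criteria string and evaluate it against counts."""
    thresholds, operator = parse_criteria(criteria)
    return should_fail(counts, thresholds, operator)


# Constructed sample counts, e.g. a small Terraform module with no high
# findings, two medium ones and five low ones.
SAMPLE_COUNTS = {"High": 0, "Medium": 2, "Low": 5}

STRICT = "High : 0, Medium : 0, Low : 0, Operator: OR"        # page example 1
NEVER = "High : 1000, Medium : 1000, Low : 1000, Operator: AND"  # page example 2
IGNORE_LOW = "High : 0, Medium : 0, Low : 1000, Operator: OR"  # block on high/medium only

if __name__ == "__main__":
    for label, crit in (("strict", STRICT), ("never", NEVER), ("ignore-low", IGNORE_LOW)):
        print(f"{label:10s} -> fail build: {evaluate(crit, SAMPLE_COUNTS)}")
```

The IGNORE_LOW variant shows how to gate only on high and medium findings without switching to AND, which would otherwise require every severity to be over its threshold before the build fails.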
  5. Run an IaC Scan on Your Build
    1. Select Build Now to generate your build.
    2. Select the build and then select Prisma Cloud IaC Scan Report to view the report.
    [Image: prisma-cloud-iac-scan-plugin-build-results-blue-screen-shot.png]
