Use the Prisma Cloud IaC Scan Plugin for Jenkins

Verify the prerequisites

You must have administrative privileges in Jenkins to install the Prisma Cloud IaC scan plugin.

Launch your browser to point to the location of your Jenkins server. For example, the default URL is http://localhost:8080. Replace

8080

with a custom port you used.

Enter your

username

and

password

.

Click

Sign in

.

Access Key
Enables programmatic access to Prisma Cloud. To create an access key select
Settings
Access Keys
Add New.
Secret Key
You should have saved this secret key when you generated it. You cannot view it on the Prisma Cloud web interface.



Install the Prisma Cloud IaC Scan Plugin

Use the plugin manager in Jenkins to install the Prisma Cloud IaC scan plugin for scanning your templates and images across all Source Code Management repositories connected to Jenkins.

Log in to Jenkins.

Select

Manage Jenkins

Manage Plugins

Available

.

Enter

prisma cloud

to find Prisma Cloud iac scan on the Jenkins marketplace.

Install the plugin.

Select

Restart Jenkins

when installation is complete and no jobs are running.



Select

Manage Jenkins

Manage Plugins

Installed

to verify that the Jenkins plugin is available for use.

Connect Jenkins to Your Prisma Cloud Server

The API URL for Prisma Cloud varies depending on the region and cluster on which your tenant is deployed.

If the tenant provisioned for you is, for example, https://app2.prismacloud.io or https://app.eu.prismacloud.io, replace

app

in the URL with

api

. Refer to the Prisma Cloud REST API Reference, for more details.

In Jenkins select
Manage Jenkins
Configure System.
Enter the credentials for
Auth URL
,
Access Key
, and
Secret Key
.

Click
Test Connection
to authenticate into Prisma Cloud and after successful connection the message
Successfully authenticated with server
will display.

Add a Build Step in Jenkins

After you connect Prisma Cloud IaC scan to Prisma Cloud add a build step.



Select
New Item
to add a name for the item that you want to build.
Save your item by clicking
OK
.
Select
Configure
and navigate to
Build
. Specify the following fields except Template Version which is optional:
Asset Name
—The registered asset name that will appear as the resource name in the Prisma Cloud Devops inventory. The character limit for asset name should not exceed 255 characters. For example,
prisma-cloud-build
is a valid asset name.
Tags
—The key-value pairs separated by commas which allows the build to be searched in the DevOps inventory UI of Prisma Cloud. Examples of valid tags;
env:dev
,
tag:value
,
team:team-one
.
Template Type
—A template is a configuration management tool that is used to provision resources in the cloud. The templates supported are Terraform, AWS CloudFormation, and Kubernetes Templates. Enter the templates abbreviations as values, for example
TF
,
CFT
, and
K8S
.
Template Version (Optional)
—This field is only applicable if you entered
TF
in the Template Type field. Examples of valid values are 0.11, 0.12, or 0.13. The value you enter will be a hint as the system will attempt to determine the correct version number, otherwise the system will use the value you entered.
Set up the failure criteria for the Prisma Cloud IaC scan
Define the number of issues by severity in
Prisma Cloud IaC scan
plugin. Set the
High
: x,
Medium
: y,
Low
: z, Operator: O, where, x,y, and z are the number of issues of each severity, and the operator is
OR
,
AND
.
For example:
To fail the pipeline for any security issue detected—High : 0, Medium : 0, Low : 0, Operator: OR
To never fail the pipeline—High : 1000, Medium : 1000, Low : 1000, Operator: AND

Run an IaC Scan on Your Build

Select
Build Now
to generate your build.
Select the build and then select
Prisma Cloud IaC Scan Report
to view the report.