1. Overview

The Prisma Cloud Jenkins plugin supports Jenkins Pipeline. Jenkins Pipeline lets you implement and integrate continuous delivery pipelines into Jenkins.

The publish build step depends on the results file generated by scan build step. The results file must be accessible when running the publish step. Therefore, it’s not possible to run both stages (scan and publish) on different nodes or in parallel.

For example, a pipeline script that scans a serverless function and publishes the results (assuming the function zip file exists in the current workspace) looks as follows:

node('master') {
  stage('Scan') {
    prismaCloudScanFunction
  }

  stage('Publish') {
    prismaCloudPublish
  }
}

2. Setting up a Pipeline project for container images

To set up a Jenkins Freestyle project:

  1. Go to the Jenkins top page.

  2. Create a new project.

    1. Click New Item.

    2. In Item name, enter a name for your project.

    3. Select Pipeline.

    4. Click OK.

      jenkins create pipeline project
  3. Use Jenkin’s Snippet Generator to generate Pipeline Script for the Prisma Cloud steps.

    In the Pipeline section, click on the Pipeline syntax link, which takes you to https://<PRISMA_CLOUD_CONSOLE>/job/docs_issue/pipeline-syntax/.

    jenkins pipeline project pipeline syntax
  4. Generate Pipeline Script for the scan step.

    1. In the Sample Step drop-down, select prismaCloudScanImage - Scan Prisma Cloud Images.

    2. In the Image field, select the image to scan by specifying the repository and tag.

      Specify the repository and tag using an exact match or pattern matching expressions. For example, enter test/test-image*.

      If the image you want to scan is created outside of this build, or if you want to scan the image every build, even if the build might not generate an new image, then click Advanced, and select Ignore image creation time.
    3. Click Generate Pipeline Script, copy the snippet, and set it aside.

  5. Generate Pipeline Script to publish the scan results in Jenkins directly.

    This post-build step depends on a file generated by the previous scan build step, which holds the scan results. This step specifically makes the results available for review in the Jenkins build tool. Note that the previous scan step already published the results in Console, and they’re ready to be reviewed there.

    1. In the Sample Step drop-down, select prismaCloudPublish - Publish Prisma Cloud analysis results.

    2. In Scan Result Files, accept the default.

      Scan result files aren’t deleted by the publish step. They stay in the workspace.

    3. Click Generate Pipeline Script, copy the snippet, and set it aside.

  6. Return to your project configuration page.

  7. Paste both snippets into the script section for your project configuration.

    The following example script builds a simple image, and runs the scan and publish steps.

    pipeline {
        agent any
        stages {
            stage('Build') {
                steps {
                    // Build an image for scanning
                    sh 'echo "FROM imiell/bad-dockerfile:latest" > Dockerfile'
                    sh 'docker build --no-cache -t test/test-image:0.1 .'
                }
            }
            stage('Scan') {
                steps {
                    // Scan the image
                    prismaCloudScanImage ca: '',
                    cert: '',
                    dockerAddress: 'unix:///var/run/docker.sock',
                    image: 'test/test-image*',
                    key: '',
                    logLevel: 'info',
                    podmanPath: '',
                    project: '',
                    resultsFile: 'prisma-cloud-scan-results.json',
                    ignoreImageBuildTime:true
                }
            }
        }
        post {
            always {
                // The post section lets you run the publish step regardless of the scan results
                prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results.json'
            }
        }
    }
  8. Click Save.

  9. Click Build Now.

  10. After the build completes, examine the results.

    1. The Status page shows a summary of each build step:

      jenkins pipeline project stage view
    2. Click on a step to view the log messages for that step:

      jenkins pipeline project stage logs
    3. Scan step returned result:

      The criteria for passing or failing a scan is determined by the CI vulnerability and compliance policies set in Console. The default CI vulnerability policy alerts on all CVEs detected. The default CI compliance policy alerts on all critical and high compliance issues.

      There are two reasons why prismaCloudScanImage scan step might return a failed result.

      • The scan failed because the scanner found issues that violate your CI policy.

      • Prisma Cloud Compute Jenkins plugin failed to run due to an error.

      In order to understand the reason for the failure, view the step’s log messages, or move to the Jenkins Console Output page. Another option that can help you differentiate the reason for the failure could be to create preliminary steps to the scan step in order to check the Console’s availability, network connectivity, etc.

      Anyhow, although the return value is ambiguous — you cannot determine the exact reason for the failure by just examining the return value — this setup supports automation. From an automation process perspective, you expect that the entire flow will work. If you scan an image, with or without a threshold, either it works or it does not work. If it fails, for whatever reason, you want to fail everything because there is a problem.

    4. Scan reports are available in the following locations:

      • Prisma Cloud Console: Log into Console, and go to Monitor > Vulnerabilities > Images > CI.

      • Jenkins: Drill down into the build job, then click Image Vulnerabilities to see a detailed report.