1. Overview

Prisma Cloud provides a Jenkins plugin that lets you incorporate vulnerability and compliance scanning into your continuous integration pipeline. The plugin scans container images and serverless functions.

The Jenkins plugin can be downloaded directly from Console (Manage > System > Downloads). It’s also delivered with the release tarball that you download from Releases.

In order to interoperate, both Console and the Jenkins plugin must be from the same release.
The Jenkins plugin is built for Jenkins on Linux. To scan images with Jenkins on other operating systems, use a platform-specific twistcli binary.

2. Build and scan flow

After Jenkins builds a container image or serverless function package, the Prisma Cloud plugin scans it for vulnerabilities and compliance issues.

Prisma Cloud can pass or fail builds, depending on the types of issues discovered, and the policies set in Console. By incorporating scanning into the build phase of the development workflow, developers get immediate feedback about what needs to be fixed. The scan report provides all the information required to fix the vulnerabilities.

The sequence of events is described below:

  1. A developer commits a change, which triggers a build.

  2. Jenkins builds the container image.

  3. Jenkins calls the Prisma Cloud plugin for scanning. The plugin collects data about the image, including the packages and binaries in the image, and submits it to Console for analysis.

  4. Console returns a list of vulnerabilities and compliance issues.

  5. The Prisma Cloud plugin passes or fails the build depending upon your policy.

    For more information about configuring a scan, see: Setting up a Freestyle project, Setting up a Maven project, or Setting up a Pipeline project.

    For more information about targeting rules created in Console to the Jenkins plugin, see Set policy in the CI plugins.

  6. Scan results can be reviewed in the following locations:

    • Directly in the Jenkins tool, including the project/job page and dashboard view.

    • In Prisma Cloud Console, in the Monitor > Vulnerabilities > {Images | Functions} > CI pages.

When scanning multiple images in a single build, results do not appear correctly in the Jenkins dashboard view or vulnerability trends table/graph. Only trend data for the last image scanned is shown. Instead, go to Console to see scan results for all images in the build.

3. Installing the Prisma Cloud Jenkins plugin

Install the Jenkins plugin.

The build console output in Jenkins may show the message "No CA cert was specified, using insecure connection". This message is generated because twistcli, which the Jenkins plugin wraps, checks the Console’s trust chain by default. When twistcli is run directly, the --tlscacert parameter can be passed to specify the signer, so this message is not shown. To simplify configuration, the Jenkins plugin doesn’t expose this option, which is why the message is shown. The connection between Jenkins and Console is still fully encrypted with TLS.

The Prisma Cloud Jenkins plugin uses the proxy settings specified in your Jenkins HTTP proxy configuration, which can be found in Manage Jenkins > Manage Plugins > Advanced.

Prerequisites:

  • Your version of Jenkins meets Prisma Cloud’s minimum requirements.

  • You have installed Prisma Cloud Console on a host in your environment.

  • Your Jenkins host can reach Prisma Cloud Console over the network.

  • We recommend adding a Prisma Cloud user with the CI User role to minimize privileges on Console. For more information, see User roles.

  1. Validate that the Jenkins host can communicate with Prisma Cloud Console.

  2. Open the Jenkins top page.

  3. Install the Prisma Cloud Jenkins plugin.

    The Jenkins plugin can be downloaded directly from Console (Manage > System > Downloads). It’s also delivered with the release tarball that you download from Releases.

    1. Click Manage Plugins (in the left menu bar), and then click the Advanced tab.

    2. Scroll down to Upload Plugin, and click Choose File.

    3. Navigate to the folder where you unpacked the Prisma Cloud download and select prisma-cloud-jenkins-plugin.hpi.

    4. Click Upload.

  4. Configure the Prisma Cloud plugin.

    1. Go to the Jenkins top page, and then click Manage Jenkins > Configure System.

    2. Scroll down to the Prisma Cloud section.

      (Screenshot: Prisma Cloud plugin config)

    3. In the Address field, enter the URL for Prisma Cloud Console.

    4. In the User and Password fields, enter the CI role user’s credentials for Prisma Cloud Console.

    5. Click Test Connection to validate that the Jenkins plugin can communicate with Prisma Cloud Console.

    6. Click Save.

4. Scan artifacts

When a build completes, you can view the scan results directly in Jenkins. To support integration with other processes and applications in your organization, Prisma Cloud scan reports can be retrieved from several locations.

Full scan reports for the latest build can be retrieved from:

  • The scan results file in the project’s workspace (by the name configured in the scan steps).

  • The Prisma Cloud API. For more information, see the /api/v1/scans endpoint for downloading Jenkins scan results.

For example, if you use ThreadFix to maintain a consolidated view of vulnerabilities across all your organization’s applications, you could create a post-build action which triggers ThreadFix’s Jenkins plugin to grab Prisma Cloud’s scan report from the project workspace and upload it to the ThreadFix server.

To download the scan report from Console using the Prisma Cloud API, use the following command:

$ curl -k \
  -u <COMPUTE_CONSOLE_USER> \
  https://<COMPUTE_CONSOLE>/api/v1/scans/download?search=<IMAGE_NAME> \
  > scan_report.csv

5. Ignore image creation time

A common stumbling point is the "Ignore Image Build Time" option. This option checks the time the image was created against the time your Jenkins build started. If the image was not created after the start of your current build, the scan is bypassed. The plugin, by default, scans any image generated as part of your build process, but ignores images not created or updated as part of the build.

Keep in mind how Docker assigns creation times to images. If nothing in the image changes, the creation time isn’t updated. This can lead to a scenario where an image is built and scanned in one job, but not scanned in subsequent jobs, because the image didn’t change and so its creation time wasn’t updated.
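The check described above, modelled as an added example (this is not the Prisma Cloud plugin’s own code): an image’s Docker creation timestamp is compared with the Jenkins build start time, and the scan is bypassed when the image was not created after the build started. The timestamps are constructed, and the polarity of the "Ignore Image Build Time" option (enabled means the check is skipped) is an assumption.

```python
"""Models the "Ignore Image Build Time" check (added example, not plugin code)."""
from datetime import datetime, timezone


def parse_docker_created(created: str) -> datetime:
    """Parse the RFC 3339 value that `docker inspect --format '{{.Created}}'` prints.

    Docker emits nanosecond precision (e.g. 2024-03-01T10:05:00.123456789Z);
    fromisoformat() accepts at most microseconds, so the fraction is
    truncated to six digits before parsing.
    """
    if not created.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z'")
    body = created[:-1]
    if "." in body:
        whole, frac = body.split(".", 1)
        body = f"{whole}.{frac[:6]}"
    return datetime.fromisoformat(body).replace(tzinfo=timezone.utc)


def created_during_build(image_created: str, build_started: datetime) -> bool:
    """True when the image's creation time is strictly after the build start."""
    return parse_docker_created(image_created) > build_started


def scan_bypassed(image_created: str, build_started: datetime,
                  ignore_image_build_time: bool = False) -> bool:
    """Return True when the plugin would skip scanning this image.

    Assumption (not confirmed by the page): enabling the option disables the
    time check, so every image is scanned; with it disabled, an image that
    was not created after the build started is skipped.
    """
    if ignore_image_build_time:
        return False
    return not created_during_build(image_created, build_started)


# Constructed scenario: the same image is built in two consecutive jobs.
# Nothing changed between them, so Docker serves the cached image and its
# Created timestamp stays at the first build's time: job 2 never scans it.
IMAGE_CREATED = "2024-03-01T10:05:00.123456789Z"
JOB_1_START = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
JOB_2_START = datetime(2024, 3, 1, 11, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, start in (("job 1", JOB_1_START), ("job 2", JOB_2_START)):
        state = "bypassed" if scan_bypassed(IMAGE_CREATED, start) else "scanned"
        print(f"{name}: scan {state}")
```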

6. Post build cleanup

Most pipelines push images to the registry after passing Prisma Cloud’s vulnerability and compliance scan step. Pipelines also have a final cleanup step that removes images from the local Docker cache. If your build fails, and the pipeline is halted, use a post section to clean up the Docker cache. The post section of a pipeline is guaranteed to run at the end of a pipeline’s execution.

For more information, see the Jenkins documentation.

7. What’s next?

Set up a build job and configure Prisma Cloud to scan the Docker image generated from the job.

For more information, see:

Notifications of build failures can be enabled using existing Jenkins plugins, for example: