Code and binary security analysis


The CloudBees platform performs an implicit security analysis, automatically triggering scans on code assets when you create a component, or when you commit changes to a linked repository. It also automatically triggers scans on binary assets whenever a workflow runs successfully with the upload artifact build step.

Findings from security scans are displayed in the Security center and in the component's security summary.

Implicit code security analysis

To enable implicit code security analysis:

  1. Select an organization from the dropdown in the left navigation.

  2. Select the Security dropdown from the left navigation; then select Marketplace.

  3. Toggle Implicit security assessment to active.

  4. Activate one or more code security tools, such as Checkov or Gosec. For further information, refer to Available security tools.

Once enabled, an implicit security scan is triggered automatically when you perform the following actions:

  • Create a component.

  • Commit a change, or create a branch, in any repository linked to a component.

Binary security analysis

The CloudBees platform also performs binary security analysis. Currently, it uses CloudBees platform workflows, and triggers a binary scanner such as Trivy or FindSecBugs whenever a configured workflow is invoked. For a full list of scanners currently available for security analysis, refer to Available security tools.

This capability will eventually be expanded to become implicit, using AWS and JFrog master and decorator plugins to connect to an account, scan repositories of interest, detect when new images are pushed to the repository, and trigger an implicit security scan when an image is pushed.

To trigger a binary security analysis of files produced by a workflow, add the following to the workflow:

    - id: upload-binary
      name: Upload binary using action
      uses: calculi-corp/assets-plugin-chain-utils/upload-binary@v1
      with:
        file-path: directory/subdirectory/container-image.tar    (1)
        file-type: BINARY_CONTAINER                              (2)

  1. Replace the contents of file-path with the path to your binary file. The path is relative to the CloudBees workspace. file-path must always point to a file, never to a directory.

  2. Two file types are supported:
  • BINARY_CONTAINER: A container image file.

  • BINARY_JAR: Use this if you have a workflow that checks out Java code to build a .jar executable.

Once added to your workflow, every time you upload a binary file to the specified path, upload-binary triggers a secondary workflow which scans the file.
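A pre-flight check you can run in the workflow before the upload-binary step, as an added example that is not part of the CloudBees documentation: it confirms that file-path names a regular file (not a directory) and that the file's contents match the declared file-type, so a misconfigured step fails early instead of producing a scan of the wrong artifact. The function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight check for the upload-binary step (example only; the helper names
# are assumptions, not part of the CloudBees action).

# check_upload_binary PATH FILE_TYPE
# Returns 0 when PATH is a regular file whose contents match FILE_TYPE,
# otherwise prints the reason to stderr and returns a non-zero code.
check_upload_binary() {
  path="$1"; ftype="$2"
  if [ ! -f "$path" ]; then
    echo "file-path must point to a regular file: $path" >&2
    return 1
  fi
  case "$ftype" in
    BINARY_JAR)
      # A .jar is a ZIP archive: the first four bytes are the "PK\003\004" signature.
      magic=$(head -c 4 "$path" | od -An -tx1 | tr -d ' \n')
      [ "$magic" = "504b0304" ] || { echo "not a JAR/ZIP archive: $path" >&2; return 2; }
      ;;
    BINARY_CONTAINER)
      # An image tarball carries manifest.json (docker save) or index.json (OCI layout) at its root.
      tar -tf "$path" 2>/dev/null | grep -qxE 'manifest\.json|index\.json' \
        || { echo "not a container image tarball: $path" >&2; return 3; }
      ;;
    *)
      echo "unsupported file-type: $ftype (expected BINARY_CONTAINER or BINARY_JAR)" >&2
      return 4
      ;;
  esac
  return 0
}

# Constructed sample inputs (not real artifacts) so the check can be exercised offline.
# Prints the directory that holds app.jar (a minimal ZIP) and image.tar (a tar with manifest.json).
make_samples() {
  dir=$(mktemp -d)
  printf 'PK\003\004' > "$dir/app.jar"
  printf '[]' > "$dir/manifest.json"
  tar -cf "$dir/image.tar" -C "$dir" manifest.json
  echo "$dir"
}

# Usage in a workflow step, mirroring the values from the snippet above:
#   check_upload_binary directory/subdirectory/container-image.tar BINARY_CONTAINER || exit 1
```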

Scan findings sit alongside the code security analysis results in the Security center, attributed to a component branch.

Binary findings in the Security center relate only to the most recently produced binary. Unlike the code asset profile for a component or branch, which is retained over time and updated with the latest results, each produced binary becomes a separate asset profile with its own set of findings, so only the latest one is relevant.