Manage security tools

3 minute read

CloudBees platform integrates third-party security tools, such as SAST or DAST scanners, for use in implicit security assessments. These tools are activated and reviewed from the Marketplace.

The Marketplace can be accessed at organization level, or at component level. Enable or disable tools at organization level, and review the status of each tool at component level.

To access the Marketplace:

  1. Select an organization. Optionally, select a component.

  2. Select Security  Marketplace.

ASPM Marketplace
Figure 1. ASPM Marketplace
  1. Select to filter tools by Category, Tags, or Tooling, or clear all filters.

  2. Search for a security tool.

  3. Select to toggle implicit security assessment. Disabling implicit security assessment turns off automatic security analysis for all the components associated with the selected organization and its sub-organizations.

  4. Select to enable or disable security tools. This can only be done at organization level.

Only users with the Admin user role in the organization can enable or disable security tools.

Organization hierarchy, and override records

Enabling or disabling a security tool, or implicit security assessment, is done at the organization level. Changes made to the root organization affect all of its child organizations. Below root-organization level, changes made to an organization create an override record, such that changes to its parent won’t affect that organization.

For example, in the image below, enabling a security tool for the Root organization would enable it for all three child organizations. If you then disabled it for Child organization 1, it would also disable it for Child organization 3.

Activating a different security tool for Child organization 1 would activate it for Child organization 3, unless that tool had already been deactivated for Child organization 3, which would have created an override record.

Organization hierarchy
Figure 2. Organization hierarchy
Disabling a security tool for the root organization disables it for all child organizations, irrespective of override records.

Available security tools

The following security tools can currently be configured on the CloudBees platform:

Code security scanners
Security tool Description Supported languages Explicit or implicit Scan type Installation type

Black Duck SCA

Scans open-source dependencies for known vulnerabilities and license risks.

Explicit

Code

Both single and multi tenant

Checkov

Scans cloud infrastructure configurations, including Terraform and Cloud Formation scripts.

Implicit

Code

Both single and multi tenant

Coverity on Polaris

Enterprise-grade static analysis for code security and quality.

Explicit

Code

Both single and multi tenant

Gitleaks

Scans Git repositories for sensitive content, such as credentials.

N/A (language agnostic)

Implicit

Code

Both single and multi tenant

Gosec

An open source Golang security scanner.

Implicit

Code

Both single and multi tenant

Njsscan

An open source Node.js security scanner.

Implicit

Code

Both single and multi tenant

SCC Scanner

An application software language analyzer. SCC Scanner is enabled on the CloudBees platform by default.

Implicit

Code

Single-tenant

SonarQube

Detects bugs, code smells, and security vulnerabilities across multiple languages.

Explicit

Code

Both single and multi tenant

Binary security scanners
Security tool Description Supported languages Explicit or implicit Scan type Installation type

FindSecBugs

An open source Java security scanner. Used in CloudBees to scan binary .jar files.

Implicit

Binary

Both single and multi tenant

Grype

A vulnerability scanner for container images, SBOMs, and file systems.

Implicit

Binary

Both single and multi tenant

Syft SBOM

Generates software bills of materials (SBOMs) from containers and binaries.

Implicit

Binary

Both single and multi tenant

Trivy

A Docker image scanner that supports OS packages and language-specific dependencies.

Implicit

Binary

Both single and multi tenant