Introduction
Architecture
Onboard
Introduction
Teams
Users
Introduction
IntroductionPromote an image in Amazon ECRDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryStore an object on Amazon S3Retrieve an object from Amazon S3
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Argo WorkflowsCopy a remote image with CraneDeploy a binary with EC2Deploy to ECSRender an ECS task definitionBuild a container image with KanikoDeploy with OctopusDeploy with SpinnakerRun Ansible Playbook
Publish evidence items
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxFind Security BugsGitHub Security ScannerGosecMendNexus IQSnykSonarQube bundledSonarQube
IntroductionMendSnyk
IntroductionTruffleHog ContainerTruffleHog CodeTruffleHog S3
Publish test results
CI insights for Jenkins

Manage security tools

2 minute read

CloudBees platform integrates third-party security tools, such as SAST or DAST scanners, for use in implicit security assessments. These tools are activated and reviewed from the Marketplace.

The Marketplace can be accessed at organization level, or at component level. Enable or disable tools at organization level, and review the status of each tool at component level.

To access the Marketplace:

  • Select an organization or component from the dropdown in the left navigation.

  • Select the Security dropdown from the left navigation, then select Marketplace.

ASPM Marketplace
Figure 1. ASPM Marketplace

  1. Select to filter tools by Category, Tags, or Tooling, or clear all filters.

  2. Search for a security tool.

  3. Select to toggle implicit security assessment. Disabling implicit security assessment turns off automatic security analysis for all the components associated with the selected organization and its sub-organizations.

  4. Select to enable or disable security tools. This can only be done at organization level.

Only users with the Admin user role in the organization can enable or disable security tools.

Organization hierarchy, and override records

Enabling or disabling a security tool, or implicit security assessment, is done at the organization level. Changes made to the root organization affect all of its child organizations. Below root-organization level, changes made to an organization create an override record, such that changes to its parent won’t affect that organization.

For example, in the image below, enabling a security tool for the Root organization would enable it for all three child organizations. If you then disabled it for Child organization 1, it would also disable it for Child organization 3.

Activating a different security tool for Child organization 1 would activate it for Child organization 3, unless that tool had already been deactivated for Child organization 3, which would have created an override record.

Organization hierarchy
Figure 2. Organization hierarchy
Disabling a security tool for the root organization disables it for all child organizations, irrespective of override records.

Available security tools

The following security tools can currently be configured in CloudBees platform:

Implicit security scanners

Security tool

Description

FindSecBugs

An open source Java security scanner.

Gitleaks

Scans Git repositories for sensitive content, such as credentials.

Gosec

An open source Golang security scanner.

Grype

A Docker image scanner.

Njsscan

An open source Node.js security scanner.

SCC Scanner

An application software languyage analyser. SCC Scanner is enabled in CloudBees platform by default.

Syft SBOM

Generates software bills of materials (SBOMs) from containers and binaries.

Trivy

A Docker image scanner.
Security center