Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRRetrieve an object from Amazon S3Store an object on Amazon S3Copy Docker images with CraneDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryGet artifact detailsRegister a build artifactRegister a deployed environment artifact
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineBuild and publish Docker images with KanikoRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookDeploy with Argo WorkflowsDeploy with AWS CodeDeployDeploy a binary with Amazon EC2Deploy to ECSRender an Amazon ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
Fetch secrets from CyberArk Conjur
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCheckovCoverity on PolarisFind Security BugsGitHub Security ScannerGosecGrypeMendNexus IQnjsscanSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionGitleaksTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Manage workflows
Introductioncloudbees and other context objectsenvnameonpermissionsjobs.<job_id>.<job_id>.delegates.<job_id>.env.<job_id>.vars.<job_id>.secrets.<job_id>.environment.<job_id>.if.<job_id>.needs.<job_id>.outputs.<job_id>.permissionsjobs.<job_id>.uses.<job_id>.services.<job_id>.services.<service_id>.services.<service_id>.args.services.<service_id>.env.services.<service_id>.imagejobs.<job_id>.steps.<job_id>.steps[*].id.<job_id>.steps[*].env.<job_id>.steps[*].if.<job_id>.steps[*].name.<job_id>.steps[*].run.<job_id>.steps[*].shell.<job_id>.steps[*].uses.<job_id>.steps[*].with.<job_id>.steps[*].with.args.<job_id>.steps[*].with.entrypoint.<job_id>.steps[*].timeout-minutesjobs.<job_id>.timeout-minutes
An example workflow
Reusable workflows
Personal access tokens
Trigger a workflow using an API
IntroductionManual approval
Connect a repositoryCreate a workflowRun a scanPublish an image
Introduction
Get started with feature flags
Create flags in code
Manage multiple SDK keys in your application
Create and manage flags in the UI
Namespaces and labels
Configure feature flags
Feature management custom roles
Flag approval requests and reviews
Audit history
Configuration as code
Flag impressions and activity status
Flag health
Code references
Properties and custom properties
Target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAndroid appAngular appDjango appGin appJava Spring Boot app.NET Core appReact appSwift iOS app

Manage security tools

5 minute read

CloudBees platform integrates third-party security tools, such as SAST or DAST scanners, for use in implicit security assessments. These tools are activated and reviewed from the Marketplace.

The Marketplace can be accessed at organization level, or at component level. Enable or disable tools at organization level, and review the status of each tool at component level.

To access the Marketplace:

  1. Select an organization. Optionally, select a component.

  2. Select Security  Marketplace.

ASPM Marketplace
Figure 1. ASPM Marketplace

  1. Select to filter tools by Category, Tags, or Tooling, or clear all filters.

  2. Search for a security tool, or filter by activated or available tools.

  3. Select to enable or disable implicit security assessment. Implicit security assessment can be enabled or disabled at both tenant and sub-organization level.

    Disabling implicit security assessment turns off automatic security analysis for all the components associated with the selected organization and its sub-organizations. For further details, refer to Organization hierarchy, and override records.

  4. Select to toggle security tools:

    • For the tenant organization, select to activate or deactivate security tools for all child organizations. Only tools that have been activated at the tenant organization level can be enabled for sub-organizations.

    • For sub-organizations, select to enable or disable security tools for that organization only. Re-enabling a disabled tool for a sub-organization restores any previous configuration of that tool.

    Only users with the Admin user role in the organization can enable or disable security tools.

  5. Select Configure to configure a security tool. This option is only available for certain tools that require configuration, such as Black Duck SCA or Coverity on Polaris.

    Any user can view the configuration of a security tool, but only users with the Admin user role in the organization can configure them.

Organization hierarchy, and override records

Enabling or disabling a security tool, or implicit security assessment, is done at the organization level. Changes made to the tenant organization affect all of its child organizations. Below tenant-organization level, changes made to an organization create an override record, such that changes to its parent do not affect that organization.

For example, in the image below, enabling a security tool for the tenant organization would enable it for all three child organizations. If you then disabled it for Child organization 1, it would also disable it for Child organization 3.

Activating a different security tool for Child organization 1 would activate it for Child organization 3, unless that tool had already been deactivated for Child organization 3, which would have created an override record.

Organization hierarchy
Figure 2. Organization hierarchy
Deactivating a security tool for the tenant organization disables it for all child organizations, irrespective of override records.

Configurable tools and inheritance

Certain tools, such as Black Duck SCA, Coverity on Polaris, and SonarQube, must be configured when they are enabled for an organization. When you configure a tool, you are able to specify whether to allow child organizations to inherit that configuration, or require them to be configured separately. This inheritance can be changed at any time.

Configuration values set within sub-organizations are preserved even if inheritance is disabled and later re-enabled. This ensures that any admin-defined settings at the sub-organization level remain in place until explicitly updated.

Changing whether child organizations inherit their configuration does not change their configuration in itself. Once inheritance is enabled or disabled, you must update configuration at either the parent level (for inheritance enabled), or the child level (for inheritance disabled), to change the child organization’s configuration.

Configure Perforce Klocwork SAST

Perforce Klocwork SAST must be configured in the Marketplace before it can be used for implicit security analysis. To configure Klocwork SAST:

  1. In the Marketplace, select Configure for Klocwork SAST.

  2. In the Klocwork SAST Configuration dialog, enter the following details:

    • Select whether to allow child organizations to inherit this configuration.

    • Configuration based on: Select whether to authenticate using credentials, or an application token.

    • Select Enable Klocwork Agent Scan to run a change-only scan with kwciagent. This provides a quick way to confirm that small, recent code changes are clean, as long as a full scan has already been run on the project.

    • Klocwork host URL: The URL of your Klocwork server.

    • Klocwork license server hostname: The hostname of your Klocwork license server.

    • Klocwork license server port: The port number of your Klocwork license server.

    • Klocwork username: The username used to authenticate with the Klocwork server.

    • Klocwork application token or Klocwork password: The application token or password used to authenticate with the Klocwork server.

  3. Select Save to save the configuration.

Available security tools

The following security tools can currently be configured on the CloudBees platform:

Code security scanners

For Coverity on Polaris, findings redirection to the exact line of code is not supported. CloudBees platform redirects to the file containing the issue, but does not highlight the line number, because this is not supported by the Coverity tool itself.
Security tool Description Supported languages Explicit or implicit Scan type Installation type

Black Duck SCA

Scans open-source dependencies for known vulnerabilities and license risks.

Supported languages

Explicit

Code

Both single and multi tenant

Checkov

Scans cloud infrastructure configurations, including Terraform and Cloud Formation scripts.

Supported IAC types

Implicit

Code

Both single and multi tenant

Coverity on Polaris

Enterprise-grade static analysis for code security and quality.

Supported languages

Explicit

Code

Both single and multi tenant

Gitleaks

Scans Git repositories for sensitive content, such as credentials.

N/A (language agnostic)

Implicit

Code

Both single and multi tenant

Gosec

An open source Golang security scanner.

Supported languages

Implicit

Code

Both single and multi tenant

Klocwork

A SAST tool that checks code against secure coding rules to help identify and fix critical vulnerabilities early.

Implicit

Code

Single tenant

Njsscan

An open source Node.js security scanner.

Supported languages

Implicit

Code

Both single and multi tenant

SCC Scanner

An application software language analyzer. SCC Scanner is enabled on the CloudBees platform by default.

Supported languages

Implicit

Code

Single-tenant

Snyk SAST

Scans source code to identify security weaknesses early in the development process.

Supported languages

Implicit

Code

Both single and multi tenant

SonarQube

Detects bugs, code smells, and security vulnerabilities across multiple languages.

  • C#

  • Go

  • Java

  • JavaScript

  • PHP

  • Python

  • Ruby

Explicit

Code

Both single and multi tenant
Binary security scanners
Security tool Description Supported languages Explicit or implicit Scan type Installation type

FindSecBugs

An open source Java security scanner. Used in CloudBees to scan binary .jar files.

Supported languages

Implicit

Binary

Both single and multi tenant

Grype

A vulnerability scanner for container images, SBOMs, and file systems.

Supported languages

Implicit

Binary

Both single and multi tenant

Syft SBOM

Generates software bills of materials (SBOMs) from containers and binaries.

Supported formats

Implicit

Binary

Both single and multi tenant

Trivy

A Docker image scanner that supports OS packages and language-specific dependencies.

Supported languages

Implicit

Binary

Both single and multi tenant
Security overview
Code and binary security analysis