Introduction
Architecture
Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryRegister a build artifactRegister a deployed environment artifactStore an object on Amazon S3Retrieve an object from Amazon S3
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookRun Argo WorkflowsDeploy with AWS CodeDeployCopy a remote image with CraneDeploy a binary with EC2Deploy to ECSRender an ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuBuild a container image with KanikoDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCoverity on PolarisFind Security BugsGitHub Security ScannerGosecMendNexus IQSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Introductioncloudbees and other context objectsenvnameonjobs.<job_id>.delegates.<job_id>.env.<job_id>.environment.<job_id>.if.<job_id>.needs.<job_id>.outputs.<job_id>.permissionsjobs.<job_id>.uses.<job_id>.services.<job_id>.services.<service_id>.services.<service_id>.args.services.<service_id>.env.services.<service_id>.imagejobs.<job_id>.steps.<job_id>.steps[*].id.<job_id>.steps[*].env.<job_id>.steps[*].if.<job_id>.steps[*].name.<job_id>.steps[*].run.<job_id>.steps[*].shell.<job_id>.steps[*].uses.<job_id>.steps[*].with.<job_id>.steps[*].with.args.<job_id>.steps[*].with.entrypoint.<job_id>.steps[*].timeout-minutesjobs.<job_id>.timeout-minutes
An example workflow
Manage workflows
Reusable workflows
Personal access tokens
Trigger a workflow remotely
IntroductionManual approval
IntroductionJob logsService logsEvidenceTest resultsBuild artifactsDeployments
CI insights for Jenkins
Introduction
Learn about feature flags
Create flags in code
Create/manage flags in the UI
Configure feature flags
Audit history
Configuration as code
Flag impressions and activity status
Properties, custom properties, and target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAngular appDjango appGin app.NET Core appReact appSpring Boot app
Introduction
API examples
API reference

Security center

4 minute read

The security center dashboard provides a single location to review security issues and findings, and their severity. It automatically triggers an implicit security analysis whenever you create a component, or commit changes to the repository linked to a component, and displays the results. It displays the results of these scans with a rich context, such as the line of code where a security issue is discovered, and details from the security tool including reference links and remediation suggestions. It can also, where available, display results from security tools added in explicit workflows.

On the CloudBees platform:

  • Issues are security issues reported by security tools.

  • Findings are individual occurrences of a security issue reported in a branch, file, or code location.

  • Severity is the rating reported by the security tool that discovered the finding.

Use the security center

The security center is only displayed in the navigation once a component has been selected.

To access the security center:

  1. Select an organization. Optionally, select a component.

  2. Select Security  Security center.

Security Center
Figure 1. Security center

  1. Review the GitHub organization and repository names, the branch name, the date and time of the last scan.

  2. Select a branch.

  3. Review the total number of findings, the number of findings by severity, and the number of findings within or that have breached the SLA.

    Select a number of findings to filter issues by that severity, or by findings within or that have breached the SLA.

  4. Review the total number of findings, grouped by security tool. Select a tool’s number of findings to filter issues by that tool.

  5. Filter issues by one or more of:

    • Asset type.

    • Category:

      • Configuration.

      • License violation.

      • Operational risk.

      • Penetration testing outcome.

      • Policy violation.

      • SCA.

      • Secret violation.

      • Threat modelling outcome.

      • Vulnerability.

    • Severity:

      • Very High.

      • High.

      • Medium.

      • Low.

    • SLA status:

      • Breached SLA.

      • Within SLA.

    • Status (For further information on status, refer to Triage findings):

      • Open.

      • In progress.

      • Resolved.

      • False positive.

      • Risk accepted.

      • Closed.

    • Security tool.

  6. Review the number of findings of each status. Select a status to filter findings by that status. For further information about status, refer to Triage findings.

  7. Review security issue information:

    • Severity: the severity rating reported by the security tool that discovered the finding. Select to review detailed information on each finding of the issue, including:

      • File Name: The name of the file where the finding was discovered. Select the file name to navigate to the line in the file where the finding is located.

      • Tools: The tool that discovered the finding.

      • Further details: Review further information provided by the security tool, including CWE reference, and raw data for the finding. Where multiple tools report the same finding, select a tool from the dropdown menu to see information from that tool.

    • Code: The vulnerability code, or CWE or CVE number of the issue.

    • Name: The name of the issue.

    • Category: The category of the issue.

    • Findings: The number of findings of that issue.

    • Scanning tools: The tools that reported the issue.

    • First identified: When the issue was first reported.

Triage findings

By default, when a security scan detects an issue, a new finding is created in the security center with its status set to Unreviewed. From here, you should transition its status to Fix Required, at which point it is moved to the Fix Required tab.

During the triage process, a qualified security or DevOps SME is likely to uncover findings that either fall within your tolerance for risk, or are false positives, neither of which require remediation. In the CloudBees platform, you can transition the status of these findings to Risk Accepted if you have decided not to fix the issue or to False Positive if you believe the security finding is incorrect. Transition all other findings to Fix Required.

Once a finding has been transitioned to Risk Accepted or False Positive, its status wont be affected by new scans. Resolved findings are automatically updated. Once a developer fixes all the associated findings, the source code management platforms such as GitHub or Bitbucket inform the CloudBees platform, which initiates a new scan. If the scan doesn’t find any violations, the finding is automatically marked as closed in your collaboration tool, and its status updated to Resolved.

To triage findings:

  1. Select an organization. Optionally, select a component.

  2. Select Security  Security center.

  3. For the issue containing the asset you want to review, select to expand the issue.

  4. Select Triage.

  5. Select one of the following:

    • Fix Required: The finding needs to be fixed.

    • False Positive: The finding is incorrect, or not an actionable issue. Selecting false positive immediately updates the status of the finding, and it appears in dashboards as a false positive finding.

      The user can transition the finding back for further triage. An organization owner can also reject the transition to false positive, which reverts the status to Unreviewed.

      • For Justification, enter comments for the organization owner, explaining why the finding is a false positive.

    • Risk Accepted: the issue falls within your risk tolerance. Transition to risk accepted requires approval by an organization owner.

      • For Expiry date, select a date for the risk acceptance to expire. Defaults to 90 days.

      • For Justification, enter comments for the organization owner, explaining why the finding falls within risk tolerance.

  6. Select Triage Finding:

    • Fix Required findings are moved to the Fix Required tab.

    • False Positive and Risk Accepted findings are moved to the Awaiting Approval tab, to be reviewed by an organization owner.

Approve or deny transitions

Transition requests are approved or denied by an organization owner. To approve or deny a transition request:

  1. From the Security Center, select the Awaiting Approval tab.

  2. For the issue containing the asset you want to review, select to expand the issue.

  3. Select Review.

  4. Select either:

    • Approved

    • Denied

  5. For approved findings, enter an Expiry Date for the approval.

  6. Enter any review comments.

  7. Select Submit review:

    • Approved transitions change to the relevant status, false positives indefinitely, and risk accepted findings for the selected timeframe (90 days by default).

      For risk accepted findings, the SLA due date is replaced with the risk-acceptance expiry date. Once the expiry date passes and a scan completes, the finding reverts back to unreviewed status, and the SLA due date reverts back to the current SLA setting for the organization.

    • Denied transitions have their status changed:

      • Denied false positives to Unreviewed.

      • Denied risk accepted to Fix required.

Introduction
Security overview