Introduction
Architecture
Onboard
Introduction
IntroductionPromote an image in Amazon ECRDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryStore an object on Amazon S3Retrieve an object from Amazon S3
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Argo WorkflowsCopy a remote image with CraneDeploy a binary with EC2Deploy to ECSRender an ECS task definitionBuild a container image with KanikoDeploy with OctopusDeploy with Spinnaker
Publish evidence items
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxFind Security BugsGitHub Security ScannerGosecMendNexus IQSnykSonarQube bundledSonarQube
IntroductionMendSnyk
IntroductionTruffleHog ContainerTruffleHog CodeTruffleHog S3
Publish test results

Security center

2 minute read

The security center provides a single location to review security issues and findings, and their severity. It automatically triggers an implicit security analysis whenever you create a component, or commit changes to the repository linked to a component, and displays the results. It displays the results of these scans with a rich context, such as the line of code where a security issue is discovered, and details from the security tool including reference links and remediation suggestions. It can also, where available, display results from security tools added in explicit workflows.

In CloudBees platform:

  • Issues are security issues reported by security tools.

  • Findings are individual occurrences of a security issue reported in a branch, file, or code location.

  • Severity is the rating reported by the security tool that discovered the finding.

Use the security center

The security center is only displayed in the navigation once a component has been selected

To access the security center:

  • Select a component from the dropdown in the left navigation.

  • Select the Security dropdown from the left navigation, then select Security center.

Security Center
Figure 1. Security center

  1. Review the GitHub organization and repository names, the branch name, the date and time of the last scan.

  2. Select a branch.

  3. Review the total number of findings, and the number of findings by severity.

  4. Filter issues by one or more of:

    • Severity:

      • Very High.

      • High.

      • Medium.

      • Low.

    • Category:

      • Configuration.

      • License violation.

      • Operational risk.

      • Penetration testing outcome.

      • Policy violation.

      • SCA.

      • Secret violation.

      • Threat modelling outcome.

      • Vulnerability.

    • Security tool.

  5. Review the total number of findings, grouped by security tool.

  6. Review security issue information:

    • Severity: the severity rating reported by the security tool that discovered the finding. Select to review detailed information on each finding of the issue, including:

      • File Name: The name of the file where the finding was discovered. Select the file name to navigate to the line in the file where the finding is located.

      • Tools: The tool that discovered the finding.

      • Further details: Review further information provided by the security tool, including CWE reference, and raw data for the finding. Where multiple tools report the same finding, select a tool from the dropdown menu to see information from that tool.

    • Code: The vulnerability code or CWE number of the issue.

    • Name: The name of the issue.

    • Category: The category of the issue.

    • Findings: The number of findings of that issue.

    • Scanning tools: The tools that reported the issue.

    • First identified: When the issue was first reported.