Enable and configure security scanning tools in the Marketplace to activate automatic security analysis for your organization and components. Security tools integration allows CloudBees Unify to perform comprehensive security assessments using industry-standard SAST, DAST, container, and SCA scanners.
You need Admin user role permissions in your organization to enable, disable, or configure security tools.
Access the Marketplace
The Marketplace provides centralized management for all security tools available in your organization.
To access security tools configuration:
- Select an organization. Optionally, select a component for a component-level view.
- Select .
The Marketplace interface displays with available and activated security tools.
Enable and disable security tools
Control which security tools are active for automatic security analysis across your organizational hierarchy.
To manage security tool activation:
- Filter and locate the tools you want to configure:
  - Filter tools by Category, Tags, or Tooling to narrow the list.
  - Search for specific security tools, or filter by activated or available tools.
- Configure implicit security assessment by selecting to enable or disable it for your organization.
  Implicit security assessment can be enabled or disabled at both tenant and organization level. Disabling implicit security assessment turns off automatic security analysis for all components associated with the selected organization and its child organizations.
- Activate or deactivate individual security tools:
  - For the root organization, activate or deactivate security tools to control availability for all child organizations.
    Only tools that have been activated at the root organization level can be enabled for child organizations.
  - For child organizations, enable or disable security tools for that organization only.
    Re-enabling a disabled tool for a child organization restores any previous configuration of that tool.
Only users with the Admin user role in the organization can enable or disable security tools.
Configure specific security tools
A number of tools require configuration to integrate with CloudBees Unify.
To configure security tools:
- Select Configure to configure a security tool.
  This option is only available for tools that require configuration, such as Black Duck SCA, Coverity on Polaris, SonarQube, or Klocwork SAST. Any user can view the configuration of a security tool, but only users with the Admin user role in the organization can configure it.
- Configure inheritance settings by selecting whether to allow child organizations to inherit this configuration, or require them to be configured separately.
  This inheritance can be changed at any time. Configuration values set within child organizations are preserved even if inheritance is disabled and later re-enabled.
- Enter tool-specific configuration details based on your security tool requirements.
Configure Perforce Klocwork SAST
Perforce Klocwork SAST must be configured in the Marketplace before it can be used for implicit security analysis.
To configure Klocwork SAST:
- In the Marketplace, select Configure for Klocwork SAST.
- In the Klocwork SAST Configuration dialog, enter the following details:
  - Select whether to allow child organizations to inherit this configuration.
  - Configuration based on: Select whether to authenticate using credentials, or an application token.
  - Select Enable Klocwork Agent Scan to run a change-only scan with kwciagent.
    This provides a quick way to confirm that small, recent code changes are clean, as long as a full scan has already been run on the project.
  - Klocwork host URL: The URL of your Klocwork server.
  - Klocwork license server hostname: The hostname of your Klocwork license server.
  - Klocwork license server port: The port number of your Klocwork license server.
  - Klocwork username: The username used to authenticate with the Klocwork server.
  - Klocwork application token or Klocwork password: The application token or password used to authenticate with the Klocwork server.
- Select Save to save the configuration.
  The tool becomes available for implicit security analysis across your organization.
For details on how security tool settings cascade through organizational hierarchies, refer to application-security:explanation/understanding-application-security-posture-management.adoc#organizational-hierarchy-inheritance.
Troubleshooting
Problem: Security tool not appearing in component scans
Solution: Verify the tool is activated at the organization level and implicit security assessment is enabled for your organization.
Problem: Child organization cannot enable a security tool
Solution: Ensure the tool is first activated at the root organization level. Only tools activated at the root organization level can be enabled for child organizations.
Problem: Configuration changes not taking effect in child organizations
Solution: Check the inheritance settings for the security tool. If inheritance is disabled, you must configure the tool separately at the child organization level.