Configure security scanning in your CloudBees CI or Jenkins® Pipeline to maintain the security and integrity of your software assets. Set up your Jenkinsfile to run security scans with various tools including SAST, SCA, container, and secret scanning, then publish results to CloudBees Unify for enhanced analytics and vulnerability tracking.
> Before you begin, ensure you have completed the CI or Jenkins integration. For setup instructions, refer to Connect CI and Jenkins controllers.
Set up security scanning on your Multibranch Pipeline
Set up your Jenkinsfile to install scanning tools, run scans, and publish security scan reports for ingestion to CloudBees Unify, to leverage its enhanced analytics.
To enable security scan reports from your CI build to CloudBees Unify:
- Complete the steps in Connect CI and Jenkins controllers.
- Configure your Jenkinsfile to install, run, and publish scans as described below.
Supported scanning tools
CloudBees Unify supports the following security scanning tools:
| Scanning tool | Type |
|---|---|
| Black Duck | SCA |
| Checkov | SAST |
| CodeQL | SAST |
| findsecbugs | SAST |
| Gitleaks | Secrets |
| Gosec | SAST |
| Grype | SAST |
| njsscanner | SAST |
| Snyk | SAST |
| Trivy | Container |
| SonarQube | SAST |
| JFrog | SCA, Container |
Configure your Jenkinsfile to install, run, and publish scans
Use the registerSecurityScan step to indicate which security scan results must be sent to CloudBees Unify.
For the full parameter specification, refer to registerSecurityScan reference.
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | Security scan to include. Wildcards are supported. |
| | String | No | |
| | String | No | If the |
| | String | No | Describes if the reports must also be archived in the Jenkins build. The default value is |
Example of a Pipeline stage including the step:
```groovy
pipeline {
    // Declarative Pipeline requires an agent directive
    agent any
    stages {
        stage('Security Scan') {
            steps {
                registerSecurityScan(
                    // Security Scan to include
                    artifacts: "scan*",
                    format: "sarif",
                    scanner: "the-scanner",
                    archive: true
                )
            }
        }
    }
}
```
Examples for scanners that support SARIF format
SARIF is a widely accepted standard used for sharing results from static analysis tools, especially in CI/CD environments.
The following examples illustrate how to use scanners that support SARIF format.
Black Duck sample Pipeline
Add the following steps to your Jenkinsfile to install, run, and publish the results of a Black Duck scan to CloudBees Unify.
1. Download and extract Bridge CLI. Use Black Duck Bridge, not Black Duck Detect, for scanning.
2. Run the scan with SARIF output. The shell command should be formed as above. You must include blackducksca_reports_sarif_groupSCAIssues=false.
3. Check the SARIF report.
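The install, scan, and publish sequence above, carried through as a complete declarative Jenkinsfile. This is an added example and not code from the CloudBees documentation: it runs two SARIF-capable scanners from the supported list, Gitleaks (secrets) and Trivy (container image), registers each report with registerSecurityScan, and performs the "check the SARIF report" step on the produced files. The Gitleaks and Trivy command-line flags are those of the upstream tools as the author of this example knows them; the image reference is a constructed sample; the `scanner:` values `"gitleaks"` and `"trivy"` are assumed placeholders, so look up the identifier CloudBees Unify expects for each tool in the registerSecurityScan reference; and the SARIF check assumes the Pipeline Utility Steps plugin (for `readJSON`) is installed on the controller.

```groovy
// Added example Jenkinsfile (not from the CloudBees documentation).
// Assumed: gitleaks and trivy are on the agent PATH, the Pipeline Utility Steps
// plugin provides readJSON, and the scanner identifiers are placeholders.
pipeline {
    agent any

    environment {
        // Constructed sample image reference; replace with the image your build produces.
        IMAGE_REF = 'registry.example.com/team/app:latest'
    }

    stages {
        stage('Secret scan (Gitleaks)') {
            steps {
                // Scan the checked-out workspace and write a SARIF 2.1.0 report.
                // --exit-code 0 keeps the stage green so the report is always
                // published; findings are then triaged in CloudBees Unify.
                sh '''
                    gitleaks detect --source . \
                        --report-format sarif \
                        --report-path gitleaks.sarif \
                        --exit-code 0
                '''
                registerSecurityScan(
                    artifacts: 'gitleaks.sarif',
                    format: 'sarif',
                    scanner: 'gitleaks',   // assumed identifier, see lead-in
                    archive: true
                )
            }
        }

        stage('Container scan (Trivy)') {
            steps {
                // Scan the built image and write a SARIF report.
                sh '''
                    trivy image --format sarif --output trivy.sarif "$IMAGE_REF"
                '''
                registerSecurityScan(
                    artifacts: 'trivy.sarif',
                    format: 'sarif',
                    scanner: 'trivy',      // assumed identifier, see lead-in
                    archive: true
                )
            }
        }
    }

    post {
        always {
            // Check each SARIF report before relying on it: it must exist, declare
            // the expected schema version, and carry at least one run.
            script {
                for (String f : ['gitleaks.sarif', 'trivy.sarif']) {
                    if (!fileExists(f)) {
                        error "Expected SARIF report ${f} was not produced"
                    }
                    def sarif = readJSON file: f
                    if (sarif.version != '2.1.0' || !sarif.runs) {
                        error "${f} is not a usable SARIF 2.1.0 report"
                    }
                    int total = 0
                    for (run in sarif.runs) {
                        total += (run.results ?: []).size()
                    }
                    echo "${f}: ${sarif.runs.size()} run(s), ${total} result(s)"
                }
            }
        }
    }
}
```

The scanners are told not to fail the build on findings so that the reports are still produced and registered; enforcing a severity threshold belongs in CloudBees Unify, or in a later stage that reads the published report, rather than in the scan step itself.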
Examples for scanners that do not support SARIF format
The following examples illustrate how to use scanners that do not support SARIF format.
Anchore sample Pipeline
Add the following steps to your Jenkinsfile to install, run, and publish the results of an Anchore scan to CloudBees Unify.
SonarQube sample Pipeline
If you are using SonarQube and want to send results to your CloudBees Unify instance, you must use the exportSonarQubeScan step to generate and download the scanning results from SonarQube in a single step, as SonarQube does not provide an easy way to do this.
Add the following steps to your Jenkinsfile to install, run, and publish the results of a SonarQube scan to CloudBees Unify.
Run an automatically triggered implicit scan of your source code
Implicit scanning in CloudBees Unify refers to the automatic security analysis of source code without requiring explicit user intervention. This process ensures continuous security checks by automatically triggering scans whenever certain events occur, such as:
- The creation of a new component.
- Committing changes in a connected repository.
- Generating an artifact from a CI build.
Enable implicit security scanning to provide ongoing security monitoring.