📙 You will learn
How to get, install, and configure the Jenkins plugin with ThreadFix.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 20 minutes
Tools required: Jenkins Plugin (see below)
Jenkins Plugin
To obtain the officially-supported version of the Jenkins plugin, developed by Denim Group to integrate with ThreadFix 2.5.0.3 onward, please download it here.
Installing Jenkins Plugin
1. Click Manage Jenkins.
2. Click Manage Plugins and click on the "Advanced" tab.
3. Under "Upload Plugin" choose the file downloaded earlier and click Upload.
4. When the plugin is installed, restart Jenkins.
5. Return to Manage Jenkins and click Configure Jenkins. In the "ThreadFix Scan Executions" section enter the ThreadFix URL (it must end with /rest), for example https://<IP>/threadfix/rest. Take extra care with your ports and hostnames (for example, if both Jenkins and ThreadFix use port 8080 on their respective servers, make sure the URL points at the ThreadFix server and not at Jenkins itself). Select an API Version to use; "Latest" should be sufficient.
6. Enter a ThreadFix API Key with the permissions necessary to run the desired tasks from Jenkins. The key grants Jenkins the rights of the ThreadFix user it belongs to, so give it only the permissions those tasks need and treat it as a credential.
7. Save any changes that have been made; the Jenkins plugin is now installed and configured.
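The rules in the configuration steps above (the URL must end with /rest, the Jenkins and ThreadFix host/port must not be confused, and the key must be present) can be checked before the values are pasted into the Jenkins form. The following is an added example written for this page; it is not code from the ThreadFix Jenkins plugin or from Denim Group. The function name, its parameters and the sample addresses are assumptions made for the example.

```python
"""Pre-flight check for the values entered in the ThreadFix plugin's global
configuration. Added example for this page, not code from the ThreadFix Jenkins
plugin; function, parameter names and sample values are assumptions."""
from typing import List, Optional
from urllib.parse import urlsplit


def _default_port(scheme: str) -> int:
    return 443 if scheme == "https" else 80


def validate_threadfix_config(threadfix_url: str, api_key: str,
                              jenkins_url: Optional[str] = None) -> List[str]:
    """Return the list of problems found; an empty list means the settings
    satisfy the rules given in the configuration steps."""
    problems: List[str] = []
    tf = urlsplit(threadfix_url.strip())

    if tf.scheme not in ("http", "https"):
        problems.append("ThreadFix URL must start with http:// or https://")
    elif tf.scheme == "http":
        # The API key travels with every request; do not send it in clear text.
        problems.append("ThreadFix URL uses plain http; the API key would be sent in clear text")

    if not tf.netloc:
        problems.append("ThreadFix URL has no host")

    # The plugin talks to the REST API, so the path must end with /rest
    # (e.g. https://<IP>/threadfix/rest) and must not carry a trailing slash.
    if tf.path != tf.path.rstrip("/") or not tf.path.endswith("/rest"):
        problems.append("ThreadFix URL must end with /rest (no trailing slash)")

    if tf.query or tf.fragment:
        problems.append("ThreadFix URL must not contain a query string or fragment")

    # When both services listen on 8080 it is easy to point the plugin at
    # Jenkins itself: compare scheme, host and effective port.
    if jenkins_url:
        jk = urlsplit(jenkins_url.strip())
        same = (jk.scheme, jk.hostname, jk.port or _default_port(jk.scheme)) == \
               (tf.scheme, tf.hostname, tf.port or _default_port(tf.scheme))
        if same:
            problems.append("ThreadFix URL points at the same scheme/host/port as Jenkins")

    if not api_key.strip():
        problems.append("API key is empty")
    elif api_key != api_key.strip():
        problems.append("API key has leading or trailing whitespace (copy/paste error)")

    return problems


if __name__ == "__main__":
    # Constructed sample values; these are not real servers.
    checks = {
        "good": ("https://10.0.0.5/threadfix/rest", "k3y", "http://10.0.0.4:8080/"),
        "points at jenkins": ("http://10.0.0.4:8080/threadfix/rest", "k3y", "http://10.0.0.4:8080/"),
        "missing /rest": ("https://10.0.0.5/threadfix", " k3y ", None),
    }
    for name, args in checks.items():
        print(name, "->", validate_threadfix_config(*args) or ["ok"])
```

Run it with the values you intend to enter; any line it prints other than "ok" is something the plugin form will accept silently but that will fail at the first request to ThreadFix.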
Using Plugin
1. Go to the job and open its Configuration page.
2. Add Build Steps or Post Build Actions. There are currently 5 different types of actions, listed below; each step can be run multiple times in a single job.
Build Steps
Build Step - Execute ThreadFix Scan
This action allows ThreadFix to request that Checkmarx begin a scan. In order to use it, the user must have a ThreadFix Application that is mapped to a Checkmarx Remote Provider Application. The ThreadFix Application should also have a Source Code Repository configured or local source code. Below are the fields to configure:
Application - ThreadFix Application. They will be listed as "<Team Name> - <Application Name>"
Test - Remote Provider Application name. It will not appear here unless it is mapped to the application and is a Checkmarx application
Incremental - Check this to use Checkmarx's Incremental scan feature
Synchronous - Check this and the Jenkins job will wait until Checkmarx has returned a "Finished Scanning" signal before it continues. If 30 minutes pass and the scan is not finished, the Jenkins job will continue regardless
Git identifier - Enter a git branch name, git tag name, or git commit id in this field. Used in conjunction with Identifier type
Identifier type - Select whether the string in the "Git identifier" field is a branch name, tag name, or commit id
Build Step - Execute ThreadFix Scan Agent Scan
This action allows ThreadFix to queue a Scan Agent Task in ThreadFix. Note that this only queues the task; it does not execute it. If a Scan Agent is running and able to receive tasks of the specified scanner type, it will be able to pull that task and start a scan. Below are the fields to configure:
Application - ThreadFix Application. They will be listed as "<Team Name> - <Application Name>"
Scan Type - The type of Scan Agent Scanner to queue a task for. Supported scanner types are: Acunetix WVS, AppSpider, Burp Suite Pro, Security AppScan Standard, Nessus, OWASP Zed Attack Proxy, WebInspect
Synchronous - If checked, the Jenkins job will not continue until a Scan Agent has requested the Scan Agent Task and completed it. If the task is not completed before 30 minutes have passed, the Jenkins job will continue regardless. NOTE: If this is checked, be sure to have a Scan Agent ready to pull the task; otherwise the job simply waits out the 30 minutes and continues without a scan.
Target Url - The URL to scan with the Scan Agent task
Post Build Action - Add CI/CD Policy Evaluation
This action allows ThreadFix to evaluate an Application against all of the CI/CD Pass Criteria it is attached to. Check the status of the evaluation on each Pass Criteria in the ThreadFix UI by going to the CI/CD Policies page. If every CI/CD Policy Evaluation fails, the Jenkins job is marked as "Failed". Note that the scan import and scan upload actions described below only place scan data in the Scan Upload Queue before the job continues, so an evaluation run in the same job may not yet reflect that job's newest scan.
To access the ThreadFix-related actions, select "ThreadFix Reporting Action" from the Post-build Actions menu, then click the Add menu and select "Add CI/CD Policy evaluation."
Below are the fields to configure:
Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"
From - If a date is specified here, the Pass Criteria will only be evaluated against vulnerabilities from scans uploaded after this date. If left empty, all uploaded scans will be considered up to the "To" date.
To - If a date is specified here, the Pass Criteria will only be evaluated against vulnerabilities from scans uploaded before this date. If left empty, all uploaded scans will be considered as of the "From" date.
If both are left empty, all scans will be considered.
Post Build Action - Add Remote Provider Scan Import
This action allows ThreadFix to import a scan from a Remote Provider. ThreadFix will request the scans and, once they have all been added to the Scan Upload Queue, the Jenkins job will continue. Take note that this means the scan data is not in the application before the Jenkins job continues. Below are the fields to configure:
Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"
Remote Provider - The Remote Provider application to import from. They will be listed as "<Remote Provider Name> - <Remote Provider Application Name>"
Post Build Action - Upload Scan File
This action allows ThreadFix to upload a scan file to an application. ThreadFix will send the scan file to the Scan Upload Queue and the Jenkins job will continue. Take note that this means the scan data is not in the application before the Jenkins job continues. Below are the fields to configure:
Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"
Scan File Location - The location of the file on the user's Jenkins server to upload to ThreadFix. An example path would be "/var/jenkins_home/workspace/scanFiles/appScan-01-28-19.xml".