As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.


OBTAINING PLUGIN

To obtain the officially-supported version of the Jenkins plugin, developed by Denim Group to integrate with ThreadFix 2.5.0.3 onward, please download it here.


INSTALLING PLUGIN

  1. Click Manage Jenkins
  2. Click Manage Plugins
  3. Click the "Advanced" tab
  4. Under "Upload Plugin", choose the plugin file you obtained above and click Upload
  5. When the plugin is installed, restart Jenkins
  6. Go back to Manage Jenkins
  7. Click Configure System
  8. Find the "ThreadFix Scan Executions" section and enter your ThreadFix URL; it must end with /rest (for example https://threadfix.example.com/rest).  Double-check the host name and port: if both Jenkins and ThreadFix listen on port 8080 on their respective servers, a URL that names the wrong host (or localhost on the Jenkins box) reaches Jenkins instead of ThreadFix
  9. Select an API Version to use; "Latest" should be sufficient
  10. Enter a ThreadFix API key that has just the permissions needed for the actions you will run from Jenkins.  The key is configured globally, so every job on this Jenkins instance uses it; do not reuse a personal or administrative key
  11. Save changes.  The Jenkins plugin is installed and configured.
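A pre-flight check for step 8, as an added example that is not part of the ThreadFix plugin or its documentation; the host names and ports in it are constructed placeholders. It rejects a URL that does not end in /rest, catches the two ways the "both on port 8080" mistake usually shows up (the ThreadFix URL naming the same host:port as Jenkins, or a loopback address typed on the Jenkins box), and warns when the API key would travel over plain http. Run it on the Jenkins controller before saving the global configuration.

```shell
#!/bin/sh
# Added pre-flight check for the "ThreadFix Scan Executions" values.
# Not part of the ThreadFix Jenkins plugin; URLs used here are placeholders.

# Print the host[:port] component of a URL (the text between "://" and the next "/").
hostport_of() {
  tail="${1#*://}"
  printf '%s\n' "${tail%%/*}"
}

# check_threadfix_url THREADFIX_URL JENKINS_URL
# Returns 0 when the ThreadFix URL is usable, 1 with a reason on stderr otherwise.
check_threadfix_url() {
  tf_url="$1"
  jenkins_url="$2"

  # The plugin requires the URL to end with /rest (no trailing slash).
  case "$tf_url" in
    */rest)  ;;
    */rest/) echo "ERROR: remove the trailing slash: $tf_url" >&2; return 1 ;;
    *)       echo "ERROR: URL must end with /rest: $tf_url" >&2; return 1 ;;
  esac

  # The API key accompanies every request, so plain http exposes it on the wire.
  case "$tf_url" in
    https://*) ;;
    http://*)  echo "WARN: API key will be sent in clear text over $tf_url" >&2 ;;
    *)         echo "ERROR: unsupported scheme: $tf_url" >&2; return 1 ;;
  esac

  # "Both on port 8080" mistake: a URL that resolves to Jenkins itself
  # (same host:port as Jenkins, or a loopback name) never reaches ThreadFix.
  tf_hp=$(hostport_of "$tf_url")
  jk_hp=$(hostport_of "$jenkins_url")
  if [ "$tf_hp" = "$jk_hp" ]; then
    echo "ERROR: ThreadFix URL points at the Jenkins host:port ($tf_hp)" >&2
    return 1
  fi
  case "${tf_hp%%:*}" in
    localhost|127.*)
      echo "ERROR: loopback address in ThreadFix URL: $tf_hp" >&2
      return 1 ;;
  esac
  return 0
}

# Usage: check_threadfix_url "https://threadfix.example.com:8443/rest" "http://jenkins.example.com:8080"
```

The loopback rule is deliberately strict: a ThreadFix instance co-located with Jenkins should still be addressed by the name other jobs and agents will use, so the saved configuration keeps working when Jenkins moves.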

USING PLUGIN


1. Go to the job and open its Configuration page
2. Add Build Steps or Post-build Actions.  There are currently 5 different types of actions, listed below, and a job can run the same step several times.


I. BUILD STEP - Execute ThreadFix Scan


This action has ThreadFix request a scan from Checkmarx.  To use it, the ThreadFix Application must be mapped to a Checkmarx Remote Provider Application and must have either a Source Code Repository or local source code configured.  Here are the fields to configure:

  • Application - ThreadFix Application.  They will be listed as "<Team Name> - <Application Name>"
  • Test - Remote Provider Application name.  It will not appear here unless it is mapped to the application and is a Checkmarx application
  • Incremental - Check this to use Checkmarx's Incremental scan feature
  • Synchronous - Check this and the Jenkins job waits until Checkmarx has reported that the scan is finished before it continues.  If the scan is still running after 30 minutes, the Jenkins job continues regardless, so later steps cannot assume the scan completed
  • Git identifier - Enter a git branch name, git tag name, or git commit id in this field.  Used in conjunction with Identifier type 
  • Identifier type - Select whether the string in the "Git identifier" field is a branch name, tag name, or commit id


II. BUILD STEP - Execute ThreadFix Scan Agent Scan


This action queues a Scan Agent Task in ThreadFix.  Note that it only queues the task; it does not execute it.  If a Scan Agent is running and able to receive tasks of the specified scanner type, it can pull the task and start the scan.  Here are the fields to configure:

  • Application - ThreadFix Application.  They will be listed as "<Team Name> - <Application Name>"
  • Scan Type - The type of Scan Agent scanner to queue a task for.  At the time of writing, the supported scanner types are: Acunetix WVS, AppSpider, Burp Suite Pro, Security AppScan Standard, Nessus, OWASP Zed Attack Proxy, WebInspect
  • Synchronous - If you check this, the Jenkins job does not continue until a Scan Agent has picked up the task and completed it.  If the task is not completed within 30 minutes, the Jenkins job continues regardless.  NOTE: Be sure a Scan Agent is ready to pull the task if you check this box; otherwise the job simply waits out the 30 minutes
  • Target Url - The URL to scan with the Scan Agent task


III. POST-BUILD ACTION - Add CI/CD Policy Evaluation


This action has ThreadFix evaluate an Application against all of the CI/CD Pass Criteria it is attached to.  You can check the status of the evaluation for each Pass Criteria in the ThreadFix UI on the CI/CD Policies page.  If every CI/CD Policy evaluation fails, the Jenkins job is marked as "Failed".

To access the ThreadFix-related actions, select "ThreadFix Reporting Action" from the Post-build Actions menu, then click the Add menu and select "Add CI/CD Policy evaluation."

Here are the fields to configure:

  • Application - ThreadFix Application.  They will be listed as "<Team Name> - <Application Name>"
  • From - Specify a date and the Pass Criteria are evaluated only against vulnerabilities from scans uploaded after this date.  Leave it empty and all uploaded scans up to the "To" date are considered.
  • To - Specify a date and the Pass Criteria are evaluated only against vulnerabilities from scans uploaded before this date.  Leave it empty and all uploaded scans from the "From" date onward are considered.  Leave both empty and all scans are considered.


IV. POST-BUILD ACTION - Add Remote Provider scan import


This action has ThreadFix import a scan from a Remote Provider.  ThreadFix requests the scans and, once they have all been added to the Scan Upload Queue, the Jenkins job continues.  Note that this means the scan data is not yet in the application when the Jenkins job continues, so a CI/CD Policy Evaluation in the same job may run against the previous scan's findings rather than this one's.  Here are the fields to configure:

  • Application - ThreadFix Application.  They will be listed as "<Team Name> - <Application Name>"
  • Remote Provider - The Remote Provider application to import from.  They will be listed as "<Remote Provider Name> - <Remote Provider Application Name>"


V. POST-BUILD ACTION - Upload scan file


This action uploads a scan file to a ThreadFix application.  ThreadFix places the file in the Scan Upload Queue and the Jenkins job continues.  Note that this means the scan data is not yet in the application when the Jenkins job continues, so an evaluation in the same job may not see the new findings.  Here are the fields to configure:

  • Application - ThreadFix Application.  They will be listed as "<Team Name> - <Application Name>"
  • Scan File Location - The location of the file on your Jenkins server to upload to ThreadFix.  An example path would be "/var/jenkins_home/workspace/scanFiles/appScan-01-28-19.xml".
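Because "Scan File Location" is a fixed path that is read after the build, a scanner step that fails quietly leaves last build's report in place and the post-build action uploads it again unchanged. The build step below, added here as an example and not code from the ThreadFix plugin or its documentation, deletes the old file before the scanner's result is checked, refuses an empty or non-XML result (failing the build), and only then moves the new report to the configured path. It assumes the build step and the post-build action see the same filesystem; the reports/ source path is a placeholder for wherever your scanner writes its output.

```shell
#!/bin/sh
# Added example of an "Execute shell" build step that stages this build's scanner
# output into the fixed "Scan File Location" path. Not part of the ThreadFix plugin.

# stage_scan_file SOURCE DEST
# Removes any previous DEST, then copies SOURCE to DEST atomically.
# Returns 1 (failing the build) if SOURCE is missing, empty, or does not look like XML.
stage_scan_file() {
  src="$1"
  dest="$2"

  # First thing: an old report must never survive a failed scan.
  rm -f "$dest"

  if [ ! -s "$src" ]; then
    echo "ERROR: scanner produced no output at $src" >&2
    return 1
  fi

  # Cheap format check: an XML report starts with '<' (declaration or root element).
  first=""
  read -r first < "$src" || true
  case "$first" in
    "<"*) ;;
    *) echo "ERROR: $src does not look like an XML report" >&2; return 1 ;;
  esac

  # Write to a temp name and rename, so the upload step never sees a half-copied file.
  mkdir -p "$(dirname "$dest")"
  cp "$src" "$dest.tmp" && mv "$dest.tmp" "$dest"
}

# Usage inside a Jenkins job (WORKSPACE is set by Jenkins; the destination is the
# value you typed into "Scan File Location"):
#   stage_scan_file "$WORKSPACE/reports/appscan.xml" /var/jenkins_home/workspace/scanFiles/appScan-01-28-19.xml
```

With the stale file removed up front, a build whose scanner step fails has no report at the configured path, so the problem surfaces as an upload error rather than as yesterday's findings silently counted again.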
