As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.

Jenkins Plugin

You will learn

How to get, install, and configure the Jenkins plugin with ThreadFix.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 20 minutes
Tools required: Jenkins Plugin (see below)

Jenkins Plugin

To obtain the officially-supported version of the Jenkins plugin, developed by Denim Group to integrate with ThreadFix, please download it here.

Installing Jenkins Plugin

  1. Click Manage Jenkins.

  2. Click Manage Plugins and click on the "Advanced" tab.

  3. Under "Upload Plugin" choose the file downloaded earlier and click Upload.

  4. When the plugin is installed, restart Jenkins.

  5. Return to Manage Jenkins and click Configure Jenkins. In the "ThreadFix Scan Executions" section enter your ThreadFix URL (it must end with /rest), for example https://<IP>/threadfix/rest. Take extra care with server names and ports (for example, if both Jenkins and ThreadFix use port 8080 on their respective servers).

  6. Select an API Version to use; "Latest" should be sufficient.

  7. Input a ThreadFix API Key with the permissions necessary to run any desired tasks with Jenkins. Save any changes that have been made; the Jenkins plugin is now installed and configured.
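As an added illustration of the checks behind step 5 (example code, not part of the plugin or this page), the following Python function validates a ThreadFix URL the way the plugin configuration expects it: the path must end with /rest, and the host/port must not collide with the Jenkins server. The Jenkins URL and the candidate URLs are constructed values.

```python
from urllib.parse import urlsplit

# Constructed value (not from the page): the URL the Jenkins server itself
# listens on, used to detect the port mix-up the configuration step warns about.
JENKINS_URL = "http://jenkins.example.internal:8080/"


def default_port(scheme):
    """Port implied by the scheme when the URL does not name one explicitly."""
    return {"http": 80, "https": 443}.get(scheme)


def check_threadfix_url(threadfix_url, jenkins_url=JENKINS_URL):
    """Return a list of problems with a ThreadFix REST URL as entered in the
    plugin configuration. An empty list means the URL passes every check."""
    tf = urlsplit(threadfix_url.strip())
    jk = urlsplit(jenkins_url.strip())
    if tf.scheme not in ("http", "https") or not tf.hostname:
        return ["not an absolute http(s) URL"]
    problems = []
    if tf.scheme != "https":
        problems.append("plain http: the API key would be sent unencrypted")
    # The plugin requires the URL to end with /rest; a trailing slash is a
    # common slip that turns the path into '/rest/' instead of '/rest'.
    if tf.path.endswith("/"):
        problems.append("trailing slash: the URL must end with /rest, not /rest/")
    elif not tf.path.endswith("/rest"):
        problems.append("path must end with /rest (e.g. https://host/threadfix/rest)")
    # Same host and port as Jenkins means the plugin would be talking to
    # Jenkins itself (e.g. both on 8080) rather than to ThreadFix.
    try:
        tf_port = tf.port or default_port(tf.scheme)
        jk_port = jk.port or default_port(jk.scheme)
    except ValueError:
        return problems + ["port is not a valid number"]
    if tf.hostname == jk.hostname and tf_port == jk_port:
        problems.append("host and port are identical to the Jenkins URL")
    return problems


if __name__ == "__main__":
    for candidate in ("https://threadfix.example.internal/threadfix/rest",
                      "https://threadfix.example.internal/threadfix/rest/",
                      "http://jenkins.example.internal:8080/threadfix/rest"):
        print(candidate, "->", check_threadfix_url(candidate) or "OK")
```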

Using Plugin

  1. Go to the job and open the Configuration page.

  2. Add Build Steps or Post Build Actions. There are currently 5 different types of actions, listed below; the steps can be run multiple times in a single job.

Build Steps

Build Step - Execute ThreadFix Scan

This action allows ThreadFix to request Checkmarx to begin a scan. In order to use it, the user must have a ThreadFix Application that is mapped to a Checkmarx Remote Provider Application. The ThreadFix Application should also have a Source Code Repository configured or local source code. Below are the fields to configure:

  • Application - ThreadFix Application. They will be listed as "<Team Name> - <Application Name>"

  • Test - Remote Provider Application name. It will not appear here unless it is mapped to the application and is a Checkmarx application

  • Incremental - Check this to use Checkmarx's Incremental scan feature

  • Synchronous - Check this and the Jenkins job will wait until Checkmarx has returned a "Finished Scanning" signal before it continues.  If 30 minutes pass and the scan is not finished, the Jenkins job will continue regardless

  • Git identifier - Enter a git branch name, git tag name, or git commit id in this field. Used in conjunction with Identifier type

  • Identifier type - Select whether the string in the "Git identifier" field is a branch name, tag name, or commit id

Build Step - Execute ThreadFix Scan Agent Scan

This action allows ThreadFix to Queue a Scan Agent Task in ThreadFix.  Note that this only queues the task, it does not execute it. If a Scan Agent is running and able to receive tasks of the specified scanner type, it will be able to pull that task and start a scan.  Here are the fields to configure:

  • Application - ThreadFix Application. They will be listed as "<Team Name> - <Application Name>"

  • Scan Type - The type of Scan Agent Scanner to queue a task for.  Supported scanner types are: Acunetix WVS, AppSpider, Burp Suite Pro, Security AppScan Standard, Nessus, OWASP Zed Attack Proxy, WebInspect

  • Synchronous - If checked, the Jenkins job will not continue until the Scan Agent has requested the Scan Agent Task and completed it.  If the task is not completed before 30 minutes have passed, the Jenkins job will continue regardless.  NOTE: If this is checked, be sure to have a Scan Agent ready to pull the task.

  • Target Url - The URL to scan with the Scan Agent task

Post Build Action - Add CI/CD Policy Evaluation

This action allows ThreadFix to evaluate an Application against all of the CI/CD Pass Criteria it is attached to. Check the status of the evaluation on each Pass Criteria in the ThreadFix UI by going to the CI/CD Policies page. If every CI/CD Policy Evaluation fails, the Jenkins job is marked as "Failed".

To access the ThreadFix-related actions, select "ThreadFix Reporting Action" from the Post-Build Actions menu, then click the Add menu and select "Add CI/CD Policy evaluation."

Below are the fields to configure:

  • Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"

  • From - If a date is specified here the Pass Criteria will only be evaluated against vulnerabilities from scans uploaded after this date. If left empty all uploaded scans will be considered up to the "To" date.

  • To - If a date is specified here the Pass Criteria will only be evaluated against vulnerabilities from scans uploaded before this date. If left empty, all uploaded scans will be considered starting from the "From" date. If both dates are left empty, all scans will be considered.

Post Build Action - Add Remote Provider Scan Import

This action allows ThreadFix to import a scan from a Remote Provider. ThreadFix will request scans and once they have all been added to the Scan Upload Queue, the Jenkins job will continue. Take note this means the scan data is not in the application before the Jenkins job continues.  Below are the fields to configure:

  • Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"

  • Remote Provider - The Remote Provider application to import from.  They will be listed as "<Remote Provider Name> - <Remote Provider Application Name>"

Post Build Action - Upload Scan File

This action allows ThreadFix to upload a scan file to an application. ThreadFix will send the scan file to the Scan Upload Queue and the Jenkins job will continue. Take note this means the scan data is not in the application before the Jenkins job continues. Below are the fields to configure:

  • Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"

  • Scan File Location - The location of the file on the user’s Jenkins server to upload to ThreadFix.  An example path would be "/var/jenkins_home/workspace/scanFiles/appScan-01-28-19.xml".

www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.