As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you in migrating to ThreadFix SaaS and maximizing the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team is looking forward to continuing to support you on this journey.
Jenkins Plugin (ThreadFix 3.X)
You will learn
How to get, install, and configure the Jenkins plugin with ThreadFix.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 20 minutes
Tools required: Jenkins Plugin (see below)
Jenkins Plugin
To obtain the officially-supported version of the Jenkins plugin, developed by Denim Group to integrate with ThreadFix, please download it here.
Installing Jenkins Plugin
Click Manage Jenkins.
Click Manage Plugins and click on the "Advanced" tab.
Under "Upload Plugin" choose the file downloaded earlier and click Upload.
When the plugin is installed, restart Jenkins.
Return to Manage Jenkins and click Configure Jenkins. In the "ThreadFix Scan Executions" section, enter the ThreadFix URL (it must end with /rest), for example https://<IP>/threadfix/rest. Select an API Version to use; "Latest" should be sufficient.
Input a ThreadFix API Key with the permissions necessary to run any desired tasks with Jenkins. Save any changes that have been made; the Jenkins plugin is now installed and configured.
Using Plugin
Go to job and open the Configuration page.
Add Build Steps or Post Build Actions. There are currently 5 different types of actions, listed below; each step can be run multiple times in a single job.
ThreadFix Certificate
If ThreadFix uses a self-signed SSL certificate, Jenkins will not trust it by default, so the default trust configuration must be changed before the plugin can connect to ThreadFix over TLS. Follow the steps below:
The ThreadFix certificate needs to be added to the Jenkins server to ensure a properly functioning integration. To import the ThreadFix certificate, first obtain it in one of the following ways:
Using Chrome
Navigate to the site via the Chrome browser.
Right-click within the page and select "Inspect".
Go to the "Security" tab and click the "View certificate" button.
Go to the "Details" tab and click the "Copy to File" button.
Select Base64.
Save the .cer file to the desired directory.
More information can be found at Exporting Certificate Authorities (CAs) from a Website.
Using OpenSSL
Use the following command on a headless server to retrieve the server certificate in Base64 (PEM) form. Redirecting stdin from /dev/null closes the connection immediately so the command does not hang waiting for input, and the second openssl call keeps only the certificate itself:
openssl s_client -connect ${HOST}:${PORT} -servername ${HOST} </dev/null 2>/dev/null | openssl x509 -outform PEM > certificate.cer
Import ThreadFix Certificate to the Jenkins trust store
After obtaining the certificate, run the following command to import it into the trust store:
keytool -importcert -file certificate.cer -keystore /path/to/keystore -alias <alias>
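Putting the OpenSSL and keytool steps together, the following is an added shell script (not part of the ThreadFix documentation or the plugin) that fetches the ThreadFix certificate, prints its SHA-256 fingerprint so it can be confirmed out of band before it is trusted, imports it into the trust store of the JVM running Jenkins, and verifies the alias. The host, port, keystore path, alias and store password are assumed caller-supplied arguments; the JDK default cacerts path and 'changeit' password in the comment are assumptions about the Jenkins host.

```shell
#!/bin/sh
# Added example (not from the ThreadFix docs): fetch the ThreadFix server cert,
# print its SHA-256 fingerprint for out-of-band checking, import it into the
# trust store of the JVM running Jenkins, and confirm the alias is present.
# Assumed, not from the page: host, port, keystore, alias, storepass arguments.
set -eu

# Keep only the first PEM block from `openssl s_client` output (stdin -> stdout);
# exit status 1 if no certificate block was found.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { found = 1; exit }
         END { exit !found }'
}

# Connect with SNI; </dev/null closes the session so the command cannot hang.
fetch_cert() { # host port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | extract_pem
}

# Fingerprint to compare against the one the ThreadFix administrator reports.
fingerprint() { # pem_file
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import without prompting; -trustcacerts also allows chaining to known CAs.
import_cert() { # pem_file keystore alias storepass
    keytool -importcert -noprompt -trustcacerts -file "$1" \
        -keystore "$2" -alias "$3" -storepass "$4"
}

alias_present() { # keystore alias storepass
    keytool -list -keystore "$1" -alias "$2" -storepass "$3" >/dev/null 2>&1
}

main() { # host port keystore alias storepass
    tmp=$(mktemp)
    fetch_cert "$1" "$2" >"$tmp" || { echo "no certificate from $1:$2" >&2; exit 1; }
    echo "Confirm this fingerprint with the ThreadFix administrator before trusting it:"
    fingerprint "$tmp"
    import_cert "$tmp" "$3" "$4" "$5"
    alias_present "$3" "$4" "$5" && echo "alias '$4' is now trusted in $3"
    rm -f "$tmp"
}

# Example invocation (cacerts path and 'changeit' are the JDK defaults):
#   sh import_threadfix_cert.sh threadfix.example 443 "$JAVA_HOME/lib/security/cacerts" threadfix changeit
if [ "$#" -eq 5 ]; then main "$@"; fi
```

The JVM reads its trust store at startup, so restart Jenkins after the import, just as after installing the plugin.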
Build Steps
Build Step - Execute ThreadFix Scan
This action allows ThreadFix to request Checkmarx to begin a scan. In order to use it, the user must have a ThreadFix Application that is mapped to a Checkmarx Remote Provider Application. The ThreadFix Application should also have a Source Code Repository configured or Local Source code. Below are the fields to configure:
Application - ThreadFix Application. They will be listed as "<Team Name> - <Application Name>"
Test - Remote Provider Application name. It will not appear here unless it is mapped to the application and is a Checkmarx application
Incremental - Check this to use Checkmarx's Incremental scan feature
Synchronous - Check this and the Jenkins job will wait until Checkmarx has returned a "Finished Scanning" signal before it continues. If 30 minutes pass and the scan is not finished, the Jenkins job will continue regardless
Git identifier - Enter a git branch name, git tag name, or git commit id in this field. Used in conjunction with Identifier type
Identifier type - Select whether the string in the "Git identifier" field is a branch name, tag name, or commit id
Build Step - Execute ThreadFix Scan Agent Scan
This action allows ThreadFix to queue a Scan Agent Task in ThreadFix. Note that this only queues the task; it does not execute it. If a Scan Agent is running and able to receive tasks of the specified scanner type, it will be able to pull that task and start a scan. Here are the fields to configure:
Application - ThreadFix Application. They will be listed as "<Team Name> - <Application Name>"
Scan Type - The type of Scan Agent Scanner to queue a task for. Supported scanner types are: Acunetix WVS, AppSpider, Burp Suite Pro, Security AppScan Standard, Nessus, OWASP Zed Attack Proxy, WebInspect
Synchronous - If checked, the Jenkins job will not continue until the Scan Agent has requested the Scan Agent Task and completed it. If the task is not completed before 30 minutes have passed, the Jenkins job will continue regardless. NOTE: If this is checked, be sure to have a Scan Agent ready to pull the task.
Target Url - The URL to scan with the Scan Agent task
Post Build Action - Add CI/CD Policy Evaluation
This action allows ThreadFix to evaluate an Application against all of the CI/CD Pass Criteria it is attached to. Check the status of the evaluation on each Pass Criteria in the ThreadFix UI by going to the CI/CD Policies page. If every CI/CD Policy Evaluation fails, the Jenkins job is marked as "Failed".
To access the ThreadFix-related actions, select "ThreadFix Reporting Action" from the Post-Build Actions menu, then click the Add menu and select "Add CI/CD Policy evaluation."
Below are the fields to configure:
Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"
From - If a date is specified here the Pass Criteria will only be evaluated against vulnerabilities from scans uploaded after this date. If left empty all uploaded scans will be considered up to the "To" date.
To - If a date is specified here, the Pass Criteria will only be evaluated against vulnerabilities from scans uploaded before this date. If left empty, all uploaded scans from the "From" date onward will be considered. If both fields are left empty, all scans will be considered.
Post Build Action - Add Remote Provider Scan Import
This action allows ThreadFix to import a scan from a Remote Provider. ThreadFix will request scans and once they have all been added to the Scan Upload Queue, the Jenkins job will continue. Take note this means the scan data is not in the application before the Jenkins job continues. Below are the fields to configure:
Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"
Remote Provider - The Remote Provider application to import from. They will be listed as "<Remote Provider Name> - <Remote Provider Application Name>"
Post Build Action - Upload Scan File
This action allows ThreadFix to upload a scan file to an application. ThreadFix will send the scan file to the Scan Upload Queue and the Jenkins job will continue. Take note this means the scan data is not in the application before the Jenkins job continues. Below are the fields to configure:
Application - ThreadFix Application, listed as "<Team Name> - <Application Name>"
Scan File Location - The location of the file on the user’s Jenkins server to upload to ThreadFix. An example path would be "/var/jenkins_home/workspace/scanFiles/appScan-01-28-19.xml".
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.