Jenkins Integration (Example)

Jenkins's default content security policies don't allow Jenkins to serve the HTML generated by IaC without some configuration in advance. We require you to modify the content security policy if you want to serve the HTML directly from Jenkins. This integration is provided as an example setup and may vary based on your specific environment.

To temporarily relax these policies, run the following in the Jenkins Console:

```groovy
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src *; img-src *;")
```

Changing content security policies

Changing content security policies in this way will only be effective until Jenkins's next startup.

Product name to be replaced

You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn't affect the configuration or the product's functionality, and we will notify you as we replace these component names.

Create a Jenkins Project

To configure a Freestyle Jenkins project that scans a template with IaC Security, set up a project using the steps below:

  1. Click the New Item button.

  2. Click Freestyle Project and enter a name.

  3. Configure the integration with your version control system using the Source Code Management portion of the Project configuration page. Configure Build Triggers as desired.

  4. If your InsightCloudSec installation or script requires authentication to run IaC Security scans, choose credentials and bind them to environment variables in your build environment.

     • For our provided tool mimics, the expected flag is --api-key. You'll need to generate an API Key prior to setting up this integration.
     • IaC will require authentication to initiate scans if it is configured with the iac_auth_required variable set to 1 in the SystemSettings table.

  5. Configure an Execute Shell build step with the following command calling mimics.

If using Terraform:

```shell
# Generate a Terraform plan and convert it to JSON
terraform plan -out tf.plan
terraform show -json tf.plan > tf.plan.json

# Run our IaC tool.
docker run \
  -v $WORKSPACE:/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan \
  data/tf.plan.json \
  -c "My IaC Config Name" \
  --report-formats all \
  --report-path "/data/reports" \
  --no-progress
```

If using AWS CloudFormation:

```shell
# Run our IaC tool.
docker run \
  -v $WORKSPACE:/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan \
  data/my_cft.yml \
  -c "My IaC Config Name" \
  --report-formats all \
  --report-path "/data/reports" \
  --no-progress
```
  6. Configure a post-build action to archive the HTML and/or JSON output created by the command above.

  7. Click Save.
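The Execute Shell step above can be hardened a little. The following wrapper is an added example, not part of the InsightCloudSec documentation or the mimics tool: it refuses to run when a required variable is missing, keeps the API key off the docker command line (docker reads `-e NAME` without a value from the caller's environment), and fails the build when no report was written, so the archive step never silently succeeds. It assumes ICS_BASE_URL and ICS_API_KEY are bound to the build environment as described in step 4; the function names and the `reports` directory layout are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the InsightCloudSec docs): wrapper for the freestyle
# "Execute Shell" build step. No -x: an xtrace would echo the API key into the
# build log.
set -eu

# Pin a tag or digest instead of :latest for reproducible builds.
MIMICS_IMAGE="public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest"

# Return 1 (and name each offender on stderr) if any listed variable is unset
# or empty, so the build fails before anything is sent to InsightCloudSec.
require_vars() {
  local missing=0 v val
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $v" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Return 0 only if the report directory holds at least one scan_output.* file.
report_exists() {
  local dir="$1" f
  for f in "$dir"/scan_output.*; do
    if [ -f "$f" ]; then return 0; fi
  done
  echo "no scan_output.* report found in $dir" >&2
  return 1
}

# Scan a template that is already inside $WORKSPACE (path relative to it).
# The key is exported and passed as "-e MIMICS_API_KEY" (no value), so it is
# read from the environment rather than appearing in process listings.
scan_template() {
  local template="$1" config_name="$2"
  require_vars WORKSPACE ICS_BASE_URL ICS_API_KEY
  mkdir -p "$WORKSPACE/reports"
  export MIMICS_BASE_URL="$ICS_BASE_URL" MIMICS_API_KEY="$ICS_API_KEY"
  docker run --rm -v "$WORKSPACE:/data" -e MIMICS_BASE_URL -e MIMICS_API_KEY \
    "$MIMICS_IMAGE" scan "/data/$template" -c "$config_name" \
    --report-formats all --report-path /data/reports --no-progress
  report_exists "$WORKSPACE/reports"
}

# Usage in the build step (Terraform; for CloudFormation pass the template):
#   terraform plan -out tf.plan && terraform show -json tf.plan > tf.plan.json
#   scan_template tf.plan.json "My IaC Config Name"
```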

Jenkins Pipeline

If you use Jenkins pipelines for their configuration-as-code and repeatability benefits, use the following example pipeline configurations as a reference and modify them to fit your needs.

AWS CloudFormation (Jenkins)

Jenkins Pipeline Example - CFT

```groovy
pipeline {
    agent any

    stages {
        stage('Submit CloudFormation Template to InsightCloudSec') {
            environment {
                ICS_BASE_URL = "https://<ICS Base URL>/"
                ICS_API_KEY = credentials("ics-api-key")
                WORKSPACE = "${env.WORKSPACE}"
            }
            steps {
                script {
                    try {
                        sh 'docker run -v $WORKSPACE:/data -e MIMICS_BASE_URL=$ICS_BASE_URL -e MIMICS_API_KEY=$ICS_API_KEY public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan data/my_cft.yml -c "My IaC Config Name" --report-formats all --report-path "/data/reports" --no-progress'
                    } catch (e) {
                        throw e
                    } finally {
                        archiveArtifacts 'reports/scan_output.*'
                    }
                }
            }
        }
    }
}
```

Terraform (Jenkins)

Jenkins Pipeline Example - TF

```groovy
pipeline {
    agent any

    stages {
        stage('Generate Terraform Plan') {
            steps {
                sh 'terraform plan -out tf.plan'
                sh 'terraform show -json tf.plan > tf.plan.json'
                stash includes: 'tf.plan.json', name: 'cloudsec-iac-security-stash'
            }
        }
        stage('Submit Terraform Plan to InsightCloudSec') {
            environment {
                ICS_BASE_URL = "https://<ICS Base URL>/"
                ICS_API_KEY = credentials("ics-api-key")
                WORKSPACE = "${env.WORKSPACE}"
            }
            steps {
                unstash 'cloudsec-iac-security-stash'
                script {
                    try {
                        // The API key is referenced as $ICS_API_KEY, as in the CloudFormation example;
                        // the ${{ ... }} form is not valid here.
                        sh 'docker run -v $WORKSPACE:/data -e MIMICS_BASE_URL=$ICS_BASE_URL -e MIMICS_API_KEY=$ICS_API_KEY public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan data/tf.plan.json -c "My IaC Config Name" --report-formats all --report-path "/data/reports" --no-progress'
                    } catch (e) {
                        throw e
                    } finally {
                        // --report-path /data/reports maps to $WORKSPACE/reports, so archive from there.
                        archiveArtifacts 'reports/scan_output.*'
                    }
                }
            }
        }
    }
}
```