Jenkins Integration (Example)
Overview of Integrating Jenkins with InsightCloudSec IaC Scans
Jenkins's default content security policies don't allow Jenkins to serve the HTML generated by IaC without some configuration in advance. We require you to modify the content security policy if you want to serve the HTML directly from Jenkins. This integration is provided as an example setup and may vary based on your specific environment.
To temporarily relax these policies, run the following in the Jenkins Console:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src *; img-src *;")
Note: Changing content security policies in this way will only be effective until Jenkins's next startup.
- To relax these policies automatically at startup, you can run the above command in a post-initialization script.
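To see exactly what the relaxed policy changes, the added example below (not part of the original page, and not Rapid7 or Jenkins code) parses the value set above and compares it with a baseline policy. The baseline string is an assumption, taken to be the Jenkins default for served files; parseCsp, effectiveSources and diffPolicies are illustrative names.

```javascript
// Added example: compare two Content-Security-Policy strings directive by directive.
// BASELINE is an assumption (the default Jenkins documents for
// DirectoryBrowserSupport); confirm it for your Jenkins version.
const BASELINE = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";
// RELAXED is the value set by the System.setProperty call on this page.
const RELAXED = "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src *; img-src *;";

// Fetch directives that fall back to default-src when they are not listed.
const FETCH = ["script-src", "style-src", "img-src", "font-src",
               "connect-src", "frame-src", "object-src"];

// Parse "name v1 v2; name2 v3" into a Map of name -> [values].
// Per the CSP rules, the first occurrence of a directive wins.
function parseCsp(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !map.has(name.toLowerCase())) map.set(name.toLowerCase(), values);
  }
  return map;
}

// Sources that apply to a fetch directive after default-src fallback.
// "*" stands for "no restriction" when neither directive is present.
function effectiveSources(policy, directive) {
  const map = parseCsp(policy);
  return map.get(directive) ?? map.get("default-src") ?? ["*"];
}

// List every difference in what the browser will allow.
function diffPolicies(before, after) {
  const changes = [];
  for (const d of FETCH) {
    const a = effectiveSources(before, d).join(" ");
    const b = effectiveSources(after, d).join(" ");
    if (a !== b) changes.push(`${d}: ${a} -> ${b}`);
  }
  const had = parseCsp(before).has("sandbox");
  const has = parseCsp(after).has("sandbox");
  if (had !== has) changes.push(`sandbox: ${had ? "on" : "off"} -> ${has ? "on" : "off"}`);
  return changes;
}

console.log(diffPolicies(BASELINE, RELAXED).join("\n"));
```

Against this baseline, script-src moves from 'none' to 'self' and the sandbox directive is dropped, so archived HTML reports can run scripts served from the Jenkins origin.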
Value Names (DivvyCloud vs. InsightCloudSec)
Some values specified on this page use our former product name, DivvyCloud, rather than InsightCloudSec.
Updates to the naming of these configuration components will be communicated when changes are made.
Create a Jenkins Project
To configure a freestyle Jenkins project to scan a template with IaC Security, you will need to set up a project using the steps below:
1. Click the "New Item" button.
2. Click "Freestyle Project" and enter a name.

Jenkins Freestyle Project
3. Configure the integration with your version control system using the "Source Code Management" portion of the Project configuration page.
- Configure Build Triggers as desired.
4. If your InsightCloudSec installation or script requires authentication to run IaC Security scans, choose credentials and bind them to environment variables in your build environment.
- For our provided tool mimics, the expected flag is --api-key. You'll need to generate an API Key prior to setting up this integration.
- IaC will require authentication to initiate scans if it is configured with the iac_auth_required variable set to 1 in the SystemSettings table.

Jenkins Build Environment Bindings
5. Configure an Execute Shell build step with the following command calling mimics.
- If using Terraform:
    # Generate a Terraform plan and convert it to JSON.
    terraform plan -out tf.plan
    terraform show -json tf.plan > tf.plan.json
    # Run our IaC tool. The workspace is mounted at /data inside the container;
    # variables are quoted so paths or values with spaces are passed intact.
    docker run \
      -v "$WORKSPACE:/data" \
      -e MIMICS_BASE_URL="$ICS_BASE_URL" \
      -e MIMICS_API_KEY="$ICS_API_KEY" \
      public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan \
      data/tf.plan.json \
      -c "My IaC Config Name" \
      --report-formats all \
      --report-path "/data/reports" \
      --no-progress
- If using AWS CloudFormation:
    # Run our IaC tool. The workspace is mounted at /data inside the container;
    # variables are quoted so paths or values with spaces are passed intact.
    docker run \
      -v "$WORKSPACE:/data" \
      -e MIMICS_BASE_URL="$ICS_BASE_URL" \
      -e MIMICS_API_KEY="$ICS_API_KEY" \
      public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan \
      data/my_cft.yml \
      -c "My IaC Config Name" \
      --report-formats all \
      --report-path "/data/reports" \
      --no-progress
6. Configure a post-build action to archive the HTML and/or JSON output created by the command above.

Post-build Actions
7. Click "Save".
Jenkins Pipeline
If you use Jenkins pipelines for configuration-as-code and repeatability benefits, check out the following example pipeline configurations for reference and modify to fit your needs.
AWS CloudFormation (Jenkins)
pipeline {
    agent any
    stages {
        stage('Submit CloudFormation Template to InsightCloudSec') {
            environment {
                ICS_BASE_URL = "https://<ICS Base URL>/"
                ICS_API_KEY = credentials("ics-api-key")
                WORKSPACE = "${env.WORKSPACE}"
            }
            steps {
                script {
                    try {
                        sh 'docker run -v $WORKSPACE:/data -e MIMICS_BASE_URL=$ICS_BASE_URL -e MIMICS_API_KEY=$ICS_API_KEY public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan data/my_cft.yml -c "My IaC Config Name" --report-formats all --report-path "/data/reports" --no-progress'
                    } catch (e) {
                        throw e
                    } finally {
                        archiveArtifacts 'reports/scan_output.*'
                    }
                }
            }
        }
    }
}
Terraform (Jenkins)
pipeline {
    agent any
    stages {
        stage('Generate Terraform Plan') {
            steps {
                sh 'terraform plan -out tf.plan'
                sh 'terraform show -json tf.plan > tf.plan.json'
                // Carry the JSON plan over to the scan stage.
                stash includes: 'tf.plan.json', name: 'cloudsec-iac-security-stash'
            }
        }
        stage('Submit Terraform Plan to InsightCloudSec') {
            environment {
                ICS_BASE_URL = "https://<ICS Base URL>/"
                ICS_API_KEY = credentials("ics-api-key")
                WORKSPACE = "${env.WORKSPACE}"
            }
            steps {
                unstash 'cloudsec-iac-security-stash'
                script {
                    try {
                        // Single-quoted so the shell, not Groovy, expands $ICS_API_KEY from the environment.
                        sh 'docker run -v $WORKSPACE:/data -e MIMICS_BASE_URL=$ICS_BASE_URL -e MIMICS_API_KEY=$ICS_API_KEY public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan data/tf.plan.json -c "My IaC Config Name" --report-formats all --report-path "/data/reports" --no-progress'
                    } catch (e) {
                        throw e
                    } finally {
                        // Reports are written to /data/reports, which is reports/ in the workspace.
                        archiveArtifacts 'reports/scan_output.*'
                    }
                }
            }
        }
    }
}