Qualys IaC Security Integration with Jenkins

The security scans are conducted on cloud resources after deployment in the existing Continuous Integration and Continuous Deployment (CICD) environment. As a result, you secure your cloud resources post-deployment to respective Cloud accounts.

With an introduction of the Infrastructure as Code (IaC) security feature by Qualys TotalCloud, you can now secure your IaC templates before the cloud resources are deployed in your cloud environments. The IaC Security feature helps you shift cloud security and compliance posture to the left, allowing evaluation of cloud resources for misconfigura­tions much earlier during the development phase.

TotalCloud offers integration with Jenkins to scan and secure your IaC templates using the Jenkins pipeline job. It continuously verifies security misconfigurations against TotalCloud controls and displays the misconfigurations for each run. With continuous visibility of the security posture of your IaC Templates at Jenkins pipeline, you can plan for remedia­tion to stay secure post-deployment.

For supported templates, other integrations, and features of Cloud IaC Security, refer to TotalCloud Online Help and TotalCloud API User Guide.

Scan IaC Templates at Jenkins

The Jenkins integration allows you to perform IaC scans using a pipeline job. We provide you with a pipeline job and options that you can configure to run based on various triggers.

You can perform an IaC scan on either of the following:

• The entire git repository.
• The templates that were newly added or updated to the branch.

The results are generated on the build console that provides you with proactive visibility into the security of your IaC templates residing in git repositories.

Pre-requisites

• Added new columns network_id and apply_To_Agent to table Agent_Activation_key. Network_id is store network id of the activation key, and the checkbox value is stored in the apply_To_Agent column.
• Ensure that you have a valid docker pipeline plugin installed.
• Ensure to configure environment variables used in the pipeline script before you run the pipeline job in Jenkins. For more info, refer to Configure Environment Variables.
• To auto-trigger a Jenkins pipeline job, ensure that you install a specific Source Code Management (SCM) plugin, e.g., Bitbucket plugin or Bitbucket Server Integration. For auto-trigger, the pipeline job must contain a Jenkins file.
• Docker must be installed on the Jenkins agent node.
• Ensure that you have a valid Qualys TotalCloud Security Assessment application sub­scription.

Next step:

Configure Environment Variables