Qualys IaC Security Integration with Jenkins
Qualys IaC Security CLI shifts compliance validation earlier in the development pipeline by scanning infrastructure-as-code templates before deployment rather than after resources are live in the cloud. The CLI evaluates configuration files against predefined controls to identify misconfigurations during the build phase, so teams can block them before anything is provisioned. This reduces remediation cost and risk exposure by catching security issues when they are cheapest to fix, and integrations with CI/CD tools such as Jenkins, GitHub, and GitLab embed the scan directly into existing development workflows.
Conventional security scans in a continuous integration and continuous deployment (CI/CD) environment run against cloud resources after deployment. That approach secures resources once they are provisioned in the respective cloud accounts, so it can only find configuration issues in resources that already exist.
With the introduction of the Infrastructure as Code (IaC) security feature in Qualys TotalCloud, organizations can validate IaC templates during development. The IaC Security feature evaluates templates against security and compliance policies, providing developers with visibility into configuration issues and policy violations during template creation and modification stages.
Qualys TotalCloud integrates with GitHub through GitHub Actions to scan IaC templates stored in GitHub repositories. The integration evaluates the templates against Qualys TotalCloud security controls and reports the misconfigurations detected in each workflow run. This gives visibility into the security posture of IaC templates stored in repositories and helps teams plan remediation accordingly. Follow this guide for more details.
For supported templates, other integrations, and features of Cloud IaC Security, refer to TotalCloud Online Help and TotalCloud API User Guide.
Scan IaC Templates at Jenkins
The Jenkins integration lets you run IaC scans from a pipeline job. We provide the pipeline job together with options that you configure, and the job can run on a variety of triggers.
You can perform an IaC scan on either of the following:
- The entire git repository.
- Only the templates that were newly added or updated on the branch.
The results are written to the build console, giving you proactive visibility into the security of the IaC templates in your git repositories.
Prerequisites
- Ensure that the Docker Pipeline plugin is installed in Jenkins.
- Configure the environment variables used by the pipeline script before you run the pipeline job in Jenkins. For details, refer to Configure Environment Variables.
- To auto-trigger a Jenkins pipeline job, install the Source Code Management (SCM) plugin for your repository host, for example the Bitbucket plugin or Bitbucket Server Integration. For auto-triggering, the pipeline job must contain a Jenkinsfile.
- Docker must be installed on the Jenkins agent node.
- Ensure that you have a valid Qualys TotalCloud Security Assessment application subscription.
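The following Jenkinsfile ties the prerequisites above together. It is an added example, not the pipeline job Qualys ships: take the real scanner image, the CLI invocation, the environment-variable names and the credential handling from the Qualys-provided job and the Configure Environment Variables section. The example assumes a placeholder image name `registry.example.com/qiac-cli:latest`, a `scan /scan` command inside the container, a Jenkins credential with ID `qualys-api-user`, the variable names `QUALYS_URL`, `QUALYS_USERNAME` and `QUALYS_PASSWORD`, and a template extension list of `.tf`, `.yaml`, `.yml` and `.json`. It implements both scan scopes described above (the entire repository, or only the templates added or updated on the branch) and binds the API credentials from the Jenkins credential store rather than hard-coding them.

```groovy
// Jenkinsfile: added example, not the pipeline job Qualys provides.
// Placeholders to replace with values from the Qualys-provided job and the
// "Configure Environment Variables" section: QIAC_IMAGE, the `scan /scan`
// invocation, the credential ID 'qualys-api-user', the QUALYS_* variable
// names, and the template extension list in the git diff pathspec.
pipeline {
    agent any  // a node with Docker installed and the Docker Pipeline plugin available

    parameters {
        booleanParam(name: 'SCAN_FULL_REPO', defaultValue: false,
            description: 'Scan every template in the repository instead of only those changed on this branch')
    }

    environment {
        QUALYS_URL = 'https://qualysapi.example.com'        // assumed: your platform API URL
        QIAC_IMAGE = 'registry.example.com/qiac-cli:latest' // assumed: the Qualys IaC Security CLI image
        SCAN_DIR   = 'iac-scan-input'                        // staging directory for changed templates
    }

    stages {
        stage('Checkout') {
            steps { checkout scm }
        }

        stage('Select templates') {
            steps {
                script {
                    if (params.SCAN_FULL_REPO) {
                        env.SCAN_PATH = '.'   // whole repository: hand the checkout root to the scanner
                    } else {
                        // Templates added (A) or modified (M) since the last successful build of this
                        // branch. GIT_PREVIOUS_SUCCESSFUL_COMMIT is set by the Git plugin; HEAD~1 is the
                        // fallback for the first build and needs a non-shallow clone.
                        // The extension list is an assumption; see the supported templates in Online Help.
                        def base = env.GIT_PREVIOUS_SUCCESSFUL_COMMIT ?: 'HEAD~1'
                        def changed = sh(returnStdout: true,
                            script: "git diff --name-only --diff-filter=AM ${base} HEAD -- '*.tf' '*.yaml' '*.yml' '*.json'"
                        ).trim()
                        if (changed) {
                            // Copy only the changed files, preserving their relative paths, so the
                            // scanner sees them in the same directory layout as the repository.
                            writeFile file: 'changed-templates.txt', text: changed + '\n'
                            sh 'rm -rf "$SCAN_DIR" && mkdir -p "$SCAN_DIR" && tar -cf - -T changed-templates.txt | tar -xf - -C "$SCAN_DIR"'
                            env.SCAN_PATH = env.SCAN_DIR
                        } else {
                            echo 'No IaC templates were added or updated on this branch; scan skipped.'
                            env.SCAN_PATH = ''
                        }
                    }
                }
            }
        }

        stage('Qualys IaC scan') {
            when { expression { env.SCAN_PATH } }   // nothing to scan => stage skipped, build not failed
            steps {
                // Bind the API credentials from the Jenkins credential store instead of
                // hard-coding them; Jenkins masks the bound values in the console output.
                withCredentials([usernamePassword(credentialsId: 'qualys-api-user',
                        usernameVariable: 'QUALYS_USERNAME', passwordVariable: 'QUALYS_PASSWORD')]) {
                    // Single-quoted Groovy string: the shell expands $QUALYS_* from the
                    // environment, so the secrets never pass through Groovy interpolation
                    // (which would expose them in the build log and the process list).
                    // The scan input is mounted read-only so the scanner cannot alter the
                    // templates it reports on.
                    sh '''
                        docker run --rm \
                          -e QUALYS_URL -e QUALYS_USERNAME -e QUALYS_PASSWORD \
                          -v "$WORKSPACE/$SCAN_PATH:/scan:ro" \
                          "$QIAC_IMAGE" scan /scan
                    '''
                }
            }
        }
    }
}
```

Two details are worth keeping when you adapt this to the Qualys-provided job: pass the credentials through `withCredentials` with a single-quoted `sh` string so the shell, not Groovy, expands them, and mount the scan input read-only. The `when` guard turns "no changed templates on this branch" into a skipped stage rather than a failed build, and `--diff-filter=AM` is what restricts the changed-template scope to files that were added or updated, matching the second scan mode described above.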