Jenkins for code scans - Administrator Guide - Cortex Cloud Posture Management

Jenkins for code scans - Administrator Guide - Cortex Cloud Posture Management - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product

Cortex Cloud Application Security > Cortex CLOUD

License

Cloud Runtime Security

Creation date

2024-12-24

Last date published

2026-06-10

Note

Jenkins onboarding offers both code and CI/CD scanning. A single integrated instance supports either code or CI scanning, but not both. If you require both code and CI scanning for your Jenkins servers, you must create two separate integrations, selecting the appropriate scanning type for each. To onboard Jenkins for CI/CD scans, refer to Jenkins for CI/CD pipeline scans.

Prerequisite

Grant Administrator permissions to the user integrating Cortex Cloud Application Security with Jenkins
Egress path: Create an egress path to establish the designated route for outbound data transmission from Cortex Cloud to third party services. For more information about configuring egress paths, refer to Egress configurationsEgress configurations

Onboarding steps

On the Cortex Cloud console:
1. Navigate to Settings → Data Sources & Integrations → + Add New.
2. Search for and hover over Jenkins and click Add, or Add Another Instance if an instance is already onboarded.
On the Select Integration step of the Jenkins integration, select Code Scan → Next.
On the Add Environment Variables step of the wizard.
1. Select Generate API key.
  The API key secret and API key ID values are generated and populate their respective fields.
2. Select your system architecture.
3. Click Next.
Store your Cortex Cloud API Key and API ID in the Jenkins Credentials store.
Danger
- For Cortex Cloud Application Security CI tools, you must store secrets in Jenkins Credentials for use in your Jenkins pipelines using either of these methods:
  Plain text storage: Store secrets directly as plain text in Jenkins Credentials. Access them in your pipeline using the credentials function, which retrieves the secret directly as plain text
  Credentials Binding Plugin: Use the withCredentials function (requires installing the Credentials Binding Plugin) to securely bind credentials to environment variables within your pipeline
- The variable names CORTEX_API_KEY and CORTEX_API_KEY_ID must be used exactly as provided. They are part of a predefined system and cannot be changed without causing errors
- If you have an API key:
  1. Copy the CORTEX_API_KEY and CORTEX_API_KEY_ID variable names from their respective fields in the wizard.
  2. Add the CORTEX_API_KEY and CORTEX_API_KEY_ID names and their corresponding values as separate environment variables (secrets) to the Jenkins Credentials store.
- If you do not have an API key:
  1. Click Generate API key → Copy the CORTEX_API_KEY and CORTEX_API_KEY_ID and their corresponding values from their respective fields.
  2. Add the CORTEX_API_KEY and CORTEX_API_KEY_ID names and their corresponding values as separate environment variables (secrets) to the Jenkins Credentials store.
On the Set repository step of the wizard: (Optional): Add the URL of the repository to be scanned, or skip this step if you are adding code scanning to an existing pipeline → Next.
Note
- This step is only required for new pipelines
- For private repositories, ensure the necessary credentials are configured in Jenkins Credentials
On the Configure Subscription step of the integration wizard.
1. Copy and paste the code from the Configure Subscription step of the integration wizard into your Jenkins pipeline.
2. In the labels property of your Jenkins configuration file, enter the label of a Jenkins node that is configured with Docker.
  Note
  This ensures your build runs within a Docker environment. If a node without Docker is used, the build will fail.
3. Optional: The provided code assumes that your Cortex Cloud access key and ID are stored as plain text in Jenkins Credentials. You can replace this method with your preferred secret management solution (such as the withCredentials function).
4. Click Done.
Verify you receive the confirmation message on the last step of the wizard → Close.
Verify integration and confirm that the your integrated Jenkins instance has a status of Connected.
1. On the Data Sources & Integrations page, search for Jenkins in the search bar.
2. Hover over and select the resulting entry.
3. Locate and verify that the status of your instance is Connected.
Next step: View scan results and mitigate issues.

Jenkins code scan workflow template (without checkout)

This Jenkins workflow example automates code scanning using the Cortex CLI. It does not include a step to checkout a repository. The workflow contains placeholder values (often in brackets) and generic terms (such as dev) that you must replace with your environment-specific information before use.

pipeline {
    agent {
        docker {
            image 'jenkins/agent:alpine'
            args '-u root --privileged -v /var/run/docker.sock:/var/run/docker.sock'
            label '<REPLACE WITH LABEL OF NODE WITH DOCKER INSTALLED>' // Use a docker agent with docker installed
        }
    }

    environment {
        CORTEX_API_KEY = credentials('CORTEX_API_KEY')
        CORTEX_API_KEY_ID = credentials('CORTEX_API_KEY_ID')
        CORTEX_API_URL = '<YOUR_CORTEX_URL>'// Your placeholder
        CORTEX_CLI_VERSION = '0.8.11'
    }

    stages {

        stage('Install Dependencies') {
            steps {
                sh '''
                apk add --no-cache jq docker
                '''
            }
        }

        stage('Get Temporary Token') {
            environment {
                TEMP_TOKEN = ""
            }
            steps {
                script {
                    def response = sh(script: """
                        curl --location '${env.CORTEX_API_URL}/public_api/cas/v1/cortex-cli/create-token' \
                          --header 'Authorization: ${env.CORTEX_API_KEY}' \
                          --header 'x-xdr-auth-id: ${env.CORTEX_API_KEY_ID}' \
                          --header 'Content-Type: application/json' \
                          --data '{}' \
                          -s
                    """, returnStdout: true).trim()

                    env.TEMP_TOKEN = sh(script: """echo '${response}' | jq -r '.token'""", returnStdout: true).trim()
                }
            }
        }

        stage('Pull Docker Image') {
            steps {
                sh """
                docker pull distributions-dev.traps.paloaltonetworks.com/cli-docker/${env.TEMP_TOKEN}/method:amd64-${env.CORTEX_CLI_VERSION}-dev
                docker tag distributions-dev.traps.paloaltonetworks.com/cli-docker/${env.TEMP_TOKEN}/method:amd64-${env.CORTEX_CLI_VERSION}-dev cortexcli:${env.CORTEX_CLI_VERSION}
                """
            }
        }

        stage('Run Docker Container') {
            // Replace the repo-id with your repository like: owner/repo
            steps {
                unstash 'source'
                env.BRANCH = sh(script: "git rev-parse --abbrev-ref HEAD", returnStdout: true).trim()
                sh """
                docker run --rm --platform linux/amd64 cortexcli:${env.CORTEX_CLI_VERSION} \
                  --api-base-url ${env.CORTEX_API_URL} \
                  --api-key ${env.CORTEX_API_KEY} \
                  --api-key-id ${env.CORTEX_API_KEY_ID} \
                  code scan \
                  --directory . \
                  --repo-id <REPLACE WITH REPO_OWNER/REPO_NAME> \
                  --branch $BRANCH
                """
            }
        }
    }
}

Jenkins code scan workflow template (with checkout)

This Jenkins workflow example automates code scanning using the Cortex CLI. It includes a step to checkout a repository. The workflow contains placeholder values (often in brackets) and generic terms (such as dev) that you must replace with your environment-specific information before use.

pipeline {
    agent {
        docker {
            image 'jenkins/agent:alpine'
            args '-u root --privileged -v /var/run/docker.sock:/var/run/docker.sock'
            label '<REPLACE WITH LABLE OF NODE WITH DOCKER INSTALLED>' // Use a docker agent with docker installed
        }
    }

    environment {
        CORTEX_API_KEY = credentials('CORTEX_API_KEY')
        CORTEX_API_KEY_ID = credentials('CORTEX_API_KEY_ID')
        CORTEX_API_URL = '<YOUR_CORTEX_URL>' // Your placeholder
        CORTEX_CLI_VERSION = '0.8.11'
    }

    stages {
        stage('Checkout Repository') {
            steps {
                git branch: 'main', url: 'https://github-example.com/example-repo'
                stash includes: '**/*', name: 'source'
            }
        }

        stage('Install Dependencies') {
            steps {
                sh '''
                apk add --no-cache jq docker
                '''
            }
        }

        stage('Get Temporary Token') {
            environment {
                TEMP_TOKEN = ""
            }
            steps {
                script {
                    def response = sh(script: """
                        curl --location '${env.CORTEX_API_URL}/public_api/cas/v1/cortex-cli/create-token' \
                          --header 'Authorization: ${env.CORTEX_API_KEY}' \
                          --header 'x-xdr-auth-id: ${env.CORTEX_API_KEY_ID}' \
                          --header 'Content-Type: application/json' \
                          --data '{}' \
                          -s
                    """, returnStdout: true).trim()

                    env.TEMP_TOKEN = sh(script: """echo '${response}' | jq -r '.token'""", returnStdout: true).trim()
                }
            }
        }

        stage('Pull Docker Image') {
            steps {
                sh """
                docker pull distributions-dev.traps.paloaltonetworks.com/cli-docker/${env.TEMP_TOKEN}/method:amd64-${env.CORTEX_CLI_VERSION}-dev
                docker tag distributions-dev.traps.paloaltonetworks.com/cli-docker/${env.TEMP_TOKEN}/method:amd64-${env.CORTEX_CLI_VERSION}-dev cortexcli:${env.CORTEX_CLI_VERSION}
                """
            }
        }

        stage('Run Docker Container') {
            // Replace the repo-id with your repository like: owner/repo
            steps {
                unstash 'source'
                env.BRANCH = sh(script: "git rev-parse --abbrev-ref HEAD", returnStdout: true).trim()
                sh """
                docker run --rm --platform linux/amd64 cortexcli:${env.CORTEX_CLI_VERSION} \
                  --api-base-url ${env.CORTEX_API_URL} \
                  --api-key ${env.CORTEX_API_KEY} \
                  --api-key-id ${env.CORTEX_API_KEY_ID} \
                  code scan \
                  --directory . \
                  --repo-id <REPLACE WITH REPO_OWNER/REPO_NAME> \
                  --branch $BRANCH
                """
            }
        }
    }
}

Manage data source integrations

Manage integrations to align with evolving requirements and ensure they remain current.

Navigate to Settings → Data Sources & Integrations and use the Vendor filter to located the required integration.
Select your vendor from the list.
The integrated instances for the selected vendor are displayed.
Right-click on an instance and select an option:
- Edit instance: Redirects to the Select Repositories step of the integration wizard, where you can modify configurations for the selected instance. For more details, refer to the relevant integration guide
- Delete instance: When confirmed, deletes the instance, including data from previous scans
- Copy entire row – Copies all column values for the selected row to the clipboard.

Note

Prerequisite

Onboarding steps

Danger

Note

Note

Jenkins code scan workflow template (without checkout)

Jenkins code scan workflow template (with checkout)

Manage data source integrations