Jenkins security controls

You can define security controls for Jenkins:

  • At a system level,

  • as a post-build action step,

  • or for pipelines.

Define security controls at a system level

After you define a connection in Jenkins, and if you are using freestyle jobs, you may want to set Contrast vulnerability security controls at a system level. Alternatively, you can set security controls at a job level; if you use a job outcome policy, that policy's security controls take precedence.

  1. Under Contrast Connections > Contrast Vulnerability Security Controls, select a Connection you have previously created, from the drop-down menu.

  2. Set the Number of Allowed Vulnerabilities. This number is exclusive; if you set it to "5", Jenkins will fail if there are six or more vulnerabilities. This field is required.

  3. Choose a Vulnerability Severity from the options in the drop-down menu. (These are the same vulnerability severity options used in Contrast.) The plugin adds a filter to the API call so that only vulnerabilities with a severity greater than or equal to this value are counted. This field is not required, but selecting it narrows your results. For example, if the number is set to "5" and the severity to High, Jenkins fails the build if there are six or more vulnerabilities rated High or above.

  4. Choose a Vulnerability Type (rule name) from the drop-down menu. The plugin checks for the number of vulnerabilities with the rule type selected and compares it to the number of allowed vulnerabilities for that rule. This field is not required, but selecting it will narrow your results. You can choose one severity and one rule type per security control.

  5. Choose from the list of Vulnerability Statuses. Statuses aren't required, but can be helpful. For example, select Confirmed and Suspicious to only return vulnerabilities with an open status. Leave this blank if you don't want to filter vulnerabilities by statuses.

    You can add multiple vulnerability security controls. The plugin evaluates them in order and sets the build result on the first violated vulnerability security control; later controls are not evaluated.
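The following is an added example (not code from the Contrast Jenkins plugin) that models the gate semantics described in steps 2 to 5: an exclusive allowed count, a severity filter that matches the chosen severity or higher, optional rule-type and status filters, and the first violated control setting the build result. The severity ladder, rule names and the sample vulnerability list are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Dict, Tuple

# Assumed severity ladder, lowest to highest; the page only states that the
# filter is "greater than or equal to" the chosen severity.
SEVERITY_ORDER = ["Note", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class SecurityControl:
    allowed: int                            # Number of Allowed Vulnerabilities (exclusive)
    severity: Optional[str] = None          # Vulnerability Severity, None = no filter
    rule_type: Optional[str] = None         # Vulnerability Type (rule name), None = no filter
    statuses: FrozenSet[str] = frozenset()  # Vulnerability Statuses, empty = no filter


def matches(control: SecurityControl, vuln: Dict[str, str]) -> bool:
    """True if a vulnerability falls inside all of the control's filters."""
    if control.severity is not None and \
            SEVERITY_ORDER.index(vuln["severity"]) < SEVERITY_ORDER.index(control.severity):
        return False
    if control.rule_type is not None and vuln["rule"] != control.rule_type:
        return False
    if control.statuses and vuln["status"] not in control.statuses:
        return False
    return True


def evaluate(controls: List[SecurityControl],
             vulns: List[Dict[str, str]]) -> Tuple[str, Optional[int], int]:
    """Check controls in order; the first violated control sets the result.

    Returns (build result, index of the violated control or None, matching count)."""
    for i, control in enumerate(controls):
        count = sum(1 for v in vulns if matches(control, v))
        if count > control.allowed:   # exclusive: allowed=5 tolerates 5, fails at 6
            return "FAILURE", i, count
    return "SUCCESS", None, 0


# Constructed sample of what a vulnerability query might return (not real data).
SAMPLE_VULNS = (
    [{"severity": "High", "rule": "sql-injection", "status": "Confirmed"}] * 3
    + [{"severity": "Critical", "rule": "reflected-xss", "status": "Suspicious"}] * 2
    + [{"severity": "High", "rule": "reflected-xss", "status": "Reported"}]
    + [{"severity": "Low", "rule": "crypto-weak-hash", "status": "Confirmed"}] * 2
)

OPEN_HIGH = SecurityControl(5, "High", None, frozenset({"Confirmed", "Suspicious"}))  # 5 match: pass
ANY_HIGH = SecurityControl(5, "High")                                                 # 6 match: fail
XSS_ONLY = SecurityControl(2, None, "reflected-xss")                                   # 3 match: fail

if __name__ == "__main__":
    print(evaluate([OPEN_HIGH, ANY_HIGH, XSS_ONLY], SAMPLE_VULNS))  # ('FAILURE', 1, 6)
```

Note that OPEN_HIGH alone passes with exactly five matches, showing the exclusive threshold, while ANY_HIGH fails because dropping the status filter pulls in the sixth (Reported) finding.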

Define security controls as a post-build action step

After you have set security controls at the system level in Jenkins, you can also add security controls at a job level for freestyle jobs that are not part of a Jenkins Pipeline. To do this:

  1. When defining a job in Jenkins, find the Post-Build Actions section.

  2. Select a Connection you have previously created, from the drop-down menu.

  3. Choose your application. This field is required.

    • If your application has been instrumented, select your application from the Choose your application drop-down menu.

    • If your application has not yet been instrumented, indicate your application using the Application Name and Application Language fields. You must provide the same application name in Jenkins that you will use when you do instrument your application. Contrast will use that same name and language during the post-build action step after the application has been instrumented.

  4. If the connection is configured to allow the system-level vulnerability security controls to be overridden, you can override that setting by checking the box next to Override Vulnerability Security Controls at the Jenkins system level.

    If you do this, you will also need to indicate the Number of Allowed Vulnerabilities, Vulnerability Severity, Vulnerability Type, and Vulnerability Statuses for this job.

  5. Select how you want to query vulnerabilities by choosing an option under Query vulnerabilities by. That way, only the vulnerabilities found by that job are considered. By default, the plugin uses the first option, appVersionTag, in the format applicationId-buildNumber.