icon-zwp.svg
Posture Control (ZPC)

Configuring IaC Scan for Jenkins

This article provides step-by-step instructions for integrating the Zscaler IaC Scan plugin with Jenkins.

The IaC Scan plugin scans and identifies security misconfigurations and policy violations in the IaC Terraform, Kubernetes, Helm, ARM, and CloudFormation templates for both freestyle and pipeline jobs in Jenkins, and displays the scan results within the code.

Prerequisites

The administrator must install and authorize the Zscaler IaC Scan plugin on Jenkins to access the code repositories. Jenkins version 2.319.1 is required for this installation.

Ensure you use the supported operating systems only, otherwise the IaC integration fails.

Download the Zscaler IaC Scan plugin from the Jenkins Marketplace and install it on Jenkins. To learn more about installing plugins, see the Jenkins documentation.

Configuring the Zscaler IaC Scan Plugin for Jenkins

To configure the Zscaler IaC Scan plugin for Jenkins:

  1. After you've installed the plugin from the Jenkins Marketplace, log in to the Zscaler Posture Control (ZPC) Admin Portal.
  2. Go to Administration > Version Control & CI/CD Systems.
  3. On the IaC Integrations page, click Add IaC Integration.

  1. Under General Information:
    1. For IaC Scanner Type, select CI/CD.
    2. For Platform, select Jenkins.

  1. Click Next.
  2. Under Configuration:
    1. Enter the local identifier for your Jenkins server, then click Confirm. Enter a unique name. For example, you can provide the name of your organization, Jenkins job, or a repository.
    2. Copy the Client ID and Client Secret Key that are generated. Make sure to copy and save these values as they are displayed only once. These values are required to establish a connection between the Jenkins server and the ZPC service.
  3. Click Finish.

The Jenkins account is displayed on the Version Control & CI/CD Systems page, but the status of this account is shown as Pending.

    1. Sign in to the Jenkins Web UI.
    2. Go to Manage Jenkins > Configure System.
    3. Under Zscaler IaC plugin Configuration:
      1. Choose Environment: Select the environment (EU or US) where your tenant resides.
      2. Credential: Click Add, then select Jenkins.

    1. In the Add Credentials window, for Domain, select Global Credentials (unrestricted).
    2. For Kind, select Username with password.
    3. For Scope, select Global (Jenkins, nodes, items, all child items, etc.).
    4. For Username, paste in the client ID that you copied in step 6b.
    5. For Password, paste in the client secret key that you copied in step 6b.
    6. For ID, provide a name for the credential.
    7. (Optional) Add a Description for the credential.
    8. Click Add.

    The Credential field under Zscaler IaC plugin Configuration is populated with a value.

    1. Click Validate.

    A message is displayed indicating that the connection between the Jenkins server and the ZPC Admin Portal is established.

    1. Click Save.
    Close

After you complete the configuration, the status changes to Success and the Jenkins URL is displayed for the account.

Configuring a Zscaler IaC Scan Job for Jenkins

You can configure the Zscaler IaC Scan plugin to scan a freestyle job or a pipeline job in Jenkins.

    1. On the Jenkins Dashboard, go to PA Freestyle.
    2. Select Configure from the left-side navigation.
    3. On the Build Triggers tab, under Build Environment:
      1. Select Zscaler IaC Scan.
      2. Make sure that Fail Build is selected. This option is enabled by default and the IaC Scan plugin fails the job if it identifies high severity violations in the IaC template. If you disable this option, the IaC Scan plugin continues to identify security misconfigurations in the template, but it will not fail the job.

    1. Click Save and Apply.

    The IaC Scan plugin triggers a scan whenever a build is submitted for deployment, detects misconfigurations and policy violations, and displays the scan results within the code. It also generates a report with the summary of the scan results for the Jenkins job. To learn more, see Viewing Jenkins Scan Results.

    1. On the Jenkins Dashboard, select Zscaler IaC Scan Results to view the graphical report.
    2. Click Export CSV or Export PDF to export the IaC scan results in the required format.

    The ZPC service generates alerts for the specific IaC policy violations detected during the scan. You can view the alert and policy violation details on the Alerts page. To learn more, see About Alerts.

    Close
    1. Go to the Jenkins Dashboard.
    2. Select the required pipeline project where you want to enable the IaC scanning.
    3. Select Configure from the left-side navigation.
    4. On the Pipeline tab, select Pipeline script from the drop-down menu.
    5. In the Script field, add the following step to enable IaC Scan for pipeline projects. By default, Zscaler IaC scan plugin performs a scan of the entire Jenkins repository. In case you want to scan only a specific file or directory, then provide either the file path or directory path, but not both at the same time.
    stage('Zscaler IaC scan') {
 steps{
  wrap([$class: 'ZscalerScan', failBuild: true, file_path: path of file, dir_path: path of the dir]) {
     }
  }
}

    When you set the failBuild value to 'true', then IaC scan will fail the build if there are policy violations. However, if you set the failBuild value to 'false', then IaC scan will not fail the build even if there are policy violations.

    1. Click Save and Apply.
    Close
Related Articles
Configuring IaC Scan for GitHub ActionsConfiguring IaC Scan for JenkinsViewing IaC Scan Results on the Jenkins UIConfiguring IaC Scan for Azure PipelinesConfiguring IaC Scan for Terraform CloudConfiguring IaC Scan for Other CI/CD Tools