Building Secure Images Using Prisma Jenkins Plugin


By Tushir Pruthi, Customer Success Engineer

 

Welcome to our presentation on Building Secure Images Using Prisma Jenkins Plugin. This topic falls under Shift Left, the practice of catching security issues as early as possible in order to create secure images. This document is restricted to Continuous Integration. You can also check IaC templates using the Application Security module of Prisma Cloud; however, that topic is beyond the scope of this article.

 

We'll explore the fundamentals of Continuous Integration, the CI tool Jenkins and its integration with Prisma Cloud and GitHub, and finally we will create a Docker image using a Jenkins job that leverages the Prisma plugin for Jenkins. We will define the CI rules (quality gates) in Prisma Compute, which govern the result of the CI run.

 

Environment/Tools Used:

 

  • Ubuntu Linux host with Jenkins installed
  • Docker
  • Prisma Compute version 33
  • GitHub

 

What is Continuous Integration?

 

Continuous Integration (CI) is a software development practice where developers frequently merge their code changes into a shared repository, usually multiple times a day. Each integration is automatically verified by building the project and running tests to detect errors early. This helps in identifying and fixing bugs faster, improving software quality, and reducing integration issues.

 

A CI pipeline typically includes steps like code compilation, automated testing, static code analysis, and artifact generation. Tools like Jenkins, GitHub Actions, GitLab CI/CD, and CircleCI facilitate CI implementation.

 

We will focus on Jenkins because it is among the most popular CI tools and Prisma Compute provides a native plugin for it. However, Prisma Cloud can be integrated with any CI tool or automation framework, since it ships a CLI utility called twistcli.

 

The Jenkins plugin also uses twistcli underneath.

 

Key benefits of CI include:

  • Early bug detection: Frequent testing ensures issues are caught early.
  • Improved collaboration: Developers work with the latest code, reducing integration conflicts.
  • Faster development cycles: Automation speeds up code validation.
  • Higher code quality: Continuous testing leads to better software stability.

 

CI is often used alongside Continuous Deployment (CD), where tested code is automatically deployed to production. Together, they enable faster, more reliable software delivery. Companies adopting CI/CD improve efficiency, reduce manual work, and enhance customer satisfaction through rapid feature releases.

 

Jenkins

 

Jenkins is an open-source automation server used for Continuous Integration (CI) and Continuous Deployment (CD). It helps automate building, testing, and deploying applications, ensuring faster and more reliable software delivery. Written in Java, Jenkins supports numerous plugins for integrating with various tools like Git, Docker, and Kubernetes. 

 

It allows developers to set up CI/CD pipelines using a simple web interface or declarative pipelines in code. Jenkins runs on multiple platforms and can be extended with plugins for customized workflows. Its benefits include improved efficiency, early bug detection, and streamlined software development, making it a popular choice for DevOps teams.

 

Docker

 

Docker is an open-source platform that enables developers to build, package, and run applications in lightweight, portable containers. These containers include everything needed to run the application—code, libraries, dependencies—ensuring consistency across different environments. Docker helps streamline development, testing, and deployment, reducing compatibility issues and simplifying DevOps workflows.

 

Docker Images

 

A Docker Image is a lightweight, standalone, and executable package that contains the application code, runtime, dependencies, and configurations. Images serve as blueprints for containers, and multiple containers can be created from the same image. Images are stored in repositories like Docker Hub and can be versioned for easy updates and rollbacks.

 

GitHub

 

GitHub can be integrated with Jenkins for Continuous Integration (CI) to automate building, testing, and deploying applications. Using webhooks, Jenkins can be triggered whenever code is pushed to a GitHub repository. The GitHub plugin in Jenkins allows seamless integration, enabling developers to fetch code, run tests, and generate artifacts automatically.

 

A typical Jenkins pipeline pulls the latest code from GitHub, runs CI steps (build, test, analyze), and provides feedback. This setup helps detect bugs early, ensures code quality, and speeds up development. Jenkins can also deploy successful builds, making it a powerful tool for GitHub-based CI/CD workflows.

 

Prisma Compute Plugin For Jenkins

 

The Prisma Cloud Compute plugin for Jenkins integrates Palo Alto Networks' security capabilities into Jenkins CI/CD pipelines. This plugin enables automated security scanning of container images and serverless functions during the build process, identifying vulnerabilities, compliance issues, and malware before deployment. 

 

By incorporating these security checks early in the development cycle, teams can proactively address potential risks, ensuring that only secure and compliant artifacts progress through the pipeline. The plugin supports both freestyle and pipeline jobs, offering flexibility in how security scans are configured and executed within Jenkins. Integrating Prisma Cloud Compute with Jenkins enhances the security posture of applications by embedding continuous security assessments into the CI/CD workflow.

 

Figure 01: CI pipeline with Prisma Cloud

 

The diagram above depicts a CI job: a user commits a Dockerfile to the GitHub repo, which triggers a Jenkins build job through the webhook. The Jenkins job builds a new image, and this is where Prisma Compute comes in: it scans the image against the CI rules defined in Prisma Cloud. If the image meets the criteria for vulnerabilities and compliance, the build job continues; otherwise it is marked as failed.

 

Creating the Jenkins Job

 

1. Install the Prisma Cloud plugin

 

Download the plugin from the Prisma Compute console (Manage ⇒ System ⇒ Utilities).

 

Figure 02: Prisma Jenkins plugin download

 

Open the Jenkins console and click Manage Jenkins ⇒ Plugins ⇒ Advanced Settings. Upload the plugin to Jenkins and click Deploy.

 

Figure 03: Prisma Jenkins plugin install

 

You will see a success message.

 

2. Configure the Jenkins Prisma plugin to communicate with Prisma Compute

 

Open the Jenkins console, click Manage Jenkins, and locate the Prisma Cloud section. Enter the Address, User and Password values from your setup, then click the Test button; you will see a success message. Refer to the screenshot below:

 

 
Figure 04: Configure the Prisma Jenkins plugin



3. Create a GitHub repo with a Dockerfile and configure a GitHub webhook to trigger a job when a commit is made

 

Click Repo Settings ⇒ Webhooks, then Add Webhook.

 

 
Figure 05: Configure the GitHub repo webhook

 

4. Define the Prisma CI rules

 

CI rules can be created under the Defend ⇒ Vulnerabilities and Defend ⇒ Compliance sections.

 

In the screenshot below for vulnerabilities, we define the rule so that the pipeline fails if the image has any vulnerability (low, moderate, high or critical). You can customize the rule to meet your project's needs, and you can add CVE exceptions within the rule. Refer to the Prisma Compute Admin Guide for more details.

 

 
Figure 06: Prisma CI vulnerability rule

 

5. Create a freestyle Jenkins job

 

For simplicity we are creating a freestyle project; feel free to create a pipeline as well. The job:

  • Pulls the Git repo with a Dockerfile.

 

You may need to add credentials if your repo is not public.

 

Figure 07: Pull the GitHub repo

 

  • Builds the Docker image using the Docker plugin or the docker CLI:

      As the repo contains the Dockerfile, run

      docker build -t image_name:tag_name .

      The image name must match the criteria defined in the collection of the Prisma rule.

 

  • Scans the image using the Prisma plugin.

      Specify the image name you used in the previous step.

 

 
Figure 08: Scan the image with Prisma

 

  • Pushes the image to Docker Hub.

      Use the Docker plugin or the docker push command to publish the image to Docker Hub.
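The same four steps (build, scan, gate, push) expressed as a declarative Jenkinsfile, added here as an example rather than taken from the original article. The prismaCloudScanImage and prismaCloudPublish steps and their parameter names follow the plugin's documented pipeline syntax; the image name and the Docker Hub credential ID are assumptions for your own setup, and the console address and user come from the global Prisma Cloud section configured in step 2.

```groovy
pipeline {
    agent any   // declarative pipelines check out the repo (with the Dockerfile) automatically
    environment {
        // Assumed name: it must match the collection targeted by the Prisma CI rule (step 4).
        IMAGE = 'example-org/demo-app:1.0.0'
    }
    stages {
        stage('Build') {
            steps {
                sh "docker build --no-cache -t ${IMAGE} ."
            }
        }
        stage('Scan') {
            steps {
                // Plugin step: the console address and credentials come from the
                // global Prisma Cloud section (step 2). The step fails the build when
                // the image violates the CI vulnerability or compliance rules (step 4).
                prismaCloudScanImage ca: '',
                    cert: '',
                    dockerAddress: 'unix:///var/run/docker.sock',
                    image: "${IMAGE}",
                    key: '',
                    logLevel: 'info',
                    podmanPath: '',
                    project: '',
                    resultsFile: 'prisma-cloud-scan-results.json',
                    ignoreImageBuildTime: true
            }
        }
        stage('Push') {
            // Only reached when the scan stage passed, so a failing image never reaches the registry.
            steps {
                withCredentials([usernamePassword(credentialsId: 'dockerhub-creds', // assumed credential ID
                                                  usernameVariable: 'DH_USER',
                                                  passwordVariable: 'DH_PASS')]) {
                    sh 'echo "$DH_PASS" | docker login -u "$DH_USER" --password-stdin'
                    sh "docker push ${IMAGE}"
                }
            }
        }
    }
    post {
        always {
            // Publish the scan report on the job page even when the build failed.
            prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results.json'
        }
    }
}
```

The Push stage is skipped whenever the Scan stage fails, which is the same gate the freestyle job gets from the plugin build step.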

 

Sample screenshots of a failed and a passed CI build.

 

You can validate the build status in the Jenkins console as well as in the Prisma console.

In Prisma, click Monitor ⇒ Vulnerabilities ⇒ CI tab and locate your image; you will also see your Jenkins job name and job number there.

 

 

 

Figure 09: Scan results in Prisma


Conclusion: Building Secure Images Using Prisma Jenkins Plugin

 

Shift Left: the Prisma Jenkins plugin gives developers early feedback so they can fix vulnerability and compliance issues before release. It ensures that only images meeting the defined standards move to the production environment, which significantly reduces the associated risk and attack surface.

 

References

 

Admin Guide

 

Git Jenkins Plugin



Last Updated: 02-10-2025 05:46 PM