{jenkins-plugin-info:pluginId=contrast-continuous-application-security}

About

This plugin verifies vulnerability conditions by checking the vulnerabilities found in a build against configured filters. The plugin also graphs the history of vulnerabilities detected during each project's builds.

This plugin supports a post build action and a step in the pipeline build process.

Use the Plugin

You can view the plugin code in Jenkins' GitHub repository. In the Jenkins dashboard, go to Manage Jenkins in the left sidebar and select the Configure System page to find the new Contrast TeamServer profiles section.

Contrast API Settings

Contrast API settings enable the plugin to connect to Contrast and query for results. The plugin uses these settings to authenticate to Contrast and make API calls in post-build actions. Along with the following parameters, you'll need a unique profile name to identify your configuration and use it in a specific job.

Parameter | Description | Since
--------- | ----------- | -----
Contrast Username | Username/email for your account in Contrast |
Contrast API Key | Log in to your TeamServer account and go to Your Account. Look under YOUR KEYS. |
Contrast Service Key | Log in to your TeamServer account and go to Your Account. Look under YOUR KEYS. |
Contrast URL | API URL to your Contrast instance. Use https://app.contrastsecurity.com/Contrast/api if you're a SaaS customer; all others use the URL of your Contrast UI (e.g., https://contrastserver/Contrast/api). |
Organization UUID | Organization UUID of the configured user, found in Organization Settings |
ignoreContrastFindings | Jenkins boolean build parameter. If set to true, builds will not be failed when Vulnerability Threshold Conditions are not met. | 2.3
Result of a vulnerable build | Contrast TeamServer profile configuration parameter that lets you choose the result of a build that does not meet the Vulnerability Threshold Conditions. | 2.3
Fail build if application is not found on TeamServer | This option fails the build if the application is not found in Contrast. | 2.4
Allow global Contrast Vulnerability Threshold Conditions to be overridden in a Job configuration | Choose whether global threshold conditions can be overridden in post-build actions. (See the Global threshold conditions section for more details.) | 2.5

Test the connection

When you add a Contrast profile, use the validation button to test your connection and make sure that all the fields are accurate. Contrast prompts you if the test is successful or gives an error message if it fails.

Global threshold conditions

Once a connection is made, complete the following fields for Contrast Vulnerability Threshold Conditions.

You can add as many rules as you like. The plugin fails on the first bad condition and tells you on which condition it failed.

Note: Even if your build succeeds, the plugin fails the overall build if the test finds a bad condition.


Threshold conditions in a post-build action

Complete the following fields for Post-Build Actions.

Threshold conditions in a Pipeline step

When you add a Pipeline step named contrastVerification, it follows the same principles as the post-build action but uses the newer Pipeline format introduced with Jenkins 2.0.

Pipeline configuration:

contrastVerification applicationId: '1e6ad9c6-89d4-4f06-bdf6-92c569ec89de', count: 1, profile: 'new-profile', queryBy: 3, rule: 'cache-controls-missing', severity: 'High'

Test for Vulnerabilities

For the Jenkins plugin to get accurate information, you must add a unique identifier built from the Jenkins CI configuration as an agent property. The corresponding property for the Java agent is contrast.override.appversion. For example, when starting the Contrast agent, add the following property: "-Dcontrast.appname=${applicationName}".

The plugin can use either the unique identifier appVersionTag or the startDate to filter vulnerabilities and check conditions. You can change the format the plugin uses to create appVersionTag, or set the plugin to use startDate instead, with the queryBy pipeline parameter. Three options are available:

Both JOB_NAME and BUILD_NUMBER are available as Jenkins environment properties.
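The following Jenkinsfile ties the two halves together: it starts the instrumented tests with the agent properties from this section, using a per-build identifier derived from JOB_NAME and BUILD_NUMBER, and then gates the build with the contrastVerification step from the Pipeline section. This is an added example, not code from the plugin or its documentation; the tag format JOB_NAME-BUILD_NUMBER, the application name, the agent jar path and the Maven command are assumptions to adapt to your setup, and the tag format must match what your chosen queryBy option expects.

```groovy
// Added example (not the plugin's own code). Placeholders: APP_NAME,
// CONTRAST_AGENT path, the Maven command, and the assumed
// JOB_NAME-BUILD_NUMBER format of the per-build version tag.
pipeline {
    agent any

    parameters {
        // Jenkins boolean build parameter read by the plugin (since 2.3):
        // when true, unmet threshold conditions do not fail the build.
        booleanParam(name: 'ignoreContrastFindings', defaultValue: false,
                     description: 'Report threshold failures without failing the build')
    }

    environment {
        // Unique identifier for this build (assumed format); both variables
        // are Jenkins environment properties.
        CONTRAST_APP_VERSION = "${env.JOB_NAME}-${env.BUILD_NUMBER}"
        APP_NAME             = 'my-web-app'                   // placeholder
        CONTRAST_AGENT       = '/opt/contrast/contrast.jar'   // placeholder path
    }

    stages {
        stage('Test with Contrast agent') {
            steps {
                // Single-quoted script: the shell expands $VARS, so build
                // values are not interpolated into Groovy (avoids script
                // injection through job or build parameters).
                sh '''
                    mvn -B verify \
                      -DargLine="-javaagent:$CONTRAST_AGENT \
                        -Dcontrast.appname=$APP_NAME \
                        -Dcontrast.override.appversion=$CONTRAST_APP_VERSION"
                '''
            }
        }

        stage('Contrast vulnerability gate') {
            steps {
                // Same threshold condition as the page's snippet; replace the
                // applicationId with your own application's UUID.
                contrastVerification applicationId: '1e6ad9c6-89d4-4f06-bdf6-92c569ec89de',
                                     count: 1,
                                     profile: 'new-profile',
                                     queryBy: 3,
                                     rule: 'cache-controls-missing',
                                     severity: 'High'
            }
        }
    }
}
```

Because the agent reports findings under the same version tag the plugin queries for, the gate evaluates only vulnerabilities found by this build rather than the application's whole history.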