Overview

Integrating Bridgecrew with Jenkins makes it possible for Bridgecrew to scan your Infrastructure-as-code files, display Incidents on the Console and, optionally, cause a build to fail.

Jenkins is an extremely powerful and customizable tool. There are many ways to integrate Jenkins with a code repository to trigger builds. This page gives examples, but it is very likely that you will need to adapt these examples to your environment.

How to Integrate

  1. From the Integrations Catalog, under CI/CD, select Jenkins.
  2. Enter a name for your token and add a description (optional), then select Create. Tokens are specific per user and enforce the role and permissions assigned to that user within the organization.
  3. Save the API Token, then select Next. (The token will not be available later.)
  4. Copy the URL of the repository to be scanned, then select Next.
  5. To configure your subscription, copy the pipeline step shown and paste it into your Jenkins Pipeline, then select Done.
    Note: this example hardcodes your Bridgecrew API token. We recommend configuring this value in a Jenkins credential.
    Note: after the next Jenkins scan, the scanned repository will appear in the Integrations grid; for further details, see here.

Environment variables

Adding environment context variables allows you to enrich Bridgecrew's code reviews in the platform with additional metadata. You do not need to specify any of these values for the integration to work; these are optional. Depending on your environment, you may be able to pull these from other environment variables. Or, you can set them manually, as in the example below.

  • BC_FROM_BRANCH
  • BC_TO_BRANCH
  • BC_PR_ID
  • BC_PR_URL
  • BC_COMMIT_HASH
  • BC_COMMIT_URL
  • BC_AUTHOR_NAME
  • BC_AUTHOR_URL
  • BC_RUN_ID
  • BC_RUN_URL
  • BC_REPOSITORY_URL
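The pipeline below is an added example, not part of the Bridgecrew documentation or the Checkov project, showing one way to derive these variables from the values Jenkins already exposes in a multibranch pipeline (BRANCH_NAME, CHANGE_*, GIT_*, BUILD_*). It assumes a multibranch job, a secret-text credential with the id 'BC_API_KEY', and the placeholder repo id 'my-org/my-repo'.

```groovy
// Added example: populate the optional BC_* context variables from Jenkins' own
// environment. CHANGE_* is only present on pull-request builds of a multibranch
// pipeline, so each value falls back to the branch build equivalent.
pipeline {
    agent any
    stages {
        stage('Checkout') {
            steps {
                // checkout scm also sets GIT_COMMIT and GIT_URL in the environment
                checkout scm
            }
        }
        stage('Checkov') {
            environment {
                // Commit and branch context
                BC_COMMIT_HASH    = "${env.GIT_COMMIT}"
                BC_REPOSITORY_URL = "${env.GIT_URL}"
                BC_FROM_BRANCH    = "${env.CHANGE_BRANCH ?: env.BRANCH_NAME}"
                BC_TO_BRANCH      = "${env.CHANGE_TARGET ?: env.BRANCH_NAME}"
                // Pull-request context: empty strings on plain branch builds
                BC_PR_ID          = "${env.CHANGE_ID ?: ''}"
                BC_PR_URL         = "${env.CHANGE_URL ?: ''}"
                BC_AUTHOR_NAME    = "${env.CHANGE_AUTHOR ?: ''}"
                // Build context, set by Jenkins for every build
                BC_RUN_ID         = "${env.BUILD_ID}"
                BC_RUN_URL        = "${env.BUILD_URL}"
            }
            steps {
                // 'BC_API_KEY' is an assumed credential id; the token is exposed only
                // inside this block and only as the environment variable bc_api_key
                withCredentials([string(credentialsId: 'BC_API_KEY', variable: 'bc_api_key')]) {
                    script {
                        docker.image('bridgecrew/checkov:latest').inside("--entrypoint=''") {
                            // Single-quoted so the shell, not Groovy, expands the token and the
                            // BC_* variables that Jenkins passes into the container's environment.
                            // 'my-org/my-repo' is a placeholder repo id.
                            sh '''
                              checkov -d . --use-enforcement-rules \
                                -o cli -o junitxml --output-file-path console,results.xml \
                                --bc-api-key "${bc_api_key}" \
                                --repo-id my-org/my-repo --branch "${BC_FROM_BRANCH}"
                            '''
                        }
                    }
                }
            }
        }
    }
}
```

On a branch build BC_PR_ID, BC_PR_URL and BC_AUTHOR_NAME are set to empty strings, which the integration treats as absent.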

Bridgecrew API key

We strongly recommend that you use the Jenkins credential store for your Bridgecrew API key rather than hardcoding it in the pipeline.

Example

This example assumes you have credentials stored in Jenkins.

pipeline {
    agent any

    stages {
        stage('Checkout') {
            steps {
                git branch: 'main', url: 'https://github.com/bridgecrewio/terragoat.git'
                // Stash the checked-out tree so the Checkov container scans the same files
                stash includes: '**/*', name: 'source'
            }
        }
        stage('Checkov') {
            steps {
                // Loads the secret-text credential with id 'BC_API_KEY' into the environment
                // variable bc_api_key for the duration of this block only
                withCredentials([string(credentialsId: 'BC_API_KEY', variable: 'bc_api_key')]) {
                    script {
                        // Override the image entrypoint so Jenkins can run its own shell steps inside
                        docker.image('bridgecrew/checkov:latest').inside("--entrypoint=''") {
                            unstash 'source'
                            try {
                                // Single-quoted: ${bc_api_key} is expanded by the shell, not by Groovy,
                                // so the token is never interpolated into the pipeline script.
                                // Checkov exits non-zero on a failed enforcement rule, which fails the build.
                                sh 'checkov -d . --use-enforcement-rules -o cli -o junitxml --output-file-path console,results.xml --bc-api-key ${bc_api_key} --repo-id bridgecrewio/terragoat --branch main'
                            } finally {
                                // Publish the JUnit report whether or not the scan passed
                                junit skipPublishingChecks: true, testResults: 'results.xml'
                            }
                        }
                    }
                }
            }
        }
    }
    options {
        preserveStashes()
        timestamps()
    }
}