CloudBees Integration

Introduction

CloudBees is a Jenkins-based platform built to manage and run continuous integration and delivery pipelines. It lets you automate builds, tests, and deployments securely and at scale, centralizing pipeline execution in a controlled and easy-to-manage environment.

Requirements

As CloudBees is not an SCM and can not host source code, an Cloud SCM is needed. At this time, the supported SCMs are Github, Gitlab and Bitbucket.

The SCM is needed for executing pipelines on CloudBees but the Xygeni integration of those SCMs is not necessary to follow this guide.

1. Gather and new API Token and configure it as Secret

The following configuration examples show how to install & run the scanner using an API Token stored as a secret named XYGENI_TOKEN. See Generate Xygeni API Token for Scanner or ask your Xygeni administrator to generate it.

Go to the left panel > Configurations > Properties and click on Create Propertie

A new panel will open, use XYGENI_TOKEN as name, String as Data type and write your token on the Value field. Also do not forget to select the Secret checkbox for secure the token.

This is the expected result:

2. Integrate and SCM

Move to the Integrations tab and click on "Create Integration".

Click on Source code Management and follow the instructions depending on the SMC you want to integrate.

3. Create a component

In Cloudbees components are like proyects on Xygeni or repositories in the SCM.

Move to Components, create component to create one

This will show a list with all the connected repositories, select at least one to continue.

A new component will be created. Click on that component.

4. Create and run a new workflow

Move to Workflows and press Create Standard Workflow. This will create a new workflow.

This workflows are based on yaml files and use the more or less the same lenguage as Github Actions. But, external actions (as the one of xygeni) can not be used. This means that all the xygeni scanner download and executing workflow must be done by hand.

You can use the following pipeline as template and modify the xygeni scan command as you need it:

apiVersion: automation.cloudbees.io/v1alpha1
kind: workflow
name: xygeni-scan

on:
  workflow_dispatch: {}

jobs:
  xygeni-scan:
    steps:
      - name: Checkout
        uses: cloudbees-io/checkout@v1
        with:
          fetch-depth: 0

      - name: Download + unzip Xygeni Scanner + Run
        uses: docker://maven:3.9.9-eclipse-temurin-17
        env:
          XYGENI_URL: "https://api.xygeni.io"
          XYGENI_TOKEN: ${{ secrets.XYGENI_TOKEN }}
        run: |
          set -euo pipefail

          echo "== Verify required tools =="
          command -v mvn >/dev/null 2>&1 || (echo "mvn not found" && exit 1)

          # Ensure curl + unzip exist
          if ! command -v curl >/dev/null 2>&1 || ! command -v unzip >/dev/null 2>&1; then
            apt-get update
            apt-get install -y curl unzip ca-certificates
          fi

          echo "== Download scanner zip =="
          curl -sSL -o xygeni-release.zip https://get.xygeni.io/latest/scanner/xygeni-release.zip

          echo "== Unzip =="
          rm -rf xygeni_scanner
          unzip -q xygeni-release.zip

          chmod +x ./xygeni_scanner/xygeni

          ./xygeni_scanner/xygeni \
            --url "${XYGENI_URL}" \
            scan --never-fail -n "${CLOUDBEES_REPO:-repo}" -d .

Use --never-fail to avoid breaking the build if the scan finds issues or fails. You may also use --fail_on=critical to terminate the build only when critical issues are found.

Use --run=secrets,iac if you want to scan only for secrets and IaC flaws, for example.

Press commit to save the changes and press Run to launch the workflow.

A new Run will be shown on the Run Summary list.

PreviousGitea Actions Integration NextGit Hooks with Xygeni

Last updated 7 hours ago