Tutorial: Incorporate IaC Security in your CI/CD pipeline with Bridgecrew, Jenkins, and GitHub

Jenkins is the most popular open-source continuous integration/continuous delivery (CI/CD) automation tool in the world today. In short, Jenkins manages and controls software delivery processes throughout the entire lifecycle, including build, document, test, package, stage, deployment, static code analysis, and much more.

Adding security into your CI/CD creates a feedback loop and guardrails to ensure only secure code is committed to a repository and deployed. At the build stage, a security check like Bridgecrew’s integration will tell you what misconfigurations are in your code. Adding a soft or hard fail will block code from being integrated or deployed.

In this tutorial, we’ll be integrating Bridgecrew with GitHub and Jenkins. Every new pull request will fire off a Jenkins pipeline run and a code review by Bridgecrew.

Prerequisites for the workshop

Before we get started, make sure you have the following prerequisites. To get the most out of this tutorial, it will also be helpful to have a basic understanding of IaC, git, CI/CD principles, and Jenkins core concepts (e.g., pipeline as code).

A running Jenkins instance with Docker installed

Jenkins can either be run as a stand-alone process or as a container. Make sure you have Java installed and Docker Engine installed. Then install and start Jenkins for your operating system.

Then, we need to grant the Jenkins user access to Docker Engine. For Ubuntu that will look like this:

sudo usermod -aG docker jenkins
Restart Jenkins - sudo /etc/init.d/jenkins restart

If you’re running this on a remote server, such as in the cloud, make sure to open port 8080.

Now, browse to localhost:8080 or <serverurl>:8080 and follow the instructions to complete the installation. In terms of plugins, feel free to use the defaults.


You will also need Github for this exercise. If you don’t have one already, create a Github account here.


Lastly, you’ll need access to Bridgecrew. It takes just a couple of minutes to sign up for a free Bridgecrew account using your email and password or with Google or GitHub auth.

All set? Let’s get started!

Step 1: Fork TerraGoat

This workshop uses our vulnerable-by-design Terraform project, TerraGoat, so that you can scan and automate IaC without the added friction of integrating your own code.

To set up your demo environment, you’ll want to fork the TerraGoat repository. Head over to the TerraGoat repository and fork it using the button in the upper right corner.

screenshot of terragoat

Step 2: Add Bridgecrew GitHub integration

To automatically scan your repositories, you will need to integrate with GitHub.

Note: you will need write or admin permissions to a repository to integrate Bridgecrew.

Go to the Integrations tab, select GitHub, and Authorize Bridgecrew. This will allow you to integrate with GitHub and the GitHub Marketplace.

screenshot of bridgecrew authorize

Once integrated, you’ll be able to select which repositories to scan with Bridgecrew. Select your TerraGoat repo.

Step 3: Set up Jenkins

To set up Jenkins for this workshop, you will want to install the Docker Pipeline as a plugin. Jenkins provides a couple of different methods for installing plugins on the master. You can do so using the Plugin Manager in the web UI, or you can use the Jenkins CLI install-plugin command.

According to Jenkins, the simplest and most common way of installing plugins is through the web UI using the Manage Jenkins > Manage Plugins view, available to administrators of a Jenkins environment.

From the UI, select Manage Jenkins and then Manage Plugins. Then, check Docker Pipeline. Most plugins can be installed and used immediately by checking the box adjacent to the plugin and clicking Install without restart.

screenshot of jenkins

Step 4: Add Bridgecrew Jenkins integration

Now, it’s time to integrate Bridgecrew and Jenkins. Back in your Integrations tab, find the Continuous Integration section on the left side, select Jenkins, and then Add Subscription.

screenshot of bridgecrew jenkins

From there, type in your repository URL. This is where you will add your fork of TerraGoat.

Next, copy the pipeline step shown and paste it into your Jenkins Pipeline.

screenshot of jenkins pipeline

Head to Jenkins and select New Item. Label the new item bridgecrew-pipeline, select Pipeline, and then OK. Scroll to the bottom and add the pipeline code you copied from Bridgecrew.

You will need to add two more lines to output the results in Jenkins:

sh "pipenv run bridgecrew --directory .  -o junitxml > result.xml || 
junit "result.xml"

Let’s make the pipeline a little more secure by hiding the Bridgecrew API key. Delete your API key (the string that follows –bc-api-key) and replace it with $BC_API_KEY:

environment {
  BC_API_KEY = credentials('bc-api-key')

screenshot of pipeline

In the dashboard, select Manage Jenkins -> Manage Credentials -> global -> Add Credentials. Fill out the credentials as follows:

  • Type: Secret Text
  • Secret: API Key
  • ID: bc-api-key

screenshot of jenkins

Step 5: Add a GitHub webhook trigger

Next, let’s add a webhook to fire off our Jenkins pipeline when code is pushed to GitHub. To add a GitHub webhook trigger, you will need the GitHub plugin (which comes pre-installed if you selected the default plugins). Note: if you are behind a firewall, allowlist the “hooks” IPs from https://api.github.com/meta for TCP ports 22, 80, 443, and 9418.

Now, go back to the bridgecrew-pipeline and select Configure. Under Build Triggers select GitHub hook trigger for GITScm polling and then click Save.

From there, select GitHub -> TerraGoat repo fork -> Settings -> Webhooks and select Add webhook. Add <your-Jenkins-url>:<port>/github-webhook/ and change Content type to application/json. Now choose Let me select individual events and select Pull Requests and Pushes.

Jenkins doesn’t pick up the trigger until it’s pre-warmed, so we need to do a first run. At the bottom, select Add webhook. Now go back to Jenkins -> the Dashboard -> bridgecrew-pipeline -> Build Now. This action pre-warms the pipeline.

screenshot of terragoat webhook

Step 6: Pull request scanning

Now, we are ready to trigger pull request Comments. In GitHub, go to the ec2.tf file in your TerraGoat repository and select Edit this file. For demonstration purposes, you can artificially trigger a pull request by adding a space inside every resource.

screenshot of github

From here, select Create a new branch for this commit and start a pull request. Click Propose changes -> Create pull request.

Now, take a look at the PR Comments, find a suggestion, and click Commit suggestion -> Commit changes. Scroll to the bottom and select Merge pull request -> Confirm merge and Delete branch.

Step 7: Make a fix

There are a few ways you can leverage Bridgecrew’s recommended fixes, including straight from the PR comments or from the Bridgecrew platform. The Bridgecrew platform provides a centralized view for tracking misconfigurations across your code scans. In this step, we’ll create a remediation pull request for one of the issues that make it into our repository and in production.

In the Projects tab, you can view the results of your GitHub scan, as well as any other code scan that includes a repository ID and your Bridgecrew API.

First, select the TerraGoat repo in the dropdown. Choose one of the policy violations, and then select Fix -> Submit.

gif of terragoat output in bridgecrew

This will open up a pull request with the fix in GitHub.

pull request in github

Merging the pull request will fix the misconfiguration in the IaC file.

Step 8: See the results in Jenkins

It may feel redundant to scan for misconfigurations in your repo and in your CI/CD pipeline, but the idea is to have multiple checks throughout the DevOps process to increase the chance of security issues getting caught and fixed.

To see the results of your Bridgecrew scan, head back over to Jenkins and view the latest run (or manually trigger if you didn’t add the webhook). You’ll notice the number of errors has gone down. Great job!

screenshot of jenkins bridgecrew

This workshop showed off just two of our many integrations. If you want to shift your cloud security even more left, check out our integration with VS Code and embed security across the DevOps lifecycle and add one of our runtime integrations with AWS, Azure, or GCP.