Administration Guide

Legacy Jenkins integration

This topic is part of the legacy IaC offering, which will reach end of support and be deprecated by the end of 2025. See Navigating the Infrastructure-as-Code security pages and Infrastructure-as-Code Security for more information on the active IaC offerings.

Beta feature: CI/CD support for Jenkins is currently in beta for select FortiCNAPP customers. Contact your FortiCNAPP representative for more information.

Managing FortiCNAPP API credentials with Jenkins

There are a variety of ways to manage credentials in Jenkins. For more information, go to the Jenkins Documentation.

Collecting LW_API_KEY and LW_API_SECRET

To integrate with Jenkins, you must first collect your LW_API_KEY and LW_API_SECRET.

To view this information:
  1. Log in to the FortiCNAPP console.
  2. Click Settings > API keys.
  3. Select or create an API key.
  4. Click the download icon.
  5. Open the downloaded .json file to view your API Key and Secret.

Adding LW_API_KEY and LW_API_SECRET as credentials

The following set of instructions adds and configures global credentials in your Jenkins environment. Before implementing these credentials, check with your Jenkins administrator to verify that this is your organization's method of configuration.

The following instructions are an example. Follow your organization’s credential management when implementing the procedure.

You must have Credentials > Create permission in your Jenkins organization. This role is configured by a user with Administer permission.

Creating new credentials

To add new credentials:
  1. Log in to Jenkins.
  2. Go to Manage Jenkins.
  3. Click Manage Credentials.
  4. Click Jenkins under Stores scoped to Jenkins.
  5. Click Global credentials (unrestricted) under System.
  6. Click Add credentials. Note: this may appear as add some credentials.

Then, add LW_API_KEY and LW_API_SECRET as “Secret text” credentials. For each credential:

  1. In the Kind dropdown, select Secret text.
  2. In the Scope dropdown, select Global.
  3. Paste your secret in the Secret field.
  4. In the ID field, enter LW_API_KEY or LW_API_SECRET.
  5. Describe the credential.
  6. Click Create.

Add Secret Credential in Jenkins

Adding the credentials to your job configuration

Once you have added LW_API_KEY and LW_API_SECRET as secret text credentials, you must add them to your job configuration.

To add the credentials:
  1. Open your Jenkins job configuration.
  2. Go to the Build environment section.
  3. Select Use secret text(s) or file(s).
  4. Under Bindings, click Add.

For each credential,

  1. In the Variable field, enter the Variable name (for example, LW_API_KEY).
  2. In the Credentials dropdown, select the credential that corresponds with the named variable.
  3. Click Save.

Add credentials to your Jenkins job configuration

Using the lacework/codesec-iac image for IaC scanning

Preparing an env.list file

The lacework/codesec-iac image runs in Docker, but it relies on a number of environment variables being passed to it by Jenkins. This can be achieved by creating an env.list file in the workspace with the required variables and then having Docker use that for its environment.

The following script can be used:

#!/bin/bash
## Provide Lacework credentials (the values come from the Jenkins "Secret text" bindings)
echo "LW_ACCOUNT=AcmeCorporation" > env.list
echo "LW_API_KEY=${LW_API_KEY}" >> env.list
echo "LW_API_SECRET=${LW_API_SECRET}" >> env.list
echo "SCAN_COMMAND=tf-scan" >> env.list
echo "WORKSPACE=src" >> env.list
## Provide Jenkins build details (grep -E: the \| alternation in basic regex is a GNU grep extension)
env | grep -E '^(BRANCH_|CHANGE_|TAG_|BUILD_|JOB_|JENKINS_|GIT_)' >> env.list

The #!/bin/bash declaration at the top of the script ensures that the commands are interpreted by bash. Don't leave it out! Note that env.list now holds the API key and secret in plaintext: delete it when the scan finishes, and do not archive it as a build artifact.

Invoking Docker

You can then invoke Docker in your Jenkins job with usage such as:

docker run --env-file env.list -v "$(pwd):/app/src" lacework/codesec-iac:stable

Defining an unstable result

To have your job reach an “unstable” result, you can add an entry for EXIT_FLAG that defines your threshold for IaC violations in the env.list file.

For example, to treat 2 violations of at least High severity as a problem, set the variable as:

echo "EXIT_FLAG=High=2" >> env.list

Then, in your job configuration, set the Execute shell step's "Exit code to set build unstable" option (under Advanced) to 2, so that the scanner's exit status 2 marks the build unstable rather than failed.

Add an exit code for the build to indicate instability
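The following is an added example, not code from the page or from FortiCNAPP/Lacework. It combines the env.list preparation, the Docker invocation and the exit code handling above into one Execute shell script. It assumes the image exits with status 2 when the EXIT_FLAG threshold is reached (as the text describes), uses AcmeCorporation as a placeholder account name, and the function names write_env_list, result_for_exit and run_scan are its own. Beyond the page's script it refuses to run without the two bound secrets, creates env.list readable only by the agent user, and removes it after the scan so the credentials are not left in the workspace.

```bash
#!/bin/bash
# Added example (not FortiCNAPP/Lacework code): one Execute shell script that
# builds env.list, runs the scanner and maps its exit status to a build result.
# Assumptions: the image exits with 2 when the EXIT_FLAG threshold is reached,
# and AcmeCorporation is a placeholder for your own LW_ACCOUNT.

# Write the scanner environment file. The secrets come from the Jenkins
# "Secret text" bindings; refuse to run without them instead of writing
# empty values. umask 077 keeps env.list readable only by the agent user.
write_env_list() {
    if [ -z "${LW_API_KEY:-}" ] || [ -z "${LW_API_SECRET:-}" ]; then
        echo "LW_API_KEY and LW_API_SECRET must be bound to this job" >&2
        return 1
    fi
    (
        umask 077
        {
            echo "LW_ACCOUNT=${LW_ACCOUNT:-AcmeCorporation}"
            echo "LW_API_KEY=${LW_API_KEY}"
            echo "LW_API_SECRET=${LW_API_SECRET}"
            echo "SCAN_COMMAND=${SCAN_COMMAND:-tf-scan}"
            echo "WORKSPACE=src"
            echo "EXIT_FLAG=${EXIT_FLAG:-High=2}"
            # Jenkins build metadata; grep -E so it is not GNU-grep specific.
            # "|| true" keeps a build with none of these variables from failing.
            env | grep -E '^(BRANCH_|CHANGE_|TAG_|BUILD_|JOB_|JENKINS_|GIT_)' || true
        } > "$1"
    )
}

# Map the scanner's exit status to the Jenkins result it should produce:
# 0 -> SUCCESS, 2 -> UNSTABLE (EXIT_FLAG threshold reached), else FAILURE.
result_for_exit() {
    case "$1" in
        0) echo SUCCESS ;;
        2) echo UNSTABLE ;;
        *) echo FAILURE ;;
    esac
}

# Run the scan, then remove env.list so the API key and secret are not left
# in the workspace or swept up by an "archive artifacts" step.
run_scan() {
    write_env_list env.list || return 1
    docker run --rm --env-file env.list -v "$(pwd):/app/src" lacework/codesec-iac:stable
    rc=$?
    rm -f env.list
    return "$rc"
}

# Only start a scan when invoked as "bash iac_scan.sh scan"; the functions can
# otherwise be sourced (for example by a test) without touching Docker.
if [ "${1:-}" = "scan" ]; then
    run_scan
    rc=$?
    echo "scanner exit status $rc -> build result $(result_for_exit "$rc")"
    exit "$rc"
fi
```

Save it in the repository (iac_scan.sh is an assumed name), call bash iac_scan.sh scan from the job's Execute shell step with LW_API_KEY and LW_API_SECRET bound as described above, and set that step's "Exit code to set build unstable" to 2. In a Pipeline job the same two bindings are expressed as withCredentials([string(credentialsId: 'LW_API_KEY', variable: 'LW_API_KEY'), string(credentialsId: 'LW_API_SECRET', variable: 'LW_API_SECRET')]) { sh 'bash iac_scan.sh scan' }.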

Available commands

For available commands, refer to Integrate with a CI/CD pipeline.
