Jenkins
This guide walks you through setting up Endura pipeline security for Jenkins. You will learn how to install the Runtime Sensor on Jenkins controller and agent hosts, configure the Jenkins integration for automatic pipeline discovery, instrument your Jenkins pipelines to use the Sensor, and apply security policies to your pipelines.
Prerequisites
Before proceeding, ensure you have:
- Team Server installed and running with valid credentials for accessing the web interface. If you have not deployed Team Server yet, see the Team Server documentation for deployment options.
- Administrative access to your Jenkins instance for creating API tokens and configuring pipelines.
- Root or sudo access to the Jenkins controller and agent hosts (for installing the Runtime Sensor).
Configure the Jenkins Integration
The Jenkins integration enables Team Server to discover and ingest your Jenkins jobs as pipelines. This section covers creating a Jenkins API token and configuring the integration in Team Server.
Create a Jenkins API Token
Jenkins API tokens, paired with a username, allow Team Server to authenticate with the Jenkins API to discover jobs and builds.
Use a Dedicated Service Account
For production deployments, create a dedicated service account in Jenkins specifically for the Team Server integration rather than using a personal administrator account. This service account should have:
- Read-only access (Overall/Read and Job/Read) to the jobs you want to monitor
- No write permissions (Team Server only queries the API; it does not modify Jenkins resources)
- A clear naming convention (e.g.,
svc-endura-teamserver)
Using a service account improves security, simplifies auditing, and ensures the integration continues working when individual team members leave the organization.
Setup Instructions:
- Log in to Jenkins as the account that will own the integration token
- Click your username in the top-right corner, then click Configure (or go to Manage Jenkins > Users > select the user > Configure)
- In the API Token section, click Add new Token
- Enter a descriptive name (e.g., “Endura Team Server”) and click Generate
- Copy the token value immediately; it will not be shown again
- Note the username associated with this account; you will need both the username and token for the integration
Store the Token Securely
The token value is displayed only once upon creation. Copy it immediately and store it in a secure location such as a password manager or secrets vault. If you lose the token, you will need to create a new one.
Add the Integration in Team Server
With the Jenkins username and API token ready, configure the integration in Team Server.
Setup Instructions:
- Log in to Team Server
- Click Integrations in the main navigation menu
- Click Jenkins under the Discover sub-navigation menu
- Click Get Started (if no Jenkins integration exists) or Create (if you already have one or more Jenkins integrations configured)
- Configure the integration:
- URL: Enter the base URL of your Jenkins instance (e.g.,
https://jenkins.example.com) - Username: Enter the username of the account that owns the API token
- Token: Paste the API token you created in Jenkins
- URL: Enter the base URL of your Jenkins instance (e.g.,
- Click Test to verify the connection to your Jenkins instance
- If the test succeeds, click Save to create the integration
Username and Token
Unlike token-only integrations, Jenkins authenticates with HTTP basic authentication, which requires both the username and the API token. Make sure the username matches the account for which the token was generated.
Troubleshooting Connection Issues
If the connection test fails, check the following:
- Verify the Jenkins URL is correct and accessible from the Team Server host
- Confirm the username and API token are correct and the token has not been revoked
- Confirm the account has read access to the jobs you want to monitor
- Check for any network restrictions or firewalls between Team Server and Jenkins
- Review error messages displayed as toast notifications
- Examine the Application Logs under Administration in the main navigation for detailed error information
Once the integration is created, Team Server immediately begins discovering and ingesting all Jenkins jobs as pipelines. View the discovered pipelines by clicking Pipelines in the main navigation menu.
Multiple Jenkins Instances
If your organization operates multiple Jenkins controllers (e.g., separate instances for different teams, environments, or regions), create a separate integration for each controller. Repeat the API token creation and integration setup process for each Jenkins instance. All discovered pipelines from all instances will appear in the unified Pipelines view in Team Server.
Enable Scheduled Discovery
The initial integration setup performs a one-time discovery of Jenkins jobs. To automatically discover new jobs and builds on an ongoing basis, configure the scheduled discovery jobs in your Team Server configuration.
Add the discover_jenkins_pipelines and discover_jenkins_builds jobs to the scheduler section of your Team Server configuration file (config/production.yaml):
scheduler:
jobs:
discover_jenkins_pipelines:
run: "discover_jenkins_pipelines"
schedule: "0 0 * * * * *"
discover_jenkins_builds:
run: "discover_jenkins_builds"
schedule: "0 */15 * * * * *"The schedule field uses a 7-field cron format: second minute hour day month day-of-week year. The examples above run pipeline discovery every hour and build discovery every 15 minutes.
A complete scheduler configuration including the Jenkins discovery jobs alongside the required Team Server jobs:
scheduler:
output: stdout
jobs:
discover_jenkins_pipelines:
run: "discover_jenkins_pipelines"
schedule: "0 0 * * * * *"
discover_jenkins_builds:
run: "discover_jenkins_builds"
schedule: "0 */15 * * * * *"
calculate_statistics:
run: "calculate_statistics"
schedule: "0 0 5 * * * *"
update_status:
run: "update_status"
schedule: "0 */5 * * * * *"| Job | Purpose |
|---|---|
discover_jenkins_pipelines | Discovers new Jenkins jobs and ingests them as pipelines |
discover_jenkins_builds | Discovers new builds from configured Jenkins integrations |
calculate_statistics | Computes security metrics for dashboards (required) |
update_status | Refreshes status for monitored resources (required) |
After updating the configuration, restart Team Server for the changes to take effect. For restart procedures specific to your deployment method, see:
For additional configuration details, see the Team Server Configuration Guide.
Install the Runtime Sensor
The Runtime Sensor must be installed on the same hosts where your Jenkins builds run. The Sensor monitors build execution and enforces security policies at runtime.
Installation Overview
Install the Runtime Sensor on every host that executes build work: the Jenkins controller (if it runs builds) and all agents:
- Identify the Jenkins controller and all agent hosts that execute the jobs you want to monitor
- Install the appropriate Runtime Sensor package for each host’s Linux distribution
- Configure the Sensor to communicate with Team Server
For detailed installation instructions specific to your Linux distribution, see the Runtime Sensor documentation.
Protect Sensor Credentials
Each host stores its ENDURA_LICENSE_KEY and ENDURA_SENSOR_TOKEN in the Sensor’s environment file (/opt/endura/sensor/environ), configured during installation. Restrict this file to the Sensor’s service account, keep it out of source control, and distribute it through your secrets management or configuration management tooling rather than as plaintext in build configuration. For the complete list of environment variables the Sensor supports, see the Runtime Sensor Configuration reference.
Sensor Deployment Best Practices
- Install the Sensor on all agent hosts (and the controller if it runs builds) to ensure consistent policy enforcement across your build infrastructure
- Use configuration management tools (Ansible, Puppet, Chef) for deploying the Sensor at scale
- Verify network connectivity from each host to Team Server on port 443
Agents and Labels
Jenkins distributes build work across agents (also called nodes), and uses labels to control which agents run which jobs. When deploying the Runtime Sensor:
- Identify the agents (and their labels) that run jobs you want to monitor
- Install the Sensor on every agent host that executes those builds
- Ensure your pipelines target labeled agents that have the Sensor installed (using
agent { label '...' }in your Jenkinsfile)
For dynamic or cloud-provisioned agents (e.g., Kubernetes, EC2, or Docker agents), bake Sensor installation into the agent image or provisioning configuration so new agents automatically receive the Sensor.
Configure Jenkins Pipelines
With the integration configured and the Runtime Sensor installed, you need to instrument your Jenkins pipelines to communicate with the Sensor. The recommended approach uses a declarative Jenkinsfile with a dedicated start stage and a post block that always stops the Endura job.
Instrument a Declarative Pipeline
Add a stage that starts the Endura job before your build stages and a post { always { ... } } block that stops it afterward, even if a preceding stage fails.
The following example shows a Jenkinsfile instrumented for Endura:
pipeline {
agent { label 'endura' } // target an agent with the Sensor installed
environment {
BUILD_BRANCH = "${env.BRANCH_NAME}"
}
stages {
stage('Start Endura Job') {
steps {
sh 'endura job start'
}
}
// ... your existing build stages ...
stage('Build') {
steps {
sh 'make build'
}
}
}
post {
always {
sh 'endura job stop'
}
}
}Key points:
- The
agentdirective must target an agent (by label) that has the Sensor installed. - The
environmentblock maps the branch name intoBUILD_BRANCH. For multibranch pipelines,env.BRANCH_NAMEholds the branch; for other jobs, useenv.GIT_BRANCH. - The Start Endura Job stage must be the first stage.
- The
post { always { ... } }block runsendura job stopafter the pipeline finishes, whether it succeeds or fails.
Trigger Metadata Is Captured Automatically
Team Server determines the triggering user and trigger reason for Jenkins builds from the build’s causes via the Jenkins API, so BUILD_TRIGGER_REASON and BUILD_TRIGGERED_BY are not required in the Jenkinsfile. Mapping BUILD_BRANCH enriches the branch metadata, which Jenkins does not otherwise expose to Team Server.
Always Run the Stop Step
The post { always { ... } } block is critical. It ensures the Sensor receives the stop signal even when build stages fail or the pipeline is aborted, allowing proper cleanup and policy evaluation.
Freestyle Jobs
For freestyle jobs, add an Execute shell build step running endura job start as the first build step. Because freestyle jobs do not have a native “always run” post step, declarative pipelines are recommended for reliable stop handling. If you must use freestyle jobs, use a plugin such as Post build task to run endura job stop regardless of build result.
Verify the Configuration
Run a build to verify your configuration is working correctly.
Setup Instructions:
- Trigger a build of your pipeline in Jenkins
- Wait for the build to complete
- Log in to Team Server
- Click Pipelines in the main navigation menu
- Locate your Jenkins job in the pipeline list
- Click the Edit (pencil icon) button for the pipeline
- Click the Builds tab
- Verify that a new build entry appears for the build you just triggered
If the build appears in Team Server, your configuration is working correctly. Proceed to create and assign security policies.
Standardize Pipelines with Shared Libraries
For organizations managing many pipelines, adding the Endura stages to every Jenkinsfile individually does not scale. Jenkins Shared Libraries let you define reusable pipeline logic in a central repository and apply it across all pipelines.
Define a custom step in your shared library that wraps build work with the Endura start and stop commands. Create vars/enduraJob.groovy in your library repository:
// vars/enduraJob.groovy
def call(Closure body) {
try {
sh 'endura job start'
body()
} finally {
sh 'endura job stop'
}
}Pipelines then wrap their build steps with the enduraJob step:
pipeline {
agent { label 'endura' }
environment {
BUILD_BRANCH = "${env.BRANCH_NAME}"
}
stages {
stage('Build') {
steps {
enduraJob {
sh 'make build'
}
}
}
}
}Setup Instructions:
- Create a repository for your shared library containing
vars/enduraJob.groovy - In Jenkins, navigate to Manage Jenkins > System
- Under Global Pipeline Libraries, click Add and configure the library (name, default version, and source repository)
- Enable Load implicitly so the library is automatically available to all pipelines without an explicit
@Libraryannotation - Save the configuration
With the library loaded implicitly, every pipeline can use the enduraJob wrapper, and updates to the library propagate to all pipelines automatically.
Container-Based Builds
Jenkins can run build stages inside Docker containers using the docker agent. When using container-based builds, the Sensor configuration requires additional steps since the container does not have the Sensor pre-installed.
Requirements for Container Builds
For container-based builds to work with Endura:
- The Runtime Sensor must be installed on the agent host (the machine running the Jenkins agent and Docker daemon)
- The Sensor socket must be mounted into the build container to enable communication between the containerized build and the host Sensor
- The Endura CLI must be installed inside the container at the start of each build
Configure the Container Socket Mount and CLI Install
Mount the Sensor’s communication socket using the args of the docker agent, and install the Endura CLI inside the container before signaling the job start:
pipeline {
agent {
docker {
image 'node:20'
args '-v /run/endura/sensor.sock:/run/endura/sensor.sock'
}
}
environment {
BUILD_BRANCH = "${env.BRANCH_NAME}"
}
stages {
stage('Start Endura Job') {
steps {
sh 'curl -sSf https://repo.endurasecurity.com/install/endura-sensor/testing.sh | sh'
sh 'endura job start'
}
}
// ... your existing build stages ...
}
post {
always {
sh 'endura job stop'
}
}
}The installation script downloads and installs the Endura CLI, which then communicates with the Runtime Sensor on the host via the mounted socket.
Socket Mount is Required
Without the /run/endura/sensor.sock mount, the endura job start and endura job stop commands will fail to communicate with the Runtime Sensor. The Sensor runs on the agent host, not inside the container; the socket mount bridges this gap.
Downstream and Multibranch Pipelines
Jenkins pipelines can trigger downstream jobs, and multibranch pipelines run a separate pipeline per branch. Each pipeline runs independently. When instrumenting these with Endura:
- Instrument each pipeline (or use the shared library
enduraJobwrapper) that performs build work - Each pipeline operates independently from Endura’s perspective and can have its own security policy
- Create separate policies for jobs that perform different types of work (e.g., build vs. test vs. deploy)
- When deriving policies, run the full set of jobs so that each is exercised
Create and Assign Security Policies
With your builds reporting to Team Server, you can now create security policies tailored to your pipeline’s behavior. Endura’s derive mode makes this process straightforward by automatically generating a policy based on observed runtime behavior.
Understand Policy Modes
Security policies operate in one of three modes:
| Mode | Behavior |
|---|---|
derive | Monitor pipeline behavior and generate a baseline policy (initial setup) |
observe | Log policy violations without taking action (testing/refinement) |
enforce | Block unauthorized operations and fail builds on violations (production) |
The recommended workflow is: derive → observe → enforce.
Derive a Baseline Policy
When the Runtime Sensor runs without an assigned policy (or with a policy in derive mode), it monitors all runtime behavior and outputs a derived policy when the build completes.
Setup Instructions:
- Run a build in Jenkins that exercises your pipeline’s typical behavior
- Open the completed build in Jenkins and click Console Output
- Locate the output where
endura job stopran (thepostblock, or the end of theenduraJobwrapper) - Look for the text
# ENDURA DERIVED POLICYin the logs - Copy the entire policy that follows this marker; this is your baseline policy derived from actual runtime behavior
The derived policy contains rules based on what your pipeline actually did during execution: processes spawned, files accessed, network connections made, and more.
Create the Policy in Team Server
With the derived policy copied, create a formal policy in Team Server.
Setup Instructions:
- Log in to Team Server
- Click Policies in the main navigation menu
- Click the Create button
- Fill in the policy details:
- Name: Enter a descriptive name (e.g., “Jenkins - MyJob Build Policy”)
- Description: Enter a brief description (e.g., “Security policy for the MyJob CI/CD pipeline”)
- Version: Enter
1.0 - Policy: Paste the derived policy you copied from the Jenkins console output
- Review the policy and make any necessary adjustments (see the section below on refining policies)
- Change the mode from
derivetoobserve - Click Create
Assign the Policy to Your Pipeline
Link the policy to your Jenkins pipeline so the Sensor enforces it during builds.
Setup Instructions:
- In Team Server, navigate to Policies in the main navigation menu
- Locate your policy in the policy list
- Click the Assign Policy button (link icon) in the Actions column
- Search for your Jenkins job by name
- Select the pipeline by clicking its checkbox
- Click Assign to 1 Pipeline (or the appropriate count if assigning to multiple pipelines)
Refine the Policy
Derived policies capture exact behavior, which may be overly specific. Before moving to enforce mode, review and refine the policy:
Common refinements:
- Consolidate file paths: If a process writes many files to a directory (e.g.,
/home/user/workspace/build/), replace individual file entries with a directory pattern using wildcards - Remove ephemeral paths: Build artifacts in temporary directories may have unique names per build. Use patterns like
/tmp/*instead of specific paths - Group similar operations: Multiple similar rules can often be consolidated into more general patterns
- Remove redundant entries: The derived policy may include duplicate or overlapping rules
Testing in observe mode:
- Run several builds with the policy in observe mode
- After each build, check for violations in Team Server:
- Navigate to Pipelines and select your Jenkins job
- Click Edit (pencil icon)
- Click the Builds tab and select the latest build
- Click Violations to see any policy violations
- For each violation, determine whether it represents:
- Legitimate behavior: Update the policy to allow it
- Unexpected behavior: Investigate the cause before deciding
- Iterate until builds complete without unexpected violations
Enable Policy Enforcement
Once your policy is refined and builds run cleanly in observe mode, enable enforcement.
Setup Instructions:
- In Team Server, click Policies in the main navigation menu
- Locate your Jenkins policy
- Click the Edit Policy (pencil icon) button
- Update the policy:
- Change Version from
1.0to1.1(or your next version number) - Change mode from
observetoenforce
- Change Version from
- Click Save
- Enter a description of your change when prompted (e.g., “Enabled enforcement after observe mode testing”). Team Server maintains policy version history for audit purposes
- Click Save to confirm
Enforcement Behavior
With the policy in enforce mode, the Runtime Sensor will block unauthorized operations and fail builds when violations occur. Ensure you have thoroughly tested your policy in observe mode before enabling enforcement.
When a violation occurs in enforce mode:
- The Sensor takes immediate action (blocks the operation or terminates the offending process)
- The Jenkins build fails
- Violation details are reported to Team Server for review
- Notifications are sent via configured channels (e.g., Slack)
Next Steps
With Jenkins pipeline security configured, consider the following:
- Configure additional pipelines: Apply the same process to other Jenkins jobs and pipelines
- Explore policy capabilities: See the Security Policies documentation for detailed information on policy syntax, advanced rules, and best practices
- Set up notifications: Configure Slack integration to receive real-time alerts on policy violations
- Review audit history: Use Team Server’s policy version history to track changes and maintain compliance documentation