Stay organized with collections
Save and categorize content based on your preferences.
You can use the Google Analyze Code Security plugin for
Jenkins to validate
the infrastructure as code (IaC) that is part of your Jenkins project.
Validating IaC lets you determine whether your Terraform resource definitions
violate the existing organization policies and
Security Health Analytics detectors that are applied to your Google Cloud resources.
In the Jenkins console, click Manage Jenkins > Manage Plugins.
In the Available tab, search for google-analyze-code-security.
Complete the installation steps.
Click Manage Jenkins > Configure System.
In the Google Analyze Code Security section, click Add credential.
In Organization ID, enter the organization ID for the Google Cloud
organization that includes the Terraform resources that you want to create or
modify.
In Security Command Center Credential, add the service account key.
Test the connection to verify the service account credentials.
In the Jenkins console, in your Jenkins freestyle project, go to the
Configuration page.
Click Source Code Management.
In Repository URL, enter the URL to the Terraform code that you created.
Click Build steps.
Add the following steps:
Initialize Terraform:
terraform init
Create a Terraform plan file.
terraform plan -out=TF_PLAN_FILE
Replace TF_PLAN_FILE with the name for the Terraform plan
file. For example, myplan.tfplan.
Convert your plan file into JSON format:
terraform show -no-color -json TF_PLAN_FILE > TF_PLAN_JSON_FILE
Replace TF_PLAN_JSON_FILE with the name for the Terraform
plan file, in JSON format. For example, mytfplan.json.
Add the plug-in to your Jenkins project
In the Jenkins console, in your Jenkins freestyle project, go to the
Configuration page.
In Build Steps, click Add build step > Perform Code Scan during
Build.
Enter your organization ID.
Provide the path to your Terraform plan file, in JSON format.
Optional: Set the build failure criteria. The failure criteria is based on
the number of critical, high, medium, and low severity issues that the IaC
validation scan encounters. You can specify how many issues of each severity
are permitted and how the issues are aggregated (either AND or
OR).
Click Fail on Asset Violation.
If you want the build to fail only if the count of issues from all
severity levels is reached, select AND. If you want the build to fail
if the count of issues from any severity level is reached, select OR.
For example, if you want the build to fail if it encounters one critical
issue or one high severity issue, set the aggregate value to OR.
Indicate the number of issues at the various severity levels that you want
to permit before the build fails.
If you don't want to specify a failure criteria, select Ignore Asset
Violation.
Click Save.
You can now run the build to validate your Terraform plan file.
View the IaC violation report
In the Jenkins console, click the most recent workflow for your build.
Click Status. The following HTML files are available as build artifacts:
If the plug-in ran, the violation report (GoogleAnalyzeCodeSecurity_ViolationSummary.html)
The report groups violations by severity. The violation section describes
which rule wasn't met and the asset ID from the Terraform plan that violated
the rule.
If the build failed, an error summary report
Resolve any violations within your Terraform code before applying it.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Integrate IaC validation with Jenkins\n\n| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))\n\nYou can use the [Google Analyze Code Security plugin for\nJenkins](https://plugins.jenkins.io/google-analyze-code-security/) to validate\nthe infrastructure as code (IaC) that is part of your Jenkins project.\nValidating IaC lets you determine whether your Terraform resource definitions\nviolate the existing organization policies and\nSecurity Health Analytics detectors that are applied to your Google Cloud resources.\n\nFor more information about IaC validation, see\n[Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).\n\nIaC validation only works with [Jenkins freestyle\nprojects](https://www.jenkins.io/doc/book/using/working-with-projects/).\n\nBefore you begin\n----------------\n\nComplete these tasks to get started with IaC validation with Jenkins.\n\n### Activate the Security Command Center Premium tier or Enterprise tier\n\nVerify that the\n[Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview)\nis activated at the organization level.\n\nActivating Security Command Center enables the `securityposture.googleapis.com` and\n`securitycentermanagement.googleapis.com` APIs.\n\n### Create a service account\n\nCreate a service account that you can use for the Google Analyze Code Security\nplugin for Jenkins.\n\n1.\n Create a service account:\n\n 1.\n In the Google Cloud console, go to the **Create service account** page.\n\n [Go to Create service account](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create?supportedpurview=project)\n 2. Select your project.\n 3.\n In the **Service account name** field, enter a name. The Google Cloud console fills\n in the **Service account ID** field based on this name.\n\n\n In the **Service account description** field, enter a description. For example,\n `Service account for quickstart`.\n 4. Click **Create and continue**.\n 5.\n Grant the **Security Posture Shift-Left Validator** role to the service account.\n\n\n To grant the role, find the **Select a role** list, then select\n **Security Posture Shift-Left Validator**.\n | **Note** : The **Role** field affects which resources the service account can access in your project. You can revoke these roles or grant additional roles later.\n 6. Click **Continue**.\n 7.\n Click **Done** to finish creating the service account.\n\n\n Do not close your browser window. You will use it in the next step.\n2.\n Create a service account key:\n\n 1. In the Google Cloud console, click the email address for the service account that you created.\n 2. Click **Keys**.\n 3. Click **Add key** , and then click **Create new key**.\n 4. Click **Create**. A JSON key file is downloaded to your computer.\n 5. Click **Close**.\n\n\u003cbr /\u003e\n\nFor more information about IaC validation permissions, see\n[IAM for organization-level\nactivations](/security-command-center/docs/access-control-org).\n\n### Define your policies\n\nDefine your\n[organization policies](/resource-manager/docs/organization-policy/creating-managing-policies)\nand\n[Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics).\nTo define these policies using a security posture, complete the tasks in\n[Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).\n\nInstall and configure the plug-in\n---------------------------------\n\n1. In the Jenkins console, click **Manage Jenkins** \\\u003e **Manage Plugins**.\n2. In the **Available** tab, search for **google-analyze-code-security**.\n3. Complete the installation steps.\n4. Click **Manage Jenkins** \\\u003e **Configure System**.\n5. In the **Google Analyze Code Security** section, click **Add credential**.\n6. In **Organization ID**, enter the organization ID for the Google Cloud organization that includes the Terraform resources that you want to create or modify.\n7. In **Security Command Center Credential**, add the service account key.\n8. Test the connection to verify the service account credentials.\n9. Click **Save**.\n\nCreate your Terraform plan JSON file\n------------------------------------\n\n1. Create your Terraform code. For instructions, see\n [Create your Terraform code](/security-command-center/docs/validate-iac#create_your_terraform_code).\n\n2. Install the [Terraform plugin for Jenkins](https://plugins.jenkins.io/terraform/).\n\n3. In the Jenkins console, in your Jenkins freestyle project, go to the\n **Configuration** page.\n\n4. Click **Source Code Management**.\n\n5. In **Repository URL**, enter the URL to the Terraform code that you created.\n\n6. Click **Build steps**.\n\n7. Add the following steps:\n\n 1. Initialize Terraform:\n\n terraform init\n\n 2. Create a Terraform plan file.\n\n terraform plan -out=\u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e with the name for the Terraform plan\n file. For example, `myplan.tfplan`.\n 3. Convert your plan file into JSON format:\n\n terraform show -no-color -json \u003cvar translate=\"no\"\u003eTF_PLAN_FILE\u003c/var\u003e \u003e \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILE\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eTF_PLAN_JSON_FILE\u003c/var\u003e with the name for the Terraform\n plan file, in JSON format. For example, `mytfplan.json`.\n\nAdd the plug-in to your Jenkins project\n---------------------------------------\n\n1. In the Jenkins console, in your Jenkins freestyle project, go to the **Configuration** page.\n2. In **Build Steps** , click **Add build step** \\\u003e **Perform Code Scan during\n Build**.\n3. Enter your organization ID.\n4. Provide the path to your Terraform plan file, in JSON format.\n5. Optional: Set the build failure criteria. The failure criteria is based on\n the number of critical, high, medium, and low severity issues that the IaC\n validation scan encounters. You can specify how many issues of each severity\n are permitted and how the issues are aggregated (either **AND** or\n **OR**).\n\n 1. Click **Fail on Asset Violation**.\n\n 2. If you want the build to fail only if the count of issues from all\n severity levels is reached, select **AND** . If you want the build to fail\n if the count of issues from any severity level is reached, select **OR** .\n For example, if you want the build to fail if it encounters one critical\n issue *or* one high severity issue, set the aggregate value to **OR**.\n\n 3. Indicate the number of issues at the various severity levels that you want\n to permit before the build fails.\n\n If you don't want to specify a failure criteria, select **Ignore Asset\n Violation**.\n6. Click **Save**.\n\nYou can now run the build to validate your Terraform plan file.\n\nView the IaC violation report\n-----------------------------\n\n1. In the Jenkins console, click the most recent workflow for your build.\n\n2. Click **Status**. The following HTML files are available as build artifacts:\n\n - If the plug-in ran, the violation report (`GoogleAnalyzeCodeSecurity_ViolationSummary.html`)\n\n The report groups violations by severity. The violation section describes\n which rule wasn't met and the asset ID from the Terraform plan that violated\n the rule.\n - If the build failed, an error summary report\n3. Resolve any violations within your Terraform code before applying it.\n\nWhat's next\n-----------\n\n- View the [Google Analyze Code Security plugin](https://plugins.jenkins.io/google-analyze-code-security/)."]]
