Cloud Infrastructure Testing
for Jenkins Pipeline Deployments

Get a smarter pipeline that catches critical cloud configuration and endpoint security issues on the spot.

Testing in your Jenkins pipeline should go beyond code-based tools like source code security scanning and unit testing frameworks. With CloudCoreo, you can extend testing to the post-deployment portion of your pipeline jobs.

CloudCoreo’s cloud infrastructure testing allows you to check anything that is based on a cloud API, or based on the inspection of an endpoint (like an instance, server, or container). Most tools that do similar checking use “over the top” audits that check every object in your cloud account without knowing anything about its CI/CD context, how it was provisioned, or whether it’s critical to the business. The result is a new silo between the cloud security team and the cloud application development team, both of which might be deploying DevOps technology, but are operating with different tools, contexts, and priorities.

CloudCoreo takes a different approach, performing cloud infrastructure checks at build time, by leveraging a Jenkins plugin that integrates directly into your existing pipeline.

When your pipeline executes, our transparent proxy captures traffic to supported cloud APIs, runs configured checks on the fly, and presents the results back to the pipeline. Just like any Jenkins build, results can then be used to send notifications, fail builds, or trigger rollbacks.

The result is a smarter pipeline, one that catches critical cloud configuration and endpoint security issues on the spot, immediately after the developer checks the vulnerability into a CloudFormation template, or triggers a build.

CloudCoreo’s checks enable a wide variety of pipeline tests, including…


  • Best Practice Checks, like “all AWS S3 buckets should have logging enabled”
  • Security Compliance, like “no AWS EC2 security group should allow unlimited SSH ingress”
  • Standards Enforcement, like “no cloud object in my application should violate any high severity CIS check”

CloudCoreo offers hundreds of pre-built checks out of the box, including AWS Best Practices, CIS AWS Foundations Benchmark, NIST 800-171, and more. Plus, since all our checks are code written in a source-based DSL, customization is easy. Any developer can add, delete, or modify existing checks, or write new ones, to build policies that are optimal for your organization and your application.

Since we run in the context of a pipeline build, policies that are application specific can also be written, allowing users to construct checks that cover the entire application stack, not just cloud infrastructure or OS-level endpoint checks.

The result is real-time visibility and enforcement of the checks that protect your applications and help you to work with your security team most effectively.


Just like any Jenkins build, results can then be used to send notifications, fail builds, or trigger rollbacks.


  • If any high severity check fails,
    fail the build and run a rollback script

  • If any medium severity check fails,
    notify the security team’s Slack channel

  • If the resources created by a build exceed a cost threshold,
    send an email alert to the application director

  • If a vulnerability is detected on an endpoint (e.g. the Heartbleed vulnerability),
    write a Jira ticket
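To make the check examples and the severity rules above concrete, here is an added sketch in Python; it is not CloudCoreo's DSL or plugin code. The sample data is constructed in the shape of the EC2 DescribeSecurityGroups and S3 GetBucketLogging responses, and the function names and the severity assigned to each check are assumptions.

```python
# Constructed sample data shaped like AWS API responses (not real resources).
SECURITY_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,  # range includes 22
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-any", "IpPermissions": [
        {"IpProtocol": "-1",  # all protocols: no FromPort/ToPort in the response
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
BUCKET_LOGGING = {
    "example-assets": {"LoggingEnabled": {"TargetBucket": "example-logs",
                                          "TargetPrefix": "assets/"}},
    "example-uploads": {},  # GetBucketLogging omits LoggingEnabled when off
}
# Severity-to-action mapping taken from the list above.
ACTIONS = {"high": "fail the build and run a rollback script",
           "medium": "notify the security team's Slack channel"}

def open_ssh_groups(groups):
    """IDs of security groups with a rule admitting port 22 from any address."""
    hits = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            covers_22 = proto == "-1" or (
                proto == "tcp"
                and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535))
            world = (any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                     or any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])))
            if covers_22 and world:
                hits.append(group["GroupId"])
                break  # one finding per group is enough
    return hits

def unlogged_buckets(logging_by_bucket):
    """Bucket names whose logging response has no LoggingEnabled element."""
    return sorted(b for b, resp in logging_by_bucket.items() if "LoggingEnabled" not in resp)

def evaluate(groups, logging_by_bucket):
    """Return (findings, build_failed); severities here are assumed, not CloudCoreo's."""
    findings = [("high", "ssh-open-to-world", g) for g in open_ssh_groups(groups)]
    findings += [("medium", "s3-logging-disabled", b) for b in unlogged_buckets(logging_by_bucket)]
    return findings, any(sev == "high" for sev, _, _ in findings)

if __name__ == "__main__":
    results, failed = evaluate(SECURITY_GROUPS, BUCKET_LOGGING)
    for sev, check, resource in results:
        print(f"{sev:6} {check:20} {resource:18} -> {ACTIONS[sev]}")
    raise SystemExit(1 if failed else 0)  # non-zero exit fails the pipeline step
```

Matching only a rule whose range is exactly 22-22 would miss the two groups flagged here, one through a wide port range and one through an all-protocols IPv6 rule.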