In this blog post we’ll cover how to implement Docker Scanning for Jenkins with the Sysdig Secure Jenkins plugin. The plugin can be used in both freestyle and pipeline jobs to scan images and fail the build if the image fails a policy evaluation.
The deployment model of containers has made it incredibly easy for organizations to adopt continuous delivery processes. However, all the efficiencies gained in packaging and building applications can’t be realized if the end result is unstable and insecure software. By prioritizing container security organizations can proactively address risk in applications before they are deployed in production, or even pushed into a registry.
Fail Fast: The Benefits of CI/CD Security
It’s always easier to fix issues when they’re not in production. By integrating Sysdig Secure into your CI/CD pipeline, whether with Jenkins or any other tool, you add a step that evaluates Docker images for security, compliance, and reliability before they are deployed to production.
Here are a couple of examples of things we’ve seen organizations want to know about images before they’re deployed into production.
Security
- Does the image have critical vulnerabilities with a fix?
- Are there secrets or credentials exposed in the image?
- Does this image have exposed ports that I’ve blacklisted?
Compliance
- What license types is the image using?
- Is this image built on a distribution our organization doesn’t use?
Reliability
- Does my image have health checks?
- Are my developers building large images that can impact our infrastructure?
- Are my developers using an unofficial version of Ruby, Node, Java, or Python packages?
Scanning Docker Images built with Jenkins
There are a couple of prerequisites to cover before scanning Docker images built within Jenkins.
- Have a SaaS or On-prem installation of Sysdig Secure
- Install the Sysdig Secure Jenkins Plugin
- Configure the plugin to integrate with Sysdig Secure (shown below)
Creating Docker Image Scanning Policies for Jenkins in Sysdig Secure
Once Sysdig Secure and Jenkins are integrated, it’s time to set up a policy to be used by the Jenkins plugin. Note: this step is optional; if no custom policy is configured, the plugin uses the default policy within Sysdig Secure.
Navigate to the Scanning Policies page within Sysdig Secure and click on Add Policy to get started. You can easily configure rules that map to the security, compliance, and reliability use cases listed above, plus many more.
The last step of creating a rule is to assign an action of Warn or Stop. The Stop action can be used to fail a build and prevent the image from moving into production.
Scanning Docker Images as part of the CI/CD Pipeline with Jenkins
Once you’ve set up a policy it’s time to integrate that policy evaluation into an existing build process within Jenkins. Full documentation can be seen in the Sysdig Secure Jenkins Plugin documentation.
First, add the additional build step Sysdig Secure Container Image Scanner:
Then you’ll have options to define which policy you’d like this job to reference and whether or not to fail the build on a failed policy evaluation (that is, if the evaluation produced any Stop actions).
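To make the fail-on-stop decision concrete, here is an added Python example (not the plugin’s own code): it takes a policy evaluation result, counts Warn and Stop actions per rule, and returns the build verdict that the "fail build" option controls. The JSON field names and the sample evaluation are constructed assumptions for this example, not the Sysdig Secure report format.

```python
"""Build gate over an image policy evaluation (added example, not the plugin's code)."""
import json
import sys
from collections import Counter

# Constructed sample evaluation. The field names are an assumption made for
# this example and do not describe the Sysdig Secure report format.
SAMPLE_EVALUATION = json.dumps({
    "image": "registry.example.com/app:1.4.2",
    "policy": "jenkins-ci-policy",
    "results": [
        {"gate": "vulnerabilities", "check": "critical-with-fix", "action": "stop",
         "detail": "CVE-XXXX-XXXX (placeholder) in openssl, fix available"},
        {"gate": "secrets", "check": "aws-credentials", "action": "stop",
         "detail": "/root/.aws/credentials present in image layer"},
        {"gate": "dockerfile", "check": "healthcheck", "action": "warn",
         "detail": "no HEALTHCHECK instruction"},
        {"gate": "dockerfile", "check": "exposed-ports", "action": "warn",
         "detail": "EXPOSE 22 matches blacklisted port"},
    ],
})


def summarize(evaluation_json):
    """Return (counts_by_action, findings) for one policy evaluation document."""
    doc = json.loads(evaluation_json)
    findings = doc.get("results", [])
    counts = Counter(f["action"] for f in findings)
    return counts, findings


def build_should_fail(evaluation_json, fail_on_stop=True):
    """Mirror the job option: fail only when the policy produced at least one
    'stop' action and the job is configured to fail on a failed evaluation."""
    counts, _ = summarize(evaluation_json)
    return bool(fail_on_stop and counts.get("stop", 0) > 0)


def report(evaluation_json):
    """Render the Warn/Stop breakdown a build log would show."""
    counts, findings = summarize(evaluation_json)
    lines = [f"stop: {counts.get('stop', 0)}  warn: {counts.get('warn', 0)}"]
    for f in findings:
        lines.append(f"[{f['action'].upper()}] {f['gate']}/{f['check']}: {f['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVALUATION))
    # A non-zero exit status is what makes a Jenkins shell step fail the build.
    sys.exit(1 if build_should_fail(SAMPLE_EVALUATION) else 0)
```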
Reporting on Docker Image Risk and Compliance within Jenkins
After the next build an additional Sysdig Secure Report artifact will now be available in Jenkins.
By clicking into the Sysdig Secure Report you’ll get a summary of the policy evaluation, broken down by the Stop and Warn actions the policy generated.
To dive further into a report about the specific vulnerabilities of an image click on the Security tab and a page specific to vulnerabilities will open.
Read more here about our container and Kubernetes compliance solutions.
Tying it all together
All this data is also sent to the Sysdig Secure UI, where you can get further details about the image: OS package information, configuration files, discovered vulnerabilities, any possible leaked secrets or credentials, and a view into whether and where this image is currently running in your environment.
It’s also worth noting that everything shown here can be accomplished directly via the API, so if you’re using other CI/CD tools besides Jenkins, integrating with those is just as straightforward.
If you’d like to learn more about how Sysdig Secure can integrate with your CI/CD to help manage risk, compliance, and reliability check out this How to manage vulnerabilities in container environments online session.