Update Jenkins example
ramanan-ravi committed Dec 24, 2024
1 parent db20454 commit f953fd6
Showing 3 changed files with 54 additions and 55 deletions.
69 changes: 14 additions & 55 deletions ci-cd-integrations/jenkins/README.md
@@ -1,58 +1,17 @@
# Jenkins example for Deepfence Vulnerability Mapper
# Jenkins example

This project demonstrates using Deepfence Vulnerability Mapper in Jenkins build pipeline.
After customer's image is built, Deepfence Vulnerability Mapper is run on the image and results are sent to Deepfence management console for further analysis.
There is also an option to fail the build in case number of vulnerabilities crosses given limit.
### Vulnerability Scan

| Variable | Description |
|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| def deepfence_mgmt_console_url = '' | Deepfence management console url |
| def deepfence_key = "" | API key can be found on settings page of the deepfence |
| def fail_cve_count = 100 | Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities. |
| def fail_critical_cve_count = 1 | Fail jenkins build if number of critical vulnerabilities found is >= this number. Set -1 to pass regardless of critical vulnerabilities. |
| def fail_high_cve_count = 5 | Fail jenkins build if number of high vulnerabilities found is >= this number. Set -1 to pass regardless of high vulnerabilities. |
| def fail_medium_cve_count = 10 | Fail jenkins build if number of medium vulnerabilities found is >= this number. Set -1 to pass regardless of medium vulnerabilities. |
| def fail_low_cve_count = 20 | Fail jenkins build if number of low vulnerabilities found is >= this number. Set -1 to pass regardless of low vulnerabilities. |
| def fail_cve_score = 8 | Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. |
| def mask_cve_ids = "" | Comma separated. Example: "CVE-2019-9168,CVE-2019-9169" |
| def deepfence_license = "" | ThreatMapper or ThreatStryker |
| def deepfence_product = "" | ThreatMapper or ThreatStryker license key |
Please refer the following files
- vulnerabilities_scripted_pipeline.Jenkinsfile
- vulnerabilities_declarative_pipeline.Jenkinsfile

## Steps
- Ensure `quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2` image is present in the vm where jenkins is installed.
```shell script
docker pull quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2
```
### Scripted Pipeline
```
stage('Run Deepfence Vulnerability Mapper'){
DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2")
try {
c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock", "-deepfence-key=${deepfence_key} -vulnerability-scan=true -output=table -mode=local -mgmt-console-url=${deepfence_mgmt_console_url} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'")
sh "docker logs -f ${c.id}"
def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true
sh "exit ${out}"
} finally {
c.stop()
}
}
```
### Declarative Pipeline
```
stage('Run Deepfence Vulnerability Mapper'){
steps {
script {
DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2")
try {
c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock", "-deepfence-key=${deepfence_key} -vulnerability-scan=true -output=table -mode=local -mgmt-console-url=${deepfence_mgmt_console_url} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'")
sh "docker logs -f ${c.id}"
def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true
sh "exit ${out}"
} finally {
c.stop()
}
}
}
}
```
- Set `deepfence_mgmt_console_url`, `fail_cve_count` variables in Jenkinsfile
### Secret Scan

Please refer the following file
- secrets.Jenkinsfile

### Malware Scan

Please refer the following file
- malwares.Jenkinsfile
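Review bot: the rewritten README drops the variable table, the `docker pull quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2` prerequisite and both pipeline snippets without telling the reader where the settings now live; the `Please refer the following files` lines should at least say that `deepfence_mgmt_console_url`, `deepfence_key`, `deepfence_product`, `deepfence_license` and the `fail_*` thresholds are set at the top of each Jenkinsfile, and that the scanner image version is pinned there. While the table is going away, the two rows `def deepfence_license = "" | ThreatMapper or ThreatStryker` and `def deepfence_product = "" | ThreatMapper or ThreatStryker license key` have their descriptions swapped relative to the variable names, and the same wording is carried into the new Jenkinsfile, so fix it there rather than let it propagate. The removed scripted snippet also documented the old flag set (`-mgmt-console-url`, `-vulnerability-scan=true`, `-output=table`, `-mode=local`); the new Jenkinsfile uses `-console-url`, `-product` and `-license` instead, and nothing in the README now records that change.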
@@ -0,0 +1,40 @@
node {
def app
def full_image_name = 'deepfenceio/jenkins-example:latest'
def deepfence_mgmt_console_url = '127.0.0.1' // URL address of Deepfence management console Note - Please do not mention port
def fail_cve_count = 100 // Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities.
def fail_critical_cve_count = 1 // Fail jenkins build if number of critical vulnerabilities found is >= this number. Set -1 to pass regardless of critical vulnerabilities.
def fail_high_cve_count = 5 // Fail jenkins build if number of high vulnerabilities found is >= this number. Set -1 to pass regardless of high vulnerabilities.
def fail_medium_cve_count = 10 // Fail jenkins build if number of medium vulnerabilities found is >= this number. Set -1 to pass regardless of medium vulnerabilities.
def fail_low_cve_count = 20 // Fail jenkins build if number of low vulnerabilities found is >= this number. Set -1 to pass regardless of low vulnerabilities.
def fail_cve_score = 8 // Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score.
def mask_cve_ids = "" // Comma separated. Example: "CVE-2019-9168,CVE-2019-9169"
def deepfence_key = "" // API key can be found on settings page of the deepfence
def deepfence_license = "" // ThreatMapper or ThreatStryker
def deepfence_product = "" // ThreatMapper or ThreatStryker license key

stage('Clone repository') {
checkout scm
}

stage('Build image') {
app = docker.build("${full_image_name}", "-f ci-cd-integrations/jenkins/Dockerfile .")
}

stage('Run Deepfence Vulnerability Mapper'){
steps {
script {
DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2")
try {
c = DeepfenceAgent.run("-it --net=host --privileged -v /var/run/docker.sock:/var/run/docker.sock:rw", "-deepfence-key=${deepfence_key} -console-url=${deepfence_mgmt_console_url} -product=${deepfence_product} -license=${deepfence_license} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'")
sh "docker logs -f ${c.id}"
def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true
sh "exit ${out}"
} finally {
c.stop()
}
}
}
}

}
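Review bot: the `Run Deepfence Vulnerability Mapper` stage sits inside a scripted `node { ... }` block but wraps its body in `steps { script { ... } }`, which are declarative-pipeline directives; in scripted syntax the stage body should be the `DeepfenceAgent = docker.image(...)` line and the `try { ... } finally { ... }` block directly (the form the README hunk above removes under "Scripted Pipeline"), otherwise the build fails because `steps` is not a step in scripted syntax and the scanner never runs. The run line also adds `--privileged` on top of the `-v /var/run/docker.sock:/var/run/docker.sock:rw` mount; the socket alone already gives the scanner container control of the Jenkins host's Docker daemon, and the previous README example ran without `--privileged`, so either document in a comment why the scanner needs it or drop it. `deepfence_key` and `deepfence_license` are literal strings in a committed Jenkinsfile; bind them from Jenkins credentials (for example `withCredentials`) rather than asking users to edit the file, and note that the comments on `deepfence_license` (`ThreatMapper or ThreatStryker`) and `deepfence_product` (`ThreatMapper or ThreatStryker license key`) appear swapped relative to `-product=${deepfence_product} -license=${deepfence_license}`. Finally, `c.stop()` in the `finally` block dereferences `c` even when `DeepfenceAgent.run(...)` throws before assigning it, so guard it with a null check.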
