Commit f953fd6 (parent db20454)
Showing 3 changed files with 54 additions and 55 deletions.
@@ -1,58 +1,17 @@ | ||
# Jenkins example for Deepfence Vulnerability Mapper | ||
# Jenkins example | ||
|
||
This project demonstrates using Deepfence Vulnerability Mapper in Jenkins build pipeline. | ||
After customer's image is built, Deepfence Vulnerability Mapper is run on the image and results are sent to Deepfence management console for further analysis. | ||
There is also an option to fail the build in case number of vulnerabilities crosses given limit. | ||
### Vulnerability Scan | ||
|
||
| Variable | Description | | ||
|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------| | ||
| def deepfence_mgmt_console_url = '' | Deepfence management console url | | ||
| def deepfence_key = "" | API key can be found on settings page of the deepfence | | ||
| def fail_cve_count = 100 | Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities. | | ||
| def fail_critical_cve_count = 1 | Fail jenkins build if number of critical vulnerabilities found is >= this number. Set -1 to pass regardless of critical vulnerabilities. | | ||
| def fail_high_cve_count = 5 | Fail jenkins build if number of high vulnerabilities found is >= this number. Set -1 to pass regardless of high vulnerabilities. | | ||
| def fail_medium_cve_count = 10 | Fail jenkins build if number of medium vulnerabilities found is >= this number. Set -1 to pass regardless of medium vulnerabilities. | | ||
| def fail_low_cve_count = 20 | Fail jenkins build if number of low vulnerabilities found is >= this number. Set -1 to pass regardless of low vulnerabilities. | | ||
| def fail_cve_score = 8 | Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. | | ||
| def mask_cve_ids = "" | Comma separated. Example: "CVE-2019-9168,CVE-2019-9169" | | ||
| def deepfence_license = "" | ThreatMapper or ThreatStryker | | ||
| def deepfence_product = "" | ThreatMapper or ThreatStryker license key | | ||
Please refer the following files | ||
- vulnerabilities_scripted_pipeline.Jenkinsfile | ||
- vulnerabilities_declarative_pipeline.Jenkinsfile | ||
|
||
## Steps | ||
- Ensure `quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2` image is present in the vm where jenkins is installed. | ||
```shell script | ||
docker pull quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2 | ||
``` | ||
### Scripted Pipeline | ||
``` | ||
stage('Run Deepfence Vulnerability Mapper'){ | ||
DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2") | ||
try { | ||
c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock", "-deepfence-key=${deepfence_key} -vulnerability-scan=true -output=table -mode=local -mgmt-console-url=${deepfence_mgmt_console_url} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'") | ||
sh "docker logs -f ${c.id}" | ||
def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true | ||
sh "exit ${out}" | ||
} finally { | ||
c.stop() | ||
} | ||
} | ||
``` | ||
### Declarative Pipeline | ||
``` | ||
stage('Run Deepfence Vulnerability Mapper'){ | ||
steps { | ||
script { | ||
DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2") | ||
try { | ||
c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock", "-deepfence-key=${deepfence_key} -vulnerability-scan=true -output=table -mode=local -mgmt-console-url=${deepfence_mgmt_console_url} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'") | ||
sh "docker logs -f ${c.id}" | ||
def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true | ||
sh "exit ${out}" | ||
} finally { | ||
c.stop() | ||
} | ||
} | ||
} | ||
} | ||
``` | ||
- Set `deepfence_mgmt_console_url`, `fail_cve_count` variables in Jenkinsfile | ||
### Secret Scan | ||
|
||
Please refer the following file | ||
- secrets.Jenkinsfile | ||
|
||
### Malware Scan | ||
|
||
Please refer the following file | ||
- malwares.Jenkinsfile |
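Review bot: the rewritten README drops both the prerequisite that `quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2` be pulled onto the node where Jenkins runs and the table explaining `deepfence_key`, the `fail_*` thresholds (including the `-1` "never fail" convention) and `mask_cve_ids`, and what replaces them is only a list of filenames; keep at least a one-line pointer that the scanner image must be present locally and that the API key and thresholds are set as variables at the top of each referenced Jenkinsfile, otherwise a reader of this page cannot tell what those files expect before running them. Also, "Please refer the following files" reads better as "Please refer to the following files" (three occurrences).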
ci-cd-integrations/jenkins/vulnerabilities_declarative_pipeline.Jenkinsfile (40 additions & 0 deletions)
@@ -0,0 +1,40 @@ | ||
node { | ||
def app | ||
def full_image_name = 'deepfenceio/jenkins-example:latest' | ||
def deepfence_mgmt_console_url = '127.0.0.1' // URL address of Deepfence management console Note - Please do not mention port | ||
def fail_cve_count = 100 // Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities. | ||
def fail_critical_cve_count = 1 // Fail jenkins build if number of critical vulnerabilities found is >= this number. Set -1 to pass regardless of critical vulnerabilities. | ||
def fail_high_cve_count = 5 // Fail jenkins build if number of high vulnerabilities found is >= this number. Set -1 to pass regardless of high vulnerabilities. | ||
def fail_medium_cve_count = 10 // Fail jenkins build if number of medium vulnerabilities found is >= this number. Set -1 to pass regardless of medium vulnerabilities. | ||
def fail_low_cve_count = 20 // Fail jenkins build if number of low vulnerabilities found is >= this number. Set -1 to pass regardless of low vulnerabilities. | ||
def fail_cve_score = 8 // Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. | ||
def mask_cve_ids = "" // Comma separated. Example: "CVE-2019-9168,CVE-2019-9169" | ||
def deepfence_key = "" // API key can be found on settings page of the deepfence | ||
def deepfence_license = "" // ThreatMapper or ThreatStryker | ||
def deepfence_product = "" // ThreatMapper or ThreatStryker license key | ||
|
||
stage('Clone repository') { | ||
checkout scm | ||
} | ||
|
||
stage('Build image') { | ||
app = docker.build("${full_image_name}", "-f ci-cd-integrations/jenkins/Dockerfile .") | ||
} | ||
|
||
stage('Run Deepfence Vulnerability Mapper'){ | ||
steps { | ||
script { | ||
DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2") | ||
try { | ||
c = DeepfenceAgent.run("-it --net=host --privileged -v /var/run/docker.sock:/var/run/docker.sock:rw", "-deepfence-key=${deepfence_key} -console-url=${deepfence_mgmt_console_url} -product=${deepfence_product} -license=${deepfence_license} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'") | ||
sh "docker logs -f ${c.id}" | ||
def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true | ||
sh "exit ${out}" | ||
} finally { | ||
c.stop() | ||
} | ||
} | ||
} | ||
} | ||
|
||
} |
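Review bot: this file is named vulnerabilities_declarative_pipeline.Jenkinsfile but is written in scripted syntax (`node { ... }`, `def` variables, `docker.build(...)`), and the 'Run Deepfence Vulnerability Mapper' stage then wraps its body in `steps { script { ... } }`, which are Declarative-only sections; inside a scripted `node` block `steps` is not a DSL method, so this stage fails at runtime while the two stages before it run fine. Either drop the `steps {` / `script {` wrappers so the third stage matches the first two, or convert the whole file to `pipeline { agent any ... stages { ... } }` with the `def` variables moved to an `environment {}` block. Two points on the `DeepfenceAgent.run(...)` call: `--privileged` is new relative to the README version of the same command, which ran with only the socket mount; mounting `/var/run/docker.sock` with `:rw` is already root-equivalent on the Docker host, so adding `--privileged` only widens what a compromised scanner container can reach and should be removed unless the CLI now requires it. And `-deepfence-key=${deepfence_key}` places the API key on the container's command line, where `docker inspect` and `ps` on the Jenkins node expose it, so `deepfence_key` should be injected from a Jenkins credential via `withCredentials` rather than a hard-coded `def deepfence_key = ""`. Finally, the comments on `deepfence_license` and `deepfence_product` are swapped (`deepfence_product` selects 'ThreatMapper or ThreatStryker', `deepfence_license` holds the license key), and `c.stop()` in the `finally` block will itself throw when `DeepfenceAgent.run` fails, because `c` is then unassigned, masking the original error; guard it with `if (c) c.stop()`.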
File renamed without changes.