pohanhuangtw/neuvector-vulnerability-scanner-plugin

Jenkins plugin that adds NeuVector registry and image scanning as a build step


Description

This is a Jenkins plugin that scans registry images and local images for security vulnerabilities with the NeuVector Scanner.

Notes

  • It supports two scan modes. By default, it uses the Controller & Scanner mode.
    • Standalone mode: the scanner service runs inside a Docker container on the Jenkins host
    • Controller & Scanner mode: the scan is performed by an external NeuVector controller and scanner
  • Running Jenkins agents as pods in Kubernetes agent mode is supported from 2.2+
  • Multiple controller endpoints are supported from 2.4+

Requirements

  • For the Controller & Scanner mode, you need to install the NeuVector controller and scanner in the network. To scan a local image (an image on the Jenkins machine), the Controller & Scanner needs to be installed on the node where the image exists.

  • For the standalone mode, Docker must be installed on the same host as Jenkins, and the jenkins user must be added to the docker group:

    sudo usermod -aG docker jenkins

    Membership in the docker group is root-equivalent on that host (anyone who can talk to the Docker daemon can start a privileged container and mount the host filesystem), so the Jenkins instance itself must be treated as a fully trusted, tightly access-controlled component.

  • If you run Jenkins as a container, remember to mount a host directory: -v /var/jenkins_home:/var/jenkins_home

    For example,

    docker run -p 8080:8080 -v /var/jenkins_home:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) --name=jenkins jenkins/jenkins:lts

    If you want to mount a host directory other than /var/jenkins_home, for example /home/neuvector/jenkins_home, remember to add the environment variable JENKINS_MOUNT_PATH='/home/neuvector/jenkins_home'.

    For example,

    • docker CLI

      docker run -p 8080:8080 -e JENKINS_MOUNT_PATH='/home/neuvector/jenkins_home' -v /home/neuvector/jenkins_home:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) --name=jenkins jenkins/jenkins:lts

    • docker-compose.yml

      ```yaml
      jenkins-node:
          image: jenkins/jenkins:lts
          container_name: jenkins-node
          user: root
          ports:
              - 8080:8080
              - 50000:50000
          volumes:
              - /home/neuvector/jenkins_home:/var/jenkins_home
              - /usr/bin/docker:/usr/bin/docker
              - /var/run/docker.sock:/var/run/docker.sock:ro
          environment:
              - JENKINS_MOUNT_PATH=/home/neuvector/jenkins_home
      ```

    Mounting /var/run/docker.sock into the Jenkins container hands that container control of the host's Docker daemon. The :ro flag in the compose example only makes the socket file read-only in the container's filesystem; it does not stop the container from connecting to the socket and issuing commands, so it is not a security boundary.

Setup the configuration in Jenkins

After installing the plugin, you will find the NeuVector Vulnerability Scanner section in the global configuration page (Jenkins UI > Manage Jenkins > Configure System). The first subsection configures Controller & Scanner; the Standalone subsection follows it.

Controller & Scanner

  • Once you have entered the following settings, click the Test Connection button to validate them. It shows Connection Success or an error message.
  • Multi-controller mode is supported: you can define several controllers as servers and select one when generating the pipeline step. If no controller is selected, the one named "default" is used automatically.
  • Controller endpoint names must be unique. If a duplicate is detected, it is removed automatically when you click Save.


  1. Enter the values for the Controller & Scanner mode: the NeuVector Scanner source name, the controller REST API URL, the username, and the password.
  2. The TLS certificate check verifies that the certificate you paste into NeuVector Server Certificate matches the one the controller presents. To obtain the certificate from your server:
    1. Exec into the pod that exposes the controller REST API.
    2. The certificate file is /etc/neuvector/certs/ssl-cert.pem.
    3. Copy its contents and paste them here as the certificate.
  3. You can disable the check by clicking "Skip TLS certificate check". Do this only for testing: with the check skipped, the plugin will authenticate with the controller username and password to whatever server answers at the REST API URL.
  4. The timeout (minutes) value terminates the build step once the entered time has elapsed. The default value of 0 means no timeout.

Standalone


  1. Enter the values for the standalone scanner mode: the NeuVector Scanner Registry URL, NeuVector Scanner Image Repository, NeuVector Scanner Registry User, and NeuVector Scanner Registry Password.
  2. Click 'Add Registry' to enter the values for the registry you will use in your project. If you only want to scan local images, you do not need to add a registry here.

How to set up the build step / pipeline

In your project configuration page, choose the NeuVector Vulnerability Scanner plugin from the drop-down menu in 'Add build step' or in the 'pipeline' syntax generator; these two have similar configuration pages.

  1. Check the "Scan with Standalone scanner" checkbox if you want to scan in standalone scanner mode. By default, the Controller & Scanner mode is used.
  2. If you selected the controller mode, choose the controller endpoint you want to use; this setting is ignored in standalone mode.
  3. Define the registry in the global configuration page and choose its name here. Enter the repository (image) name and the tag. You may use Jenkins default environment variables for the repository or tag, e.g. $JOB_NAME, $BUILD_TAG, $BUILD_NUMBER.
  4. Enter the number of high or medium severity vulnerabilities that fails the build, the names of vulnerabilities whose presence fails the build, and the names of vulnerabilities that are exempt from the scan. If you choose "Scan with Standalone", the scan timeout defaults to 10 minutes.
  5. Save the configuration, go back to the project page and click Build. When the build finishes, a NeuVector report is generated.
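The following Jenkinsfile is an added example, not part of the original README or the plugin project, showing the build step above in the default Controller & Scanner mode with the build gated on severity counts and named CVEs. The parameter names are the ones used by the neuvector step in the Kubernetes pipeline example later on this page; the controller endpoint name, registry name, image repository and CVE identifiers are assumed example values.

```groovy
// Added example Jenkinsfile (not from the plugin project): gate a build on a NeuVector scan.
// Endpoint name, registry name, repository and CVE identifiers are assumed example values.
pipeline {
    agent any

    stages {
        stage('NeuVector scan') {
            steps {
                neuvector(
                    // false = Controller & Scanner mode (the plugin default); true = standalone scanner on the Jenkins host
                    standaloneScanner: false,
                    // name of a controller endpoint defined under Manage Jenkins > Configure System;
                    // the endpoint named "default" is used when nothing is selected
                    controllerEndpointUrlSelection: 'default',
                    // registry name defined in the global configuration (assumed value)
                    registrySelection: 'internal-registry',
                    // image to scan; Jenkins environment variables are used for the repository and tag
                    repository: "myorg/${env.JOB_NAME}",
                    tag: env.BUILD_NUMBER,
                    // number of high / medium severity findings whose presence fails the build
                    numberOfHighSeverityToFail: '1',
                    numberOfMediumSeverityToFail: '10',
                    // vulnerabilities whose presence fails the build regardless of the counts (example identifiers)
                    nameOfVulnerabilityToFailOne: 'CVE-2021-44228',
                    nameOfVulnerabilityToFailTwo: 'CVE-2021-45046',
                    nameOfVulnerabilityToFailThree: '',
                    nameOfVulnerabilityToFailFour: '',
                    // accepted-risk vulnerabilities exempted from the scan result (example identifier)
                    nameOfVulnerabilityToExemptOne: 'CVE-2019-1010022',
                    nameOfVulnerabilityToExemptTwo: '',
                    nameOfVulnerabilityToExemptThree: '',
                    nameOfVulnerabilityToExemptFour: ''
                )
            }
        }
    }
}
```

The empty strings leave the remaining name slots unused, as in the Kubernetes example on this page. Keep the exempt list short and reviewed: every entry is a finding the pipeline will silently stop reporting.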

Setup the Kubernetes plugin in Jenkins

Set up the Kubernetes agent in the Jenkins server

Watch the video

Pipeline example for K8s agent mode

Here is an example pipeline from our testing machine.

```groovy
pipeline {
    agent {
        // Run the build on a pod created by the Jenkins Kubernetes plugin.
        kubernetes {
            yaml '''
                apiVersion: v1
                kind: Pod
                spec:
                  containers:
                  - name: docker
                    image: docker:dind
                    command: ["/bin/sh", "-c"]
                    args: ["dockerd & sleep infinity"]
                    securityContext:
                      # dockerd needs a privileged container; this gives the pod root-equivalent access to the node
                      privileged: true
                      runAsUser: 0
                  imagePullSecrets:
                    - name: my-dockerhub-secret
            '''
        }
    }
    stages {
        stage('docker pull') {
            steps {
                // run the step inside the docker container declared above
                container('docker') {
                    script {
                        neuvector(
                            nameOfVulnerabilityToExemptOne: '',
                            nameOfVulnerabilityToExemptTwo: '',
                            nameOfVulnerabilityToExemptThree: '',
                            nameOfVulnerabilityToExemptFour: '',
                            nameOfVulnerabilityToFailOne: '',
                            nameOfVulnerabilityToFailTwo: '',
                            nameOfVulnerabilityToFailThree: '',
                            nameOfVulnerabilityToFailFour: '',
                            numberOfHighSeverityToFail: '',
                            numberOfMediumSeverityToFail: '',
                            controllerEndpointUrlSelection: 'your controller Endpoint',
                            // registry name from the global configuration
                            registrySelection: 'your registry',
                            repository: 'your repo',
                            tag: 'some tag',
                            // standalone scanner mode: the scan runs against the dockerd started in this pod
                            standaloneScanner: true,
                            scanTimeout: 10
                        )
                    }
                }
            }
        }
    }
}
```
