Twistlock provides a Jenkins plugin that lets you incorporate vulnerability scanning into your continuous integration pipeline.
The Jenkins plugin is delivered with the release tarball that you download from Releases.
In order to interoperate, both Console and the Jenkins plugin must be from the same release.
The Jenkins plugin is built for Jenkins on Linux. To scan images with Jenkins on other operating systems, use a platform-specific twistcli binary.
After Jenkins builds a container image, the Twistlock plugin scans it for vulnerabilities and compliance issues.
Twistlock can pass or fail a build, depending on the types of vulnerability and compliance issues discovered, and the policies you set up in Console. By incorporating scanning into the build phase of the development workflow, engineers get immediate feedback about what needs to be fixed. The scan report provides all the information required to fix the vulnerabilities.
The sequence of events is described below:
An engineer commits a change for a container under development. The commit triggers a build.
Jenkins builds the container image.
As part of the build process, Jenkins calls the Twistlock plugin. The plugin collects data about the image, including the packages and binaries in the image, and submits it to Console for analysis.
Console returns a list of vulnerabilities and compliance issues.
The Twistlock plugin passes or fails the build depending upon your configuration and policy.
For more information about configuring a scan, see: Setting up a Freestyle project, Setting up a Maven project, or Setting up a Pipeline project.
For more information about targeting rules created in Console to the Jenkins plugin, see Set policy in the CI plugins.
The results are displayed in the following places:
In Jenkins, within the project/job page, or relevant dashboard view.
In Twistlock Console, on the Monitor > Vulnerabilities > Jenkins Jobs page.
When scanning multiple images in a single build, results do not appear correctly in the Jenkins dashboard view or vulnerability trends table/graph. Only trend data for the last image scanned is shown. Instead, go to Console to see scan results for all images in the build.
Your version of Jenkins meets Twistlock’s minimum requirements.
You have installed Twistlock Console on a host in your environment.
Your Jenkins host can reach Twistlock Console over the network.
We recommend adding a Twistlock user with the CI User role to minimize privileges on Console. For more information, see User roles.
Validate that the Jenkins host can communicate with Twistlock Console.
Open the Jenkins top page.
Install the plugin dependencies.
The Twistlock plugin depends on the Dashboard View and Static Analysis Utilities plugins.
Click Manage Jenkins > Manage Plugins, and then click on the Available tab.
In the Filter text box, enter Dashboard View.
Select the checkbox for the Dashboard View plugin.
In the Filter text box, enter Static Analysis Utilities.
Select the checkbox for the Static Analysis Utilities plugin.
Click Install without restart.
Install the Twistlock plugin.
The Twistlock Jenkins plugin is an .hpi file that is delivered as a part of the tarball you downloaded from Builds and release notes.
Click Manage Plugins (in the left menu bar), and then click the Advanced tab.
Scroll down to Upload Plugin, and click Choose File.
Navigate to the folder where you unpacked the Twistlock download and select twistlock-jenkins-plugin.hpi.
Click Upload.
Configure the Twistlock plugin.
Go to the Jenkins top page, and then click Manage Jenkins > Configure System.
Scroll down to the Twistlock section.
In the Address field, enter the URL for Twistlock Console.
In the User and Password fields, enter the CI role user’s credentials for Twistlock Console.
Click Test Connection to validate that the Jenkins plugin can communicate with Twistlock Console.
Click Save.
The build console output in Jenkins may show the message "No CA cert was specified, using insecure connection". It appears because twistcli (which the Jenkins plugin wraps) verifies Console's certificate chain by default. When twistcli is run directly, the --tlscacert parameter can be passed to specify the signing CA, so the message is not shown. To simplify configuration, the Jenkins plugin does not expose this option, which is why the message appears. The connection between Jenkins and Console is still fully encrypted with TLS.
The Twistlock plugin provides a number of portlets that you can add to your dashboard to visualize the vulnerabilities in your images.
This portlet summarizes the vulnerabilities in each image:
Total number of vulnerabilities.
Number of high severity vulnerabilities (CVSS base score 7.0-10.0).
Number of medium severity vulnerabilities (CVSS base score 4.0-6.9).
Number of low severity vulnerabilities (CVSS base score 0.0-3.9).
This portlet displays a bar chart, where each bar represents a build of your image. Each bar has two components:
Number of new vulnerabilities introduced into this build (red).
Number of vulnerabilities fixed in this build (blue).
This portlet shows how the mix of vulnerabilities changes with each build of your project.
High severity vulnerabilities - Red
Medium severity vulnerabilities - Yellow
Low severity vulnerabilities - Blue
Y-axis: Number of vulnerabilities. X-axis: Build dates.
The dashboard can be set up with Twistlock visualizations to show you the vulnerabilities in your builds and how they have changed over time.
Go to the Jenkins top page.
Click the + button to create a new view.
Enter a name for your view, select Dashboard, then click OK.
Under Job Filters, select which jobs should be displayed in this view.
For example, you might set Status Filter to All selected jobs. And then under Jobs, select any job that builds a Docker image.
Add Twistlock portlets to your dashboard.
In the drop-down menus for adding portlets to the top, left, right, and bottom of the page, you have the option to add:
Vulnerabilities per image.
Vulnerabilities trend graph (new vs fixed).
Vulnerabilities trend graph (priority distribution).
Vulnerability trend graph (total).
Click OK.
The following screenshot shows an example view named Twistlock. It is applied to two jobs: test and test_pipeline. It displays just a single portlet: Vulnerabilities per image.
When a build completes, you can view the scan results directly in Jenkins. To support integration with other processes and applications in your organization, Twistlock scan reports can be retrieved from several locations.
Full scan reports for the latest build can be retrieved from:
The project’s workspace in a file named twistlock.json.
The Twistlock API. For more information, see the endpoint for downloading an image's health (GET /api/v1/images/download).
For example, if you use ThreadFix to maintain a consolidated view of vulnerabilities across all your organization’s applications, you could create a post-build action which triggers ThreadFix’s Jenkins plugin to grab Twistlock’s scan report from the project workspace and upload it to the ThreadFix server.
To download the scan report from Console using the Twistlock API, use the following command:
$ curl \
-H "Accept: application/json, text/plain" \
-H "Content-type: application/json" \
-u username:password \
'https://<CONSOLE>:8083/api/v1/images/download?Search=<IMAGE_REPO:TAG>' \
> scan_report.csv
A common stumbling point is the "Ignore Image Build Time" option. This option checks the time the image was created against the time your Jenkins build started. If the image was not created after the start of your current build, the scan is bypassed. The plugin, by default, scans any image generated as part of your build process, but ignores images not created or updated as part of the build.
Keep in mind how Docker assigns creation times to images. If nothing in the image changes, Docker reuses the cached layers and the creation time is not updated. This can lead to a scenario where an image is built and scanned in one job, but not scanned in subsequent jobs, because its creation time still predates those later builds.
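The following Python script is an added illustration of the build-time check described above; it is not code from the Twistlock plugin. It reads the Created field that `docker inspect` reports for an image, compares it with the build start time, and walks through the two-build scenario in which an unchanged image is scanned the first time and silently skipped the second time. The function names, the sample `docker inspect` output, the timestamps, and the assumption that enabling "Ignore Image Build Time" makes the plugin scan every image regardless of age are all constructed for this example; the plugin's exact comparison semantics may differ.

```python
"""Added illustration of the Jenkins plugin's image build-time check (not plugin code)."""
import json
import re
from datetime import datetime


def parse_docker_timestamp(value):
    """Parse the RFC 3339 timestamps Docker emits (nanoseconds, trailing 'Z').

    datetime only carries microseconds, so extra fractional digits are trimmed
    and the 'Z' suffix is spelled out as an explicit UTC offset.
    """
    value = re.sub(r"(\.\d{1,6})\d*", r"\1", value)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def image_created_from_inspect(inspect_output):
    """Return the Created field from `docker inspect <image>` JSON output (a one-element list)."""
    return json.loads(inspect_output)[0]["Created"]


def should_scan(image_created, build_started, ignore_build_time=False):
    """Decide whether an image would be scanned in this build.

    Default behaviour, as the page describes it: only images created after the
    build started are scanned. With the option enabled (assumed here to disable
    the check), every image is scanned.
    """
    if ignore_build_time:
        return True
    return parse_docker_timestamp(image_created) > parse_docker_timestamp(build_started)


# Constructed sample of `docker inspect` output after the first build. The image
# id is a placeholder, not a real digest.
INSPECT_AFTER_FIRST_BUILD = json.dumps([
    {"Id": "sha256:<constructed-placeholder>", "Created": "2019-03-07T09:05:12.123456789Z"}
])


def simulate_two_builds(ignore_build_time=False):
    """Two consecutive builds of an image whose content never changes.

    Build 1 starts at 09:00 and produces the image at 09:05, so it is scanned.
    Build 2 starts at 10:00, but Docker reuses the cached layers, so Created is
    still 09:05 and the default check skips the scan. Returns (scanned_1, scanned_2).
    """
    created = image_created_from_inspect(INSPECT_AFTER_FIRST_BUILD)
    first = should_scan(created, "2019-03-07T09:00:00Z", ignore_build_time)
    second = should_scan(created, "2019-03-07T10:00:00Z", ignore_build_time)
    return first, second


if __name__ == "__main__":
    print("default check:          build1 scanned=%s, build2 scanned=%s" % simulate_two_builds())
    print("ignore build time set:  build1 scanned=%s, build2 scanned=%s"
          % simulate_two_builds(ignore_build_time=True))
```

Run it to see the default check produce `(True, False)`: the second build never gets a scan result even though the pipeline believes it scanned the image. If a job must always produce a fresh report, force a rebuild that changes the image (for example by invalidating the cache) or accept that unchanged images carry the report from the build that created them.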
Most pipelines push images to the registry after passing Twistlock’s vulnerability and compliance scan step. Pipelines also have a final cleanup step that removes images from the local Docker cache. If your build fails, and the pipeline is halted, use a post section to clean up the Docker cache. The post section of a pipeline is guaranteed to run at the end of a pipeline’s execution.
For more information, see the Jenkins documentation.