This article shows you how to create a test Jenkins Maven project that builds a Docker image and then scans it for vulnerability and compliance issues.
To configure Maven:
Go to the Jenkins top page.
Click Manage Jenkins.
Select Global Tool Configuration.
Scroll down to the Maven section (Not Maven Configuration), and click Add Maven.
To set up a Jenkins Maven project:
Go to the Jenkins top page.
Create a new project.
Click New Item.
In Item name, enter a name for your project.
Select Maven project.
Click OK.
Add a build step.
Scroll down to the Pre steps section.
In the Add pre-build step drop-down list, select Execute shell.
In the Command text box, enter the following:
# Generate a minimal Dockerfile; the CMD keeps the container alive for testing.
echo "Creating Dockerfile..."
echo "FROM ubuntu:latest" > Dockerfile
echo 'CMD ["/bin/bash", "-c", "sleep 240"]' >> Dockerfile
# Wrapper script that exec-maven-plugin runs from the POM generated below.
echo 'docker build --no-cache -t dev/ubun2:test .' > build_image.sh
chmod +x build_image.sh
echo "Creating POM file..."
cat > pom.xml << EOF
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>groupId</groupId>
<artifactId>artifactid</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>jar</packaging>
<name>projectName</name>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<build>
<plugins>
<plugin>
<artifactId>exec-maven-plugin</artifactId>
<groupId>org.codehaus.mojo</groupId>
<executions>
<execution>
<id>Build Image</id>
<phase>generate-sources</phase>
<goals>
<goal>exec</goal>
</goals>
<configuration>
<executable>build_image.sh</executable>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
EOF
Add a build step that scans the container images for vulnerabilities.
In the Add build step drop-down list, select Scan Twistlock Images.
Choose an action to take if the image contains packages with vulnerabilities.
Select a severity threshold (Low, Medium, High) to fail the build if a vulnerability is found. Or select Never fail, only warn to allow the complete build process to proceed even if there is a vulnerability.
Select the checkbox to ignore any vulnerabilities that do not have a vendor fix.
For example, if you select a threshold of High, and a package with a high severity vulnerability is found, the build will not be failed if no vendor fix is available.
Choose an action to take if the image has compliance issues.
Select a severity threshold (Low, Medium, High) to configure the build to fail if a compliance issue is found. For more information about how checks are scored, see CIS benchmarks.
Select Never fail, only warn to allow the complete build process to complete even if there are compliance issues.
In the Grace period field, specify an interval (in days) from when a vulnerability is discovered until when the threshold action is enforced.
This mechanism eliminates the need for admins to temporarily whitelist a CVE and manually maintain a list of exemptions. Instead, you can automatically grant your development teams time to schedule and implement a fix.
In the Image field, select the image to scan by specifying the repository and tag; for the pre-build step above, that is dev/ubun2:test. You can use pattern matching expressions.
For example, enter: myimage:1.0
If the image you want to scan is created outside of this build, or if you want to scan the image on every build, even if the build might not generate a new image, then click Advanced, and select Ignore image creation time.
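The scan step's three settings (severity threshold or "Never fail, only warn", the ignore-vulnerabilities-without-a-vendor-fix checkbox, and the grace period) combine into one pass/fail decision per finding. The following Python is an added illustration of that decision logic as described in the steps above; it is not the Twistlock plugin's code, the field names and the sample findings are constructed, and the CVE ids are placeholders. It assumes the grace period is counted from the discovery date and that the threshold action is enforced from the day the period ends, inclusive.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Severity ordering used by the threshold comparison (Low < Medium < High).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    cve: str             # placeholder ids below, not real CVEs
    package: str
    severity: str        # "low" | "medium" | "high"
    discovered: date     # date the scanner first reported the finding
    fix_available: bool  # a vendor fix exists


@dataclass(frozen=True)
class ScanPolicy:
    threshold: Optional[str]   # None models "Never fail, only warn"
    ignore_no_fix: bool = False
    grace_days: int = 0


def is_enforced(f: Finding, policy: ScanPolicy, today: date) -> bool:
    """True if this finding should fail the build under the policy."""
    if policy.threshold is None:
        return False                          # warn only, never fail
    if SEVERITY_RANK[f.severity] < SEVERITY_RANK[policy.threshold]:
        return False                          # below the configured threshold
    if policy.ignore_no_fix and not f.fix_available:
        return False                          # no vendor fix yet, so ignored
    # Assumption: enforcement starts on (discovered + grace_days), inclusive.
    if today < f.discovered + timedelta(days=policy.grace_days):
        return False                          # still inside the grace period
    return True


def evaluate(findings: List[Finding], policy: ScanPolicy,
             today: date) -> Tuple[str, List[Finding], List[Finding]]:
    """Split findings into build-failing and warn-only and return the status."""
    failing = [f for f in findings if is_enforced(f, policy, today)]
    warn_only = [f for f in findings if f not in failing]
    return ("FAILED" if failing else "SUCCESS"), failing, warn_only


# Constructed sample scan result, evaluated as of TODAY.
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "openssl", "high",   date(2024, 5, 1),  True),
    Finding("CVE-EXAMPLE-0002", "libc6",   "high",   date(2024, 5, 28), True),   # 4 days old
    Finding("CVE-EXAMPLE-0003", "curl",    "high",   date(2024, 5, 1),  False),  # no vendor fix
    Finding("CVE-EXAMPLE-0004", "zlib",    "medium", date(2024, 5, 1),  True),
]


def run_sample(threshold: Optional[str], ignore_no_fix: bool = False,
               grace_days: int = 0) -> Tuple[str, List[str]]:
    """Evaluate the sample findings; return (status, ids of findings that fail the build)."""
    policy = ScanPolicy(threshold, ignore_no_fix, grace_days)
    status, failing, _ = evaluate(SAMPLE_FINDINGS, policy, TODAY)
    return status, [f.cve for f in failing]


if __name__ == "__main__":
    for args in [("high", True, 7), ("high", False, 0), ("medium",), (None,)]:
        print(args, run_sample(*args))
```

With threshold High, ignore-no-fix on and a 7-day grace period, only the month-old, fixable high finding fails the build: the 4-day-old one is still inside its grace period and the unfixable one is ignored. Dropping the grace period and the checkbox makes all three high findings fail, and "Never fail, only warn" always returns SUCCESS.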
Add a post-build action so that image scan results can be viewed in a Jenkins dashboard.
Scroll down to Post-build Actions.
In the Add post-build action dropdown menu, select Publish Twistlock analysis results.
In the Image field, select the image to report; use the same repository and tag as in the scan step (dev/ubun2:test for the build above). You can use pattern matching expressions.
For example, enter: myimage:1.0
Click Save to save your project configuration.
Click Build Now to start a build.
After the build completes, examine the results. Scan reports are available in the following locations:
Twistlock Console: Log into Console, and go to Monitor > Vulnerabilities > Jenkins Jobs.
Jenkins: Drill down into the build job, then click Vulnerabilities to see a detailed report.