Jenkins Freestyle projects let you create general-purpose build jobs with maximum flexibility.
This article shows you how to create a test Freestyle project that builds a Docker image and then scans it for vulnerability and compliance issues.
To set up a Jenkins Freestyle project:
Go to the Jenkins top page.
Create a new project.
Click New Item.
In Enter an item name, enter a name for your project.
Select Freestyle project.
Click OK.
Add a build step.
Scroll down to the Build section.
In the Add build step drop-down list, select Execute shell.
In the Command text box, enter the following:
echo "Creating Dockerfile..."
echo "FROM ubuntu:latest" > Dockerfile
# "-c" is required so bash runs the command instead of looking for a script file named "sleep 240"
echo 'CMD ["/bin/bash", "-c", "sleep 240"]' >> Dockerfile
docker build --no-cache -t dev/ubun2:test .
Add a build step that scans the container images for vulnerabilities.
In the Add build step drop-down list, select Scan Twistlock Images.
Choose an action to take if the image contains packages with vulnerabilities.
Select a severity threshold (Low, Medium, High) to fail the build if a vulnerability is found. Or select Never fail, only warn to allow the complete build process to proceed even if a vulnerability is found.
Check Only fail builds when a vendor fix is available to ignore any vulnerabilities that do not have a fix. For example, if you select a threshold of High, and a package with a high severity vulnerability is found, but no fix is available in an updated package, the build does not fail.
Choose an action to take if the image has compliance issues.
Select a severity threshold (Low, Medium, High) to configure the build to fail if a compliance issue is found. For more information about how checks are scored, see CIS benchmarks.
Select Never fail, only warn to allow the build to proceed even if there are compliance issues.
In the Grace period field, specify an interval (in days) from when a vulnerability is discovered until when the threshold action is enforced.
This mechanism eliminates the need for admins to temporarily whitelist a CVE and manually maintain a list of exemptions. Instead, you can automatically grant your development teams time to schedule and implement a fix.
In the Image field, select the image to scan by specifying the repository and tag. You can use pattern matching expressions.
For example, enter myimage:1.0
If the image you want to scan is created outside of this build, or if you want to scan the image on every build even when the build might not generate a new image, click Advanced and select Ignore image creation time.
Add a post-build action so that image scan results can be viewed in a Jenkins dashboard.
Scroll down to Post-build Actions.
In the Add post-build action dropdown menu, select Publish Twistlock analysis results.
In the Image field, select the image to report. You can use pattern matching expressions.
For example, enter myimage:1.0
Click Save to save your project configuration.
Click Build Now to start a build.
After the build completes, examine the results. Scan reports are available in the following locations:
Twistlock Console: Log into Console, and go to Monitor > Vulnerabilities > Jenkins Jobs.
Jenkins: Drill down into the build job, then click Vulnerabilities to see a detailed report.
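The severity threshold, the Only fail builds when a vendor fix is available option, and the Grace period in the scan step above together decide whether a build fails. The following added example (not the Twistlock plugin's own code) models those three rules over a constructed set of findings; the Finding and Policy types, the sample CVE identifiers and the date are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Finding:
    cve: str             # constructed placeholder id, not a real CVE
    severity: str        # Low, Medium or High
    fix_available: bool  # vendor fix exists in an updated package
    discovered: date     # when the scanner first reported it

@dataclass
class Policy:
    threshold: Optional[str]   # None models "Never fail, only warn"
    only_fail_with_fix: bool   # "Only fail builds when a vendor fix is available"
    grace_days: int            # "Grace period" in days

def blocking_findings(findings: List[Finding], policy: Policy, today: date) -> List[Finding]:
    """Return the findings that would fail the build under the policy; all others only warn."""
    if policy.threshold is None:
        return []
    floor = SEVERITY_RANK[policy.threshold.lower()]
    blocking = []
    for f in findings:
        if SEVERITY_RANK[f.severity.lower()] < floor:
            continue  # below the configured severity threshold
        if policy.only_fail_with_fix and not f.fix_available:
            continue  # no vendor fix yet, so it is ignored
        if f.discovered + timedelta(days=policy.grace_days) > today:
            continue  # still inside the grace period: warn, do not enforce
        blocking.append(f)
    return blocking

def build_should_fail(findings: List[Finding], policy: Policy, today: date) -> bool:
    return bool(blocking_findings(findings, policy, today))

# Constructed sample scan output; the ids and dates are made up for this example.
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "High", True, date(2024, 5, 1)),
    Finding("CVE-0000-0002", "High", False, date(2024, 5, 20)),
    Finding("CVE-0000-0003", "Medium", True, date(2024, 5, 30)),
    Finding("CVE-0000-0004", "Low", True, date(2024, 1, 1)),
]
```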