Docker scanning for Jenkins CI/CD security with the Sysdig Secure plugin.

In this blog post we’ll cover how to implement Docker Scanning for Jenkins with the Sysdig Secure Jenkins plugin. The plugin can be used in both freestyle and pipeline jobs to scan images and fail the build if the image fails a policy evaluation.

The deployment model of containers has made it incredibly easy for organizations to adopt continuous delivery processes. However, all the efficiencies gained in packaging and building applications can’t be realized if the end result is unstable and insecure software. By prioritizing CI/CD security, organizations can proactively address risk in applications before they are deployed in production, or even pushed into a registry.

Fail Fast: The Benefits of CI/CD Security

It’s always easier to fix issues when they’re not in production. Integrating Sysdig Secure with your CI/CD pipeline, whether Jenkins or any other tool, adds a step that evaluates Docker images for security, compliance, and reliability before they are deployed to production.

Here are a couple of examples of things we’ve seen organizations want to know about images before they’re deployed into production.

Security

  • Does the image have critical vulnerabilities with a fix?
  • Are there secrets or credentials exposed in the image?
  • Does this image have exposed ports that I’ve blacklisted?

Compliance

  • What license types is the image using?
  • Is this image built on a distribution our organization doesn’t use?

Reliability

  • Does my image have health checks?
  • Are my developers building large images that can impact our infrastructure?
  • Are my developers using an unofficial version of Ruby, Node, Java, or Python packages?

Scanning Docker Images built with Jenkins

There are a couple of prerequisites to cover before scanning Docker images built within Jenkins.

  • Have a SaaS or On-prem installation of Sysdig Secure
  • Install the Sysdig Secure Jenkins Plugin
  • Configure the plugin to integrate with Sysdig Secure (shown below)

Creating Docker Image Scanning Policies for Jenkins in Sysdig Secure

Once Sysdig Secure and Jenkins are integrated, it’s time to set up a policy to be used by the Jenkins plugin. Note: this is not required; if a custom policy is not configured, the plugin uses the default policy within Sysdig Secure.

Navigate to the Scanning Policies page within Sysdig Secure and click on Add Policy to get started. You can easily configure rules to map to the security, compliance, and reliability use cases we provided above, plus many more.

The last step of creating a rule is to assign an action of Warn or Stop. The Stop action can be used to fail a build and prevent the image from moving into production.

Scanning Docker Images as part of the CI/CD Pipeline with Jenkins

Once you’ve set up a policy, it’s time to integrate that policy evaluation into an existing build process within Jenkins. Full documentation can be found in the Sysdig Secure Jenkins Plugin documentation.

First, add the additional build step Sysdig Secure Container Image Scanner.

Then you’ll have options to define which policy you’d like this job to reference and whether or not to fail the build on a failed policy evaluation (that is, if any rule produced a Stop action).
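The same gate in a pipeline job, as an added example that is not from the original post or the plugin's own documentation: the image name, registry and credentials id are placeholders, and the `sysdig` step with its `name` and `bailOnFail` parameters is written from my recollection of the plugin's pipeline syntax, so confirm it against the Pipeline Syntax snippet generator of the version you have installed. The Sysdig Secure endpoint and API token are assumed to come from the global plugin configuration set up in the prerequisites.

```groovy
// Added example (not the post's or the plugin's own code): a declarative
// Jenkinsfile that builds an image, submits it to the Sysdig Secure plugin
// and lets a Stop action fail the build before the deploy stage can run.
pipeline {
    agent any
    environment {
        // Placeholder image reference; the scanning backend pulls it from the registry.
        IMAGE = "registry.example.com/team/app:${env.BUILD_NUMBER}"
    }
    stages {
        stage('Build and push') {
            steps {
                sh "docker build -t ${IMAGE} ."
                sh "docker push ${IMAGE}"
            }
        }
        stage('Sysdig Secure policy evaluation') {
            steps {
                // The plugin reads the images to evaluate from a file, one per line
                // (file name and step parameters are assumptions; verify locally).
                writeFile file: 'sysdig_secure_images', text: "${IMAGE}\n"
                // bailOnFail: true maps a failed policy evaluation (any Stop action)
                // to a FAILED build; set it to false to keep the report but only warn.
                sysdig name: 'sysdig_secure_images', bailOnFail: true
            }
        }
        stage('Deploy') {
            // Reached only when no rule in the policy produced a Stop action.
            steps {
                sh "echo deploying ${IMAGE}"
            }
        }
    }
}
```

The Sysdig Secure Report artifact described in the next section is still attached to the build when `bailOnFail` stops it, so the Stop and Warn breakdown remains available for the failed run.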

Reporting on Docker Image Risk and Compliance within Jenkins

After the next build, an additional Sysdig Secure Report artifact will be available in Jenkins.

By clicking into the Sysdig Secure Report you’ll get a summary of the policy evaluation broken down by the Stop or Warn actions that were generated from the policy.

To dive further into the specific vulnerabilities of an image, click on the Security tab and a page specific to vulnerabilities will open.

Tying it all together

All this data is also sent to the Sysdig Secure UI, where you can get further details about the image: OS package information, configuration files, discovered vulnerabilities, any possible leaked secrets or credentials, and a view into if and where this image is currently running in your environment.

It’s also worth noting that everything you see here can be accomplished directly via the API, so if you’re using other CI/CD tools besides Jenkins, we’ll easily integrate with those as well.

If you’d like to learn more about how Sysdig Secure can integrate with your CI/CD pipeline to help manage risk, compliance, and reliability, check out the How to manage vulnerabilities in container environments online session.
