Standalone scanner - Jenkins example

It is often necessary to scan the development build image and ensure it is free of critical vulnerabilities before pushing it to a registry for further testing.  This article will demonstrate the use of the standalone NeuVector scanner without the need for a full NeuVector deployment.

The scanner container will perform the scan and write the output to /var/neuvector/scan_result.json.  The downstream stage can process the scan_result.json and take appropriate action.

Jenkins Pipeline:

Requirements:

• Docker

A pipeline stage to instantiate the scanner to scan the build image.  Extending this example should include a stage to parse the scan_result.json and take appropriate action.

pipeline {
  environment {
    image = "alpine"
    tag = "3.9"
    tag_scan = "$BUILD_TAG"
    }
agent any
stages {
  stage('Build Local Image') { 
    steps {
      sh "echo 'FROM $image:$tag' > Dockerfile && docker build -t $image:$tag_scan . "
      }
    }
  stage('Check Local Image') { 
    steps {
      sh "docker images"
      }
    }
  stage('Test NV Scan Images') { 
    steps {
      //nv jenkins plugin conf
      sh "docker run -i --privileged --name neuvector.scanner -e SCANNER_REPOSITORY=$image -e SCANNER_TAG=$tag_scan -e SCANNER_ON_DEMAND=true -v /var/run/docker.sock:/var/run/docker.sock -v /var/neuvector:/var/neuvector neuvector/scanner"
      sh "docker cp neuvector.scanner:/var/neuvector/scan_result.json ."
      sh "docker rm neuvector.scanner"
      }
    }
  stage('Security Report') { 
    steps {
      archiveArtifacts artifacts: 'scan_result.json'
      cleanWs()
      }
    } 
  } 
}