Deploy Jenkins and perform image scanning with NeuVector Vulnerability Scanner plugin

This document (000020931) is provided subject to the disclaimer at the end of this document.

Resolution

The following is a walk-through on deploying Jenkins using Docker and performing image scanning with the NeuVector Vulnerability Scanner plugin.

Components:

  • NeuVector Deployment
  • Docker Engine - Community
  • Jenkins
  • NeuVector Jenkins Plugin

Prerequisites:

There are three ways to deploy Jenkins using Docker.

1. Docker Run
docker run -p 8080:8080 -p 50000:50000 -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/bin/docker:/usr/bin/docker --name jenkins-node jenkins/jenkins:lts
2. Docker Persistent

Create a basic script (jenkins-install.sh) and execute with root privileges.

#!/bin/bash
set -e

# set folder for docker volume (uid/gid 1000 is the jenkins user inside the image)
path_folder="$HOME/.jenkins_home"
mkdir -p "$path_folder"
chown -R 1000:1000 "$path_folder"

# install jenkins and expose 8080 port
# docker.sock and the docker binary are mounted so jobs can drive the host Docker daemon (needed for the local scan below)
docker run -p 8080:8080 -p 50000:50000 -v "$path_folder":/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/bin/docker:/usr/bin/docker -d --name jenkins-node jenkins/jenkins:lts

# show endpoint
echo 'Jenkins installed'
echo "You should now be able to access jenkins at: http://$(curl -s ifconfig.co):8080"

# show initial password (the file only exists once Jenkins has finished starting, so wait for it;
# no -t here, a pseudo-tty would add a carriage return to the captured password)
until docker exec jenkins-node test -f /var/jenkins_home/secrets/initialAdminPassword; do sleep 2; done
jenkins_pass=$(docker exec jenkins-node cat /var/jenkins_home/secrets/initialAdminPassword)
echo "Your Initial Admin Password is: $jenkins_pass"
3. Docker-Compose

version: '3.5'
services:
  jenkins-node:
    image: jenkins/jenkins:lts
    container_name: jenkins-node
    # privileged gives the container full access to the host; the docker run variants above do not use it
    privileged: true
    # ports and volumes belong to the service, so they are indented under jenkins-node
    ports:
      - 8080:8080
      - 50000:50000
    volumes:
      - ~/.jenkins_home:/var/jenkins_home
      - /usr/bin/docker:/usr/bin/docker
      - /var/run/docker.sock:/var/run/docker.sock:ro

The Jenkins UI should be accessible from http://<docker_host>:8080/.

  • Select "install suggested plugins"
  • Create admin user
  • Search and install the NeuVector Vulnerability Scanner plugin from Dashboard > Manage Jenkins > Manage Plugins > Available
  • Configure the plugin in Dashboard > Manage Jenkins > Configure System > NeuVector Vulnerability Scanner
  • Registry setting is optional for local scan
  • Create Pipeline from Dashboard > New Item > Pipeline
  • Select and configure the new pipeline. Add a NeuVector Scan stage into the pipeline. See below on using the Pipeline Syntax to generate the scan stage script.
pipeline {
  environment {
    image = "library/alpine"
    tag = "3.9"
  }
  agent any
  stages {
    stage('Test NV Scan Images') {
      steps {
        // NeuVector Jenkins plugin step; fails the build at 1 high or 3 medium severity findings
        neuvector nameOfVulnerabilityToExemptFour: '',
          nameOfVulnerabilityToExemptOne: '',
          nameOfVulnerabilityToExemptThree: '',
          nameOfVulnerabilityToExemptTwo: '',
          nameOfVulnerabilityToFailFour: '',
          nameOfVulnerabilityToFailOne: '',
          nameOfVulnerabilityToFailThree: '',
          nameOfVulnerabilityToFailTwo: '',
          numberOfHighSeverityToFail: '1',
          numberOfMediumSeverityToFail: '3',
          registrySelection: 'docker',
          repository: "${env.image}",
          scanLayers: true,
          tag: "${env.tag}"
      }
    }
  }
}

(Optional) Click on "Pipeline Syntax" and choose the "neuvector: NeuVector Vulnerability Scanner" Sample Step.

Paste the generated code inside the steps braces of the 'Test NV Scan Images' stage. In the example above, the repository and tag are replaced by global variables defined in the environment section.

Run the job and review the artifact file generated by the NeuVector plugin with the analysis report.


Note: To scan an image by digest instead of by tag, replace the tag value with the image's specific sha256 digest.

Registry scan results are available from the NeuVector WebUI under Notifications.


Note: For Kubernetes clusters, admission control rules will apply for these registry image scan results.

Example 2: Local Image Scan

Create a new project with the following Build settings. The registry value is Local. The docker command relies on the volume mounts from the Jenkins container initialization (see above).

NOTE: For a local scan to work, the scanner must be running alongside Jenkins on the same host.
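The "Execute shell" build step behind the Example 2 output, written out as an added example (not the article's own job configuration). The jenkins-<JOB_NAME>-<BUILD_NUMBER> tag scheme is an assumption inferred from the logged tag alpine:jenkins-local-project-4; the docker.sock path is the one mounted at container start above.

```shell
#!/bin/sh
# Added example, not from the SUSE article: the build step that produces the
# Example 2 log. Tag scheme jenkins-<job>-<build> is an assumption inferred from
# the logged tag "alpine:jenkins-local-project-4".
set -eu

# Tag for the locally built image: <repo>:jenkins-<job>-<build>
image_tag() {
  printf '%s:jenkins-%s-%s' "$1" "$2" "$3"
}

# The local scan needs the Jenkins container to reach the host Docker daemon,
# i.e. the socket mounted by the docker run / docker-compose setup above.
docker_socket_ready() {
  [ -S "${1:-/var/run/docker.sock}" ]
}

# Write the one-line Dockerfile seen in the log ("FROM alpine:2.7")
write_dockerfile() {
  printf 'FROM %s\n' "$1" > "$2/Dockerfile"
}

# Build the throwaway image that the NeuVector local scan will inspect.
# $1 = base image (e.g. alpine:2.7), $2 = JOB_NAME, $3 = BUILD_NUMBER, $4 = workspace dir
build_local_image() {
  base="$1"; job="$2"; build="$3"; workdir="$4"
  if ! docker_socket_ready; then
    echo "docker.sock is not mounted; the local scan cannot run on this node" >&2
    return 1
  fi
  write_dockerfile "$base" "$workdir"
  # repository name is the base image without its tag (alpine:2.7 -> alpine)
  docker build -t "$(image_tag "${base%%:*}" "$job" "$build")" "$workdir"
}

# Jenkins exports JOB_NAME, BUILD_NUMBER and WORKSPACE for every build; when they
# are absent (script sourced outside Jenkins) only the functions are defined.
if [ -n "${JOB_NAME:-}" ] && [ -n "${BUILD_NUMBER:-}" ] && [ -n "${WORKSPACE:-}" ]; then
  build_local_image "alpine:2.7" "$JOB_NAME" "$BUILD_NUMBER" "$WORKSPACE"
fi
```

The resulting image alpine:jenkins-<job>-<build> is what the plugin reports under "Local case." in the output below.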
Output:

Started by user neuvector 
Running as SYSTEM 
Building in workspace /var/jenkins_home/workspace/local-project 
[local-project] $ /bin/sh -xe /tmp/jenkins9163991300572293348.sh 
+ echo FROM alpine:2.7 
+ docker build -t alpine:jenkins-local-project-4 . 
Sending build context to Docker daemon 2.048kB 

Step 1/1 : FROM alpine:2.7
 ---> 93f518ec2c41 
Successfully built 93f518ec2c41 
Successfully tagged alpine:jenkins-local-project-4 
Build user not found. 

************************************************************* 
Scanner Source Name: NeuVector Scanner on Jenkins 
Build User: 
Job Name: local-project Workspace: /var/jenkins_home/workspace/local-project 
Local case. 
Repository: alpine 
Tag: jenkins-local-project-4 
************************ Scan Report ************************ 
Repository: library/alpine 
Tag: jenkins-local-project-4 

********************** Vulnerabilities **********************
...


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020931
  • Creation Date: 17-Jan-2023
  • Modified Date: 18-Jan-2023
    • SUSE NeuVector
