SUSE Support


Deploy Jenkins and perform image scanning with NeuVector Vulnerability Scanner plugin

This document (000020931) is provided subject to the disclaimer at the end of this document.

Resolution

The following is a walk-through on deploying Jenkins using Docker and performing image scanning with the NeuVector Vulnerability Scanner plugin.

Components:

  • NeuVector Deployment
  • Docker Engine - Community
  • Jenkins
  • NeuVector Jenkins plugin

Prerequisites:

There are three ways to deploy Jenkins using Docker.

1. Docker Run
docker run -p 8080:8080 -p 50000:50000 -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/bin/docker:/usr/bin/docker --name jenkins-node jenkins/jenkins:lts
2. Docker Persistent

Create a basic script (jenkins-install.sh) and execute with root privileges.

#!/bin/bash

# set folder for docker volume (the jenkins user inside the image runs as uid/gid 1000)
path_folder="$HOME/.jenkins_home"
mkdir -p "$path_folder"
chown -R 1000:1000 "$path_folder"

# install jenkins and expose 8080 port
docker run -p 8080:8080 -p 50000:50000 -v "$path_folder":/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock:ro -v /usr/bin/docker:/usr/bin/docker -d --name jenkins-node jenkins/jenkins:lts

# show endpoint
echo 'Jenkins installed'
echo "You should now be able to access jenkins at: http://$(curl -s ifconfig.co):8080"

# show initial password
# the secrets file is only written once Jenkins has finished starting, so wait for it;
# no -t on docker exec, otherwise the captured password would carry a trailing CR
until docker exec jenkins-node test -f /var/jenkins_home/secrets/initialAdminPassword; do sleep 2; done
jenkins_pass=$(docker exec jenkins-node cat /var/jenkins_home/secrets/initialAdminPassword)
echo "Your Initial Admin Password is: $jenkins_pass"
3. Docker-Compose
version: '3.5'
services:
  jenkins-node:
    image: jenkins/jenkins:lts
    container_name: jenkins-node
    # the two docker run variants above do not use privileged mode; the mounted socket is what gives the container Docker access
    privileged: true
    # ports and volumes belong to the service, not to the services map
    ports:
      - 8080:8080
      - 50000:50000
    volumes:
      - ~/.jenkins_home:/var/jenkins_home
      - /usr/bin/docker:/usr/bin/docker
      - /var/run/docker.sock:/var/run/docker.sock:ro

The Jenkins UI should be accessible from http://<docker_host>:8080/.

  • Select "Install suggested plugins"
  • Create the admin user
  • Search for and install the NeuVector Vulnerability Scanner plugin from Dashboard > Manage Jenkins > Manage Plugins > Available
  • Configure the plugin in Dashboard > Manage Jenkins > Configure System > NeuVector Vulnerability Scanner
    • The NeuVector REST API port is 10443 by default
  • The registry setting is optional for a local scan
  • Create a pipeline from Dashboard > New Item > Pipeline
  • Select and configure the new pipeline, then add a NeuVector scan stage to it. See below for using the Pipeline Syntax generator to produce the scan stage script.
pipeline {
  environment {
    // image and tag scanned by the NeuVector stage; change them here rather than in the step
    image = "library/alpine"
    tag = "3.9"
  }
  agent any
  stages {
    stage('Test NV Scan Images') {
      steps {
        // NeuVector Jenkins plugin step: named-vulnerability exempt/fail slots (empty = unused),
        // severity-count thresholds, and the image reference taken from the environment block
        neuvector nameOfVulnerabilityToExemptFour: '',
          nameOfVulnerabilityToExemptOne: '',
          nameOfVulnerabilityToExemptThree: '',
          nameOfVulnerabilityToExemptTwo: '',
          nameOfVulnerabilityToFailFour: '',
          nameOfVulnerabilityToFailOne: '',
          nameOfVulnerabilityToFailThree: '',
          nameOfVulnerabilityToFailTwo: '',
          numberOfHighSeverityToFail: '1',
          numberOfMediumSeverityToFail: '3',
          registrySelection: 'docker',
          repository: "${env.image}",
          scanLayers: true,
          tag: "${env.tag}"
      }
    }
  }
}

(Optional) Click on "Pipeline Syntax" and choose the "neuvector: NeuVector Vulnerability Scanner" sample step.

Paste the generated code inside the steps braces of the 'Test NV Scan Images' stage. In the example above, the repository and tag are replaced by global variables defined under the environment section.

Run the job and review the artifact file generated by the NeuVector plugin, which contains the analysis report.

Note: To scan an image by its digest instead of by tag, replace the tag value with the specific sha256 digest.

Registry scan results are available from the NeuVector WebUI under Notifications.

Note: For Kubernetes clusters, admission control rules will apply to these registry image scan results.


Local Image Scan

Create a new project with the following Build settings. The registry value is Local. The docker command relies on the volume mounts made when the Jenkins container was started (see above).

NOTE: For a local scan to work, the scanner must be running alongside Jenkins on the same host.

Output:

Started by user neuvector
Running as SYSTEM
Building in workspace /var/jenkins_home/workspace/local-project
[local-project] $ /bin/sh -xe /tmp/jenkins9163991300572293348.sh
+ echo FROM alpine:2.7
+ docker build -t alpine:jenkins-local-project-4 .
Sending build context to Docker daemon 2.048kB

Step 1/1 : FROM alpine:2.7
---> 93f518ec2c41
Successfully built 93f518ec2c41
Successfully tagged alpine:jenkins-local-project-4
Build user not found.

*************************************************************
Scanner Source Name: NeuVector Scanner on Jenkins
Build User:
Job Name: local-project Workspace: /var/jenkins_home/workspace/local-project
Local case.
Repository: alpine
Tag: jenkins-local-project-4
************************ Scan Report ************************
Repository: library/alpine
Tag: jenkins-local-project-4

********************** Vulnerabilities **********************
...
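The console output above shows the shape of the local scan: a build step tags the image jenkins-<job>-<build number> and the plugin reports Repository and Tag under the Scan Report header. The script below is an added example, not code from this article or from the NeuVector plugin. It packages that build step, validates the tag field (accepting either a plain tag or the sha256 digest form the digest note above describes), and parses the plugin's report header out of the console log so a later step can act on it. It assumes the standard Jenkins JOB_NAME and BUILD_NUMBER variables; the function names and the sample report lines used for checking are constructed here.

```shell
#!/bin/sh
# Added example (not from the SUSE article or the NeuVector plugin): helpers for a
# Jenkins "Execute shell" build step that feeds the plugin's Local scan.
set -eu

# Compose the image tag the way the article's console output shows it:
#   <repository>:jenkins-<job name>-<build number>
local_image_tag() {
  printf '%s:jenkins-%s-%s\n' "$1" "$2" "$3"
}

# Accept either a plain image tag or a full sha256 digest ("sha256:" + 64 hex
# characters), which is what the article says to place in the tag field for a
# digest-based scan. Short digests, empty values and tags with characters Docker
# rejects return 1 so the job fails before the scan runs against the wrong image.
validate_scan_tag() {
  value=$1
  [ -n "$value" ] || return 1
  case "$value" in
    sha256:*)
      hex=${value#sha256:}
      [ ${#hex} -eq 64 ] || return 1
      case "$hex" in *[!0-9a-f]*) return 1 ;; esac
      ;;
    *)
      [ ${#value} -le 128 ] || return 1
      case "$value" in
        [!A-Za-z0-9_]*) return 1 ;;        # must start with a word character
        *[!A-Za-z0-9_.-]*) return 1 ;;     # then word characters, ".", "-" only
      esac
      ;;
  esac
  return 0
}

# Read the plugin's console output on stdin and print "<repository> <tag>" taken
# from the lines after the "Scan Report" header (the earlier "Local case." block
# repeats the same keys with the pre-normalisation repository name, so it is skipped).
parse_scan_report() {
  awk '
    index($0, "Scan Report") { in_report = 1; next }
    in_report && $1 == "Repository:" { repo = $2 }
    in_report && $1 == "Tag:"        { tag = $2 }
    END { if (repo != "" && tag != "") print repo, tag }
  '
}

# Build step: write a one-line Dockerfile into the workspace and build the image
# the plugin (registry "Local") will scan. Docker is only invoked when the script
# is run as "<script> build [base image]", so the helpers can be sourced without a daemon.
build_local_image() {
  base=${1:-alpine:2.7}
  repo=${base%%:*}
  tag=$(local_image_tag "$repo" "${JOB_NAME:?}" "${BUILD_NUMBER:?}")
  validate_scan_tag "${tag#*:}" || { echo "invalid tag: $tag" >&2; return 1; }
  echo "FROM $base" > Dockerfile
  docker build -t "$tag" .
  echo "$tag"
}

if [ "${1:-}" = "build" ]; then
  build_local_image "${2:-alpine:2.7}"
fi
```

In a Jenkins freestyle project the build step would be `sh jenkins-local-scan.sh build alpine:2.7`, after which the plugin's Local scan picks up the alpine:jenkins-<job>-<build> image; the parse helper is meant for a post-build step that reads the archived console log.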

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020931
  • Creation Date: 17-Jan-2023
  • Modified Date:26-Sep-2023
    • SUSE NeuVector
