This blog highlights one of the ways in which the Anchore plugin can be integrated into a Jenkins Pipeline. The example is based on a simple Node application in a Docker container. A Jenkinsfile defines the Pipeline project used for building the Docker image with the application and running tests (this can be the CI process triggered by commits to a code repository). This example introduces Anchore scanning as one of the stages in the Jenkinsfile. The Analyze stage uses the Anchore plugin to submit the Docker image to an Anchore Engine installation for analysis. The analysis and the resulting policy evaluation determine the overall status of the Jenkins build, which in turn can drive the decisions made in subsequent steps (such as promoting the build for deployment if it passes, or fixing the issues and retrying if it fails). All the code used for this example can be found here on GitHub.
Let’s get started
Before going any further, make sure that you have access to an Anchore Engine installation.
Installation
If you have a Jenkins instance with the Blue Ocean, Pipeline, Docker and Anchore Container Image Scanner plugins installed, skip to Setup Pipeline Project. Otherwise, continue reading.
Install and Configure Jenkins
This example runs Jenkins in a Docker container. It employs the jenkinsci/blueocean Docker image, since that image contains the current LTS release of Jenkins along with most of the required plugins (Blue Ocean, Pipeline and Docker). Docker must be installed on your operating system before you can start using it. For more information about prerequisites and installation options, refer to the official docs on Jenkins. Note that the command below runs the container as root and mounts the host's Docker socket so that the Pipeline can build images; control of the Docker socket is equivalent to root on the host, which is acceptable for a local demo but not for a shared build server.
$ docker run -u root -d --name jenkins -p 8080:8080 -p 50000:50000 -v /var/run/docker.sock:/var/run/docker.sock -v jenkins-data:/var/jenkins_home jenkinsci/blueocean
Follow the steps in https://jenkins.io/doc/book/installing/#setup-wizard to access the Jenkins instance and complete the setup.
Install Anchore Container Image Scanner Plugin
Go to Manage Jenkins -> Plugin Manager -> Available tab, search for and select Anchore Container Image Scanner, then click Download now and install after restart.
Select the Restart checkbox to restart the Jenkins instance and activate the plugin.
Setup Pipeline Project
This section assumes that you have a Jenkins instance running with the Blue Ocean, Pipeline, Docker and Anchore Container Image Scanner plugins installed.
Log in to the Jenkins classic UI and access the Blue Ocean UI by clicking Open Blue Ocean on the left.
If your Jenkins instance is new or has no Pipeline projects, then Blue Ocean UI displays a Welcome to Jenkins box with a Create a new Pipeline button. Click the button to start the Pipeline project. If the Blue Ocean UI displays a dashboard view with existing Pipeline projects, click the New Pipeline button on the top right corner.
Select Git from the list of code repositories and enter “https://github.com/nightfurys/anchore-jenkins-example” for the Repository URL. Credentials are optional. Click Create Pipeline.
Note: The Pipeline project can also be configured to scan and poll a GitHub repository for commits. For instructions, refer to Jenkins.
This should start a new job that immediately transitions to a paused state.
The Pipeline pauses and waits for interactive input. Click anywhere on the paused row to navigate to the Configure stage of the Pipeline.
To provide the configuration, click Resolve Input and enter the requested input. Enter the details for the Docker registry and repository of your choice for staging the images. Create the credentials for the Docker registry and for Anchore Engine. Click Proceed.
The Blue Ocean UI displays the stages that have completed and the current stage in progress. While waiting for the analysis to complete, you can click the dropdown button adjacent to a step to expand its details.
In this example, the Analyze stage uses the Anchore plugin to scan the Docker container image. At the time this Docker image was analyzed, Anchore Engine issued a policy evaluation report with a “fail” end result due to the policy in play (which contains a rule that triggers upon finding high severity CVEs in the Docker container image). As a result, the Anchore plugin fails the Jenkins build, indicated by the Blue Ocean interface turning red.
Follow Up
Policy bundles must be created/managed in Anchore Engine, independent of Jenkins.
The Anchore plugin is configurable and allows the user to supply a Policy Bundle ID to be used by Anchore Engine for policy evaluations. The plugin can also be configured not to fail the Jenkins build on policy evaluation failure if necessary. The Pipeline Syntax / Snippet Generator tool is a good way to explore the plugin options and tune them according to your requirements.
The Anchore plugin generates reports that are accessible only from the classic Jenkins UI. Exit the Blue Ocean view by clicking the Go to classic icon at the top right corner.
Navigate to the build page in the classic UI and look for the Anchore Report icon. Clicking the link should display the Anchore report with Policy and Security tabs.
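To make the Analyze stage and the two plugin options described above concrete, here is an added example of a declarative Jenkinsfile; it is not the Jenkinsfile from the GitHub repository. The registry host, credentials id and policy bundle id are placeholders, and the example assumes the Anchore Engine URL and credentials have been configured in the plugin's global settings under Manage Jenkins.

```groovy
// Added example Jenkinsfile (not the repository's own). Placeholders: registry host,
// credentials id 'docker-registry-creds', policy bundle id 'my-policy-bundle-id'.
pipeline {
    agent any
    environment {
        // Anchore Engine pulls the image from a registry itself, so the image must be
        // pushed somewhere the Engine can reach before the Analyze stage runs.
        IMAGE = "registry.example.com/demo/node-app:${env.BUILD_NUMBER}"
    }
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t ${IMAGE} .'
            }
        }
        stage('Test') {
            steps {
                sh 'docker run --rm ${IMAGE} npm test'
            }
        }
        stage('Push') {
            steps {
                withDockerRegistry([credentialsId: 'docker-registry-creds', url: 'https://registry.example.com']) {
                    sh 'docker push ${IMAGE}'
                }
            }
        }
        stage('Analyze') {
            steps {
                // The plugin reads image names, one per line, each optionally followed by
                // the path of the Dockerfile used to build it.
                writeFile file: 'anchore_images', text: "${env.IMAGE} ${env.WORKSPACE}/Dockerfile"
                // bailOnFail: true marks the build FAILED when the policy evaluation ends in "fail";
                // set it to false to record the result without failing the build.
                // policyBundleId selects a bundle that is created and managed in Anchore Engine.
                anchore name: 'anchore_images',
                        bailOnFail: true,
                        policyBundleId: 'my-policy-bundle-id'
            }
        }
    }
    post {
        always {
            // Remove the local copy of the image regardless of the build outcome.
            sh 'docker rmi ${IMAGE} || true'
        }
    }
}
```

The Policy and Security tabs of the resulting Anchore Report are attached to the build in the classic UI as described below.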
Policy Evaluation Summary and Report
Vulnerabilities List
Conclusion
You’ve just used the Anchore Container Image Scanner plugin in a stage defined in the Jenkinsfile. The Pipeline project defined by this Jenkinsfile builds the Docker image with the application and scans the image using the Anchore plugin.
The Jenkinsfile for this Pipeline project, along with the Node application, is on GitHub. You can try out this example as it is without forking the repository. If you are interested in tailoring this example to your use cases, such as replacing the Node application with your own, using a predefined configuration instead of interactive input, or other customizations, fork the repository and edit the Jenkinsfile and the application code.