preloder

Integrating Anchore Scanning into Jenkins Pipeline via Jenkinsfile

by | Jul 30, 2018

This blog highlights one of the ways in which Anchore plugin can be integrated in a Jenkins Pipeline. The example is based on a simple Node application in a Docker container. A Jenkinsfile defines the Pipeline project used for building the Docker image with the application and running tests (this can be the CI process that triggers off of commits to a code repository). This example introduces Anchore scanning as one of the stages in the Jenkinsfile. The Analyze stage uses Anchore plugin to submit the Docker image to an Anchore Engine installation for analysis. The analysis and resulting policy evaluation determine the overall status of the Jenkins build which in turn may be helpful in the decision making process in subsequent steps (such as promote build for deployment if the build passes or fix the issues and retry if the build fails). All the code used for this example is in  https://github.com/nightfurys/anchore-jenkins-example

Let’s get started

Before going any further, make sure that you have access to an Anchore Engine installation. For instructions installing Anchore Engine refer to  https://anchore.freshdesk.com/support/solutions/36000112471

Installation

If you have a Jenkins instance with Blue Ocean, Pipeline, Docker and Anchore Container Image Scanner plugins installed skip to Setup Pipeline Project. Otherwise, continue reading

Install and Configure Jenkins

This example runs Jenkins in a Docker container. It employs jenkinsci/blueocean Docker image since the image contains current LTS release of Jenkins along with most of the required plugins (Blue Ocean, Pipeline and Docker). Docker must be installed on your operating system before you can start using it. For more information about prerequisites and installation options refer to the official docs at https://jenkins.io/doc/book/installing/#docker

$ docker run -u root -d --name jenkins -p 8080:8080 -p 50000:50000 -v /var/run/docker.sock:/var/run/docker.sock -v jenkins-data:/var/jenkins_home jenkinsci/blueocean

Follow the steps in https://jenkins.io/doc/book/installing/#setup-wizard to access the Jenkins instance and complete the setup

Install Anchore Container Image Scanner plugin

Go to Manage Jenkins->Plugin Manager->available tab, search and select Anchore Container Image Scanner, click Download now and install after restart.

Select Restart checkbox to restart Jenkins instance and activate the plugin

Setup Pipeline Project

This section assumes that you have a Jenkins instance running with Blue Ocean, Pipeline, Docker and Anchore Container Image Scanner plugins installed

Login to the Jenkins classic UI and access the Blue Ocean UI by clicking Open Blue Ocean on the left

If your Jenkins instance is new or has no Pipeline projects, then Blue Ocean UI displays a Welcome to Jenkins box with a Create a new Pipeline button. Click the button to start the Pipeline project. If the Blue Ocean UI displays a dashboard view with existing Pipeline projects, click the New Pipeline button on the top right corner.

Select Git from the list of code repositories and enter “https://github.com/nightfurys/anchore-jenkins-example” for the Repository URL. Credentials are optional. Click Create Pipeline

Note: The Pipeline project can also be configured to scan and poll a GitHub repository for commits. For instructions, refer to https://jenkins.io/doc/book/blueocean/creating-pipelines/#for-a-repository-on-github

This should startup a new job that immediately transitions to a paused state

The Pipeline pauses and waits for interactive input, click anywhere on the paused row to navigate to the Configure stage of the Pipeline

To provide the configuration, click Resolve Input and enter the requested input. Enter the details for the Docker registry and repository of your choice for staging the images. Create the credentials to the Docker registry and Anchore Engine. Click Proceed

The Blue Ocean UI displays stages that have completed and the current stage in progress. While waiting on analysis to complete, you can click the dropdown button adjacent to the step to expand details

In this example, Analyze stage uses Anchore plugin for scanning the Docker container image. At the time of analyzing this Docker image, Anchore Engine issued a policy evaluation report with “fail” end result due to the policy in play (which contains a rule that triggers upon finding high severity CVEs in the Docker container image). As a result, Anchore plugin fails the Jenkins build indicated by the Blue Ocean interface turning red

Follow Up

Policy bundles must be created/managed in Anchore Engine, independent of Jenkins. For help with policy bundles refer to https://anchore.freshdesk.com/support/solutions/folders/36000173064

Anchore plugin is configurable and allows the user to supply a Policy Bundle ID to be used by Anchore Engine on policy evaluations. The plugin can also be configured to not fail the Jenkins build on policy evaluation failure if necessary. Pipeline Syntax/Snippet Generator tool is a good way to explore plugin options and tune them according to your requirements

Anchore plugin generates reports that are accessible only from the classic Jenkins UI. Exit the Blue Ocean view by clicking the Go to classic icon at the top right corner

Navigate to the build page in the classic UI and look for Anchore Report icon. Clicking the link should display the Anchore report with Policy and Security tabs

Policy Evaluation Summary and Report

Vulnerabilities List

Conclusion

You’ve just used Anchore Container Image Scanner plugin in a stage defined in the Jenkinsfile. The Pipeline project defined by this Jenkinsfile builds the Docker image with the application and scans the image using Anchore plugin

Jenkinsfile for this Pipeline project along with the Node application is on GitHub  https://github.com/nightfurys/anchore-jenkins-example. You can try out this example as it is without forking the repository. If you are interested in tailoring this example to your use case such as replace the Node application with your own, use predefined configuration instead of interactive input or other customizations, fork the repository and edit the Jenkinsfile and other application code

Download the Anchore Jenkins Plugin Today

Add security and compliance to your CICD container pipeline in minutes with the Anchore Plugin for Jenkins