jenkinsci / aqua-microscanner-plugin

Enables scanning of docker builds in Jenkins for OS package vulnerabilities.

Home Page: https://plugins.jenkins.io/aqua-microscanner/

License: Apache License 2.0

Java 97.91% HTML 2.09%
vulnerability-scanner jenkins

aqua-microscanner-plugin's Introduction

Aqua Jenkins MicroScanner Plugin

Enables scanning of docker builds in Jenkins for OS package vulnerabilities.

Prerequisites for the plugin to be operational

  1. Docker must be installed on the same machine as Jenkins. If your job is configured to use a node other than the master node, Docker is required only on the Jenkins build node (slave).

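  2. The jenkins user must be added to the docker group so it has permission to run Docker. Membership in the docker group is effectively root access on that host, so grant it only on the node that runs the builds:

    sudo usermod -aG docker jenkins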

Install and configure the plugin

  1. In Jenkins, select Manage Jenkins and then select Manage Plugins from the list. Make sure that the list of available plugins is up to date.
  2. Select the Available tab, search for Aqua MicroScanner, and select it. Click on Download the Plugin. This will install the plugin.
  3. Follow the instructions here to obtain a token to use the microscanner.
  4. In Jenkins, select Manage Jenkins, then select Configure System. Enter the token value.

Use the plugin

You can use the MicroScanner plugin in the build process in Freestyle and Pipelines jobs. You can configure the job to scan the image during the build process.

Freestyle jobs

In Freestyle jobs add a build step to scan the image with the Aqua MicroScanner, as part of the job configuration.

  1. In Jenkins, in the Configure page for a job, click Add Build Step.
  2. Select Aqua MicroScanner.
  3. Select the action to be taken when high severity vulnerabilities are found in the build. You can optionally include a shell command.
  4. Enter the image name.

Pipeline jobs

In Pipeline jobs, the build step to scan the image with the MicroScanner is included in a pipeline script, as part of the job configuration.

  1. In Jenkins, in the Configure page for a job, scroll to the Pipeline section.
  2. Add a snippet such as the following to the pipeline script, to include a step to scan the image.
  3. Alternatively, you can use the Snippet Generator to create the snippet.
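
The snippet that step 2 refers to did not survive in this copy of the page. The following declarative pipeline is an added example, not the plugin's own snippet: the aquaMicroscanner step and its four parameters are as quoted in the issue report further down this page, while the IMAGE_NAME parameter, its default value, the Dockerfile in the workspace root and the 'fail' value for onDisallowed are assumptions.

```groovy
// Added example, not taken from the plugin's repository.
// Assumed: IMAGE_NAME and its default, a Dockerfile in the workspace root,
// and 'fail' as the onDisallowed value that fails the build
// ('ignore' is the value shown in the issue report on this page).
pipeline {
    // The chosen node needs Docker, and the jenkins user there must be
    // allowed to run it (see the prerequisites above).
    agent any

    parameters {
        string(name: 'IMAGE_NAME',
               defaultValue: 'example/app:latest',   // placeholder value
               description: 'Image to build and scan')
    }

    stages {
        stage('Build image') {
            steps {
                // Single quotes: Jenkins exports build parameters as
                // environment variables, so the shell expands $IMAGE_NAME
                // itself and the value is never spliced into the command
                // text by Groovy string interpolation.
                sh 'docker build -t "$IMAGE_NAME" .'
            }
        }

        stage('Scan image') {
            steps {
                // Scans the image built above for OS package
                // vulnerabilities and writes the HTML report described
                // under "Plugin Output".
                aquaMicroscanner imageName: params.IMAGE_NAME,
                                 notCompliesCmd: '',
                                 onDisallowed: 'fail',
                                 outputFormat: 'html'
            }
        }
    }
}
```

With onDisallowed set to 'ignore', as in the issue report, the scan results are still reported but the step does not gate the build.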

Plugin Output

You can see the results of the scan in the Console Output.

You can also see results of the scan as an HTML page. An artifact named "scanout.html" will be created in the project's workspace. In the Jenkins build menu, select Aqua MicroScanner, and then select the job whose results you wish to see.

Build the plugin (instructions for Ubuntu)

  • If JDK 7 is not installed, install it
     sudo apt-get update
     sudo apt-get install openjdk-7-jdk
  • Install Maven3 (must be 3)

  • Build

    When in the root directory, where pom.xml resides:

     mvn package

Note: the first time this command is invoked, many downloads will occur and it will take quite some time.

Install manually

Copy the target/aqua-docker-scanner.hpi file to $JENKINS/plugins/, where JENKINS is the Jenkins root directory (by default, /var/lib/jenkins/).

Restart Jenkins:

     sudo /etc/init.d/jenkins restart

Publicly release a new version to jenkins-ci.org

See https://wiki.jenkins-ci.org/display/JENKINS/Hosting+Plugins#HostingPlugins-Releasingtojenkinsci.org. It describes several alternatives; use the following:

  1. If not already done, create a settings.xml file with your credentials as described
  2. Execute the following and accept the defaults for the prompts:
    mvn release:prepare release:perform

aqua-microscanner-plugin's People

Contributors

benoitm76, daniel-beck-bot, dgoldhar, fabiodouek, jonasbovin, oranmoshai

aqua-microscanner-plugin's Issues

Jenkins is not passing in token into the plugin

Describe the bug
I have installed version 1.0.6 of Aqua microscanner in our instance of jenkins and have defined the token value in Configure System -> Aqua MicroScanner. However it does not appear to be passing in the token as we are getting the following error in the jenkins logs;

Aqua MicroScanner in progress...
The command '/bin/sh -c ./microscanner ${token} --html' returned a non-zero code: 1
...
ERROR: failed fetching server information: request failed: Get https://microscanner.aquasec.com/api: EOF

To Reproduce
Steps to reproduce the behavior:

  1. Generate a new token; docker run --rm -it aquasec/microscanner --register
  2. Install Aqua MicroScanner plugin version 1.0.6
  3. Define new token in Configure System -> Aqua MicroScanner.
  4. Execute Aqua scan via JenkinsFile command; aquaMicroscanner imageName: image_name, notCompliesCmd: '', onDisallowed: 'ignore', outputFormat: 'html' where imageName is defined inside our jenkinsfile
  5. Execute build in Jenkins

Expected behavior
Aqua scan is completed in the image, and an HTML report is generated

./microscanner: Text file busy issue

Describe the bug
I keep getting non-zero code: 2 error when running scan with the micro-scanner plugin.

To Reproduce
Steps to reproduce the behavior:

  1. Install the plugin.
  2. Run it as a pipeline per the example.
  3. In Console output, see:

[Pipeline] aquaMicroscanner
Aqua MicroScanner in progress...
The command '/bin/sh -c chmod +x microscanner && ./microscanner ${token} --html --continue-on-failure --no-verify' returned a non-zero code: 2
Archiving artifacts
Archiving artifacts
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: Scanning failed.
Finished: FAILURE

  4. scanout.html shows:

Sending build context to Docker daemon 16.38 kB
Step 1/5 : FROM alpine:latest
---> caf27325b298
Step 2/5 : ADD https://get.aquasec.com/microscanner .
---> 39dc268a1695
Removing intermediate container 2f81a400e12b
Step 3/5 : USER 0
---> Running in df4b0815691f
---> c1d9656a589c
Removing intermediate container df4b0815691f
Step 4/5 : ARG token
---> Running in c6f8e603e015
---> aa20b1314490
Removing intermediate container c6f8e603e015
Step 5/5 : RUN chmod +x microscanner && ./microscanner ${token} --html --continue-on-failure --no-verify
---> Running in 4052b616a67d
/bin/sh: ./microscanner: Text file busy

  5. See error

Expected behavior
Should have no error and see the report html.

Additional context

Note: I googled and found this solution:
lukebond/microscanner-wrapper#7

Need this same fix?
stafot/microscanner-wrapper@33ea38c

Passing through parameters into image name

I would like to be able to use parameters in the build step so that I can create a single job to scan images and pass down the image name as a parameter
like so
image

Declarative configuration

Is your feature request related to a problem? Please describe.

I would like to configure Jenkins instances in a declarative way, e.g., by writing Groovy code or by using the Jenkins Configuration as Code (JCasC) plugin and a YAML file.

Describe the solution you'd like

Provide some examples if this is already possible, or implement this as suggested by the JCasC project

Can't register for a token

Hi,
Is the token still open for register? I tried both requesting the token from the website and running the docker per instruction but wasn't able to get the token after waiting more than 12 hours.

Microscanner not cleaning up after itself.

Describe the bug
Leaving tons of containers in stopped state behind the scenes
To Reproduce
Run aqua microscanner jenkins plugin, then run docker ps -a on the host

Expected behavior
Clean itself up when complete
Screenshots
image
