Jenkins plugin that requests image scans from Smart Check.

Deep Security Smart Check plugin for Jenkins

Provides Jenkins integration with Deep Security Smart Check

Installation

  1. In Jenkins, go to Manage Jenkins > Manage Plugins
  2. Select the "Available" tab
  3. Search for "Deep Security Smart Check"

Usage

In your pipeline script:

withCredentials([
    usernamePassword([
        credentialsId: "example-registry-auth",
        usernameVariable: "REGISTRY_USER",
        passwordVariable: "REGISTRY_PASSWORD",
    ])
]){
    smartcheckScan([
        imageName: "registry.example.com/my-project/my-image",
        smartcheckHost: "smartcheck.example.com",
        smartcheckCredentialsId: "smartcheck-auth",
        imagePullAuth: new groovy.json.JsonBuilder([
            username: REGISTRY_USER,
            password: REGISTRY_PASSWORD,
        ]).toString(),
    ])
}

Parameters

  • smartcheckHost

    • The hostname of the Deep Security Smart Check deployment. Example: smartcheck.example.com
  • insecureSkipTLSVerify

    • Whether the client should ignore certificate errors when connecting to Deep Security Smart Check. You may want to set this if you've configured a self-signed certificate.
  • smartcheckCredentialsId

    • The credentials to authenticate with the Deep Security Smart Check deployment. This must be a "Username with password" credential.
  • imageName

    • The name of the image to scan.
  • imagePullAuth

    • A JSON object of credentials for authenticating with the registry that the image is pulled from. Example:

      smartcheckScan([
          imagePullAuth: new groovy.json.JsonBuilder([
              username: REGISTRY_USER,
              password: REGISTRY_PASSWORD,
          ]).toString(),
          //...
      ])

      See creating a scan in the Deep Security Smart Check API Reference for additional registry credentials options.

  • insecureSkipRegistryTLSVerify

    • Whether Deep Security Smart Check should ignore certificate errors from the image registry.
  • preregistryScan

    • Specify this option to trigger a "pre-registry scan", which pushes the image to a temporary registry on the scan system.
  • preregistryHost

    • The hostname of the temporary registry. Defaults to the smartcheckHost on port 5000.
  • preregistryCredentialsId

    • The credentials to authenticate with the temporary registry. This must be a "Username with password" credential.
  • resultsFile - default: scan-results.json

    • The path to write the scan results to.
  • findingsThreshold

    • A JSON object that can be used to fail this step if an image contains findings that exceed the threshold.

      Example with default values:

      smartcheckScan([
          //...
          findingsThreshold: new groovy.json.JsonBuilder([
              malware: 0,
              vulnerabilities: [
                  defcon1: 0,
                  critical: 0,
                  high: 0,
              ],
              contents: [
                  defcon1: 0,
                  critical: 0,
                  high: 0,
              ],
              checklists: [
                  defcon1: 0,
                  critical: 0,
                  high: 0,
              ],
          ]).toString(),
      ])

      Schema:

      interface FindingsThreshold {
        malware?: number;
        contents?: {
          defcon1?: number;
          critical?: number;
          high?: number;
          medium?: number;
          low?: number;
          negligible?: number;
          unknown?: number;
        };
        vulnerabilities?: {
          defcon1?: number;
          critical?: number;
          high?: number;
          medium?: number;
          low?: number;
          negligible?: number;
          unknown?: number;
        };
        checklists?: {
          defcon1?: number;
          critical?: number;
          high?: number;
          medium?: number;
          low?: number;
          negligible?: number;
          unknown?: number;
        };
      }
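
The following is an added example, not code from the plugin: a threshold evaluator written against the FindingsThreshold schema above, showing which limits a set of finding counts would exceed. It assumes that a key absent from the threshold is not limited and that "exceed" means strictly greater; the sample counts are constructed and reuse the schema's shape, which is not necessarily the layout of scan-results.json.

```typescript
// Added example: not part of the plugin. Types follow the README's schema.
type Severity = "defcon1" | "critical" | "high" | "medium" | "low" | "negligible" | "unknown";
type SeverityCounts = Partial<Record<Severity, number>>;

interface FindingsThreshold {
  malware?: number;
  contents?: SeverityCounts;
  vulnerabilities?: SeverityCounts;
  checklists?: SeverityCounts;
}

// The "default values" shown in the README.
const DEFAULT_THRESHOLD: FindingsThreshold = {
  malware: 0,
  vulnerabilities: { defcon1: 0, critical: 0, high: 0 },
  contents: { defcon1: 0, critical: 0, high: 0 },
  checklists: { defcon1: 0, critical: 0, high: 0 },
};

// Returns one message per limit exceeded; an empty array means the step passes.
// Assumption: a key absent from the threshold is not limited, and a count
// absent from the findings is zero.
function exceededThresholds(findings: FindingsThreshold, threshold: FindingsThreshold): string[] {
  const failures: string[] = [];
  const check = (label: string, count: number | undefined, limit: number | undefined): void => {
    if (limit !== undefined && (count ?? 0) > limit) {
      failures.push(`${label}: ${count} > ${limit}`);
    }
  };
  check("malware", findings.malware, threshold.malware);
  for (const category of ["contents", "vulnerabilities", "checklists"] as const) {
    const limits = threshold[category] ?? {};
    for (const severity of Object.keys(limits) as Severity[]) {
      check(`${category}.${severity}`, findings[category]?.[severity], limits[severity]);
    }
  }
  return failures;
}

// Constructed sample counts (hypothetical; not the format of scan-results.json).
const sampleFindings: FindingsThreshold = {
  malware: 0,
  vulnerabilities: { critical: 1, high: 4, medium: 12 },
  contents: { high: 1 },
};

console.log(exceededThresholds(sampleFindings, DEFAULT_THRESHOLD));
```

With the default threshold the 12 medium vulnerabilities in the sample do not fail the step; adding `medium` to the `vulnerabilities` threshold is what makes them count.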

Pre-registry scanning

Deep Security Smart Check can scan your images before they are pushed to your production registry. If you have enabled pre-registry scanning on your Deep Security Smart Check instance, you can add the preregistryScan and preregistryCredentialsId parameters to the smartcheckScan method:

smartcheckScan([
    imageName: "registry.example.com/my-project/my-image",
    smartcheckHost: "smartcheck.example.com",
    smartcheckCredentialsId: "smartcheck-auth",
    preregistryScan: true,
    preregistryCredentialsId: "preregistry-auth",
])

Development

See DEVELOPMENT.md for instructions on getting started.

Contributing

If you encounter a bug, think of a useful feature, or find something confusing in the docs, please create a new issue!

We ❤️ pull requests. If you'd like to fix a bug, contribute to a feature or just correct a typo, please feel free to do so.

If you're thinking of adding a new feature, consider opening an issue first to discuss it to ensure it aligns to the direction of the project (and potentially save yourself some time!).

Support

Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.
