This repository contains working examples of Jenkins pipeline scripts to illustrate scanning with the ReversingLabs Spectra Assure Portal.
ReversingLabs Spectra Assure Portal is capable of scanning nearly any type of software artifact or package that results from a build.
In this example, we're using the source code and Maven build instructions for the Struts2 showcase web app, which came with Apache Struts v2.5.28.
The following examples are provided in this repository:
- Jenkinsfile
This pipeline script builds the WAR file and scans it using the ReversingLabs rl-scanner-cloud Docker image.
After the file is scanned, analysis reports in JSON, CycloneDX, and SPDX formats are published as a build artifact.
The script requires that you create the RLPORTAL_ACCESS_TOKEN
secret credential within Jenkins to store your Portal access token.
Supported parameters
Name | Required | Type | Description |
---|---|---|---|
RLPORTAL_ACCESS_TOKEN |
Yes | string | A Personal Access Token for authenticating requests to the Spectra Assure Portal. Before you can use this example, you must create the token in your Portal settings. Tokens can expire and be revoked, in which case you'll have to update this value. |
RLPORTAL_SERVER |
Yes | string | Name of the Spectra Assure Portal instance to use for the scan. The Portal instance name usually matches the subdirectory of my.secure.software in your Portal URL. For example, if your portal URL is my.secure.software/demo , the instance name to use with this parameter is demo . |
RLPORTAL_ORG |
Yes | string | Name of the Spectra Assure Portal organization to use for the scan. The organization must exist on the Portal instance specified with RLPORTAL_SERVER . The user account authenticated with the token must be a member of the specified organization and have the appropriate permissions to upload and scan a file. Organization names are case-sensitive. |
RLPORTAL_GROUP |
Yes | string | Name of the Spectra Assure Portal group to use for the scan. The group must exist in the Portal organization specified with RLPORTAL_ORG . Group names are case-sensitive. |
ARTIFACT2SCAN |
Yes | string | The artifact (file) you want to scan. The file must be in any of the formats supported by Spectra Assure. |
The scan in this example will produce the FAIL
CI status.
The pipeline will fail, as the scanner detects 4 critical issues: Found 4 vulnerabilities matching selected criteria.
- The official Spectra Assure Portal documentation
- The official
reversinglabs/rl-scanner-cloud
Docker image on Docker Hub