diff --git a/jenkins/new-scan-engine/Jenkinsfile-jenkins-plugin b/jenkins/new-scan-engine/Jenkinsfile-jenkins-plugin
index 6f337a4..198d902 100644
--- a/jenkins/new-scan-engine/Jenkinsfile-jenkins-plugin
+++ b/jenkins/new-scan-engine/Jenkinsfile-jenkins-plugin
@@ -3,6 +3,7 @@ pipeline {
         image = "docker.io/myawesomecompany/myawesomeimage" + ":$BUILD_NUMBER"
         registryCredential = "registry-credentials"
         repository = 'https://github.com/sysdiglabs/secure-inline-scan-examples.git'
+        api_endpoint = 'https://eu1.app.sysdig.com'
         myimage = ''
     }
     agent any
@@ -21,7 +22,7 @@ pipeline {
         }
         stage('Scanning Image') {
             steps {
-                sysdigImageScan engineCredentialsId: 'sysdig-secure-api-token', imageName: "docker://" + image, engineURL: 'https://eu1.app.sysdig.com'
+                sysdigImageScan engineCredentialsId: 'sysdig-secure-api-token', imageName: "docker://" + image, engineURL: api_endpoint
             }
         }
         stage('Deploy Image') {
diff --git a/jenkins/new-scan-engine/Jenkinsfile-sysdig-cli-scanner b/jenkins/new-scan-engine/Jenkinsfile-sysdig-cli-scanner
index f2baf13..c23fc72 100644
--- a/jenkins/new-scan-engine/Jenkinsfile-sysdig-cli-scanner
+++ b/jenkins/new-scan-engine/Jenkinsfile-sysdig-cli-scanner
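Review bot: The new `api_endpoint` entry in the `environment` block (first hunk of Jenkinsfile-jenkins-plugin) does not follow the block's naming style — its neighbours `registryCredential` and `repository` are camelCase — and the sibling Jenkinsfile-sysdig-cli-scanner in this same commit exposes the identical value as a build parameter named `SYSDIG_ENDPOINT`, so the two examples now configure the region endpoint in different ways. Consider either renaming it (`apiEndpoint = 'https://eu1.app.sysdig.com'`) or turning it into a `parameters { string(name: 'SYSDIG_ENDPOINT', …) }` entry and passing `engineURL: params.SYSDIG_ENDPOINT` as the other pipeline does. A one-line comment above the value, e.g. `// Region-specific Sysdig endpoint, see https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges`, would help readers pick the right host for their tenant. The `environment` block opens before this hunk.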
@@ -1,18 +1,44 @@
 pipeline {
-    agent any
-    stages {
-        stage('Scan image') {
-            steps {
-                withCredentials([usernamePassword(credentialsId: 'sysdig-secure-api-credentials', passwordVariable: 'SECURE_API_TOKEN', usernameVariable: '')]) {
+    parameters {
+        string(name: 'DOCKER_REPOSITORY', defaultValue: 'sysdigcicd/cronagent', description: 'Name of the image to be built (e.g.: sysdiglabs/dummy-vuln-app)')
+        string(name: 'GIT_REPOSITORY', defaultValue: 'https://github.com/sysdiglabs/secure-inline-scan-examples.git', description: 'Name of the repository with the Dockerfile to be built (e.g.: https://github.com/sysdiglabs/secure-inline-scan-examples.git)')
+        string(name: 'SYSDIG_ENDPOINT', defaultValue: 'https://eu1.app.sysdig.com', description: 'The appropriate Sysdig vulnerability scanning endpoint depending on your region, see https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges (e.g.: https://github.com/sysdiglabs/secure-inline-scan-examples.git)')
+    }
+
+    agent any
+    stages {
+        stage('Cloning Git') {
+            steps {
+                git branch: 'main', url: "${params.GIT_REPOSITORY}"
+            }
+        }
+        stage('Build Image') {
+            steps {
+                sh "docker build -f ./jenkins/new-scan-engine/Dockerfile -t ${DOCKER_REPOSITORY} ./jenkins/new-scan-engine/"
+            }
+        }
+        stage('Scan image') {
+            steps {
+                withCredentials([usernamePassword(credentialsId: 'sysdig-secure-api-token', passwordVariable: 'SECURE_API_TOKEN', usernameVariable: '')]) {
+                    sh '''
+                        VERSION=$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
+                        curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner"
+                        chmod +x ./sysdig-cli-scanner
+                        ./sysdig-cli-scanner --apiurl ${SYSDIG_ENDPOINT} docker://${DOCKER_REPOSITORY}
+                    '''
+                }
+            }
+        }
+        stage('Push Image') {
+
+            steps {
+                withCredentials([usernamePassword(credentialsId: 'registry-credentials', passwordVariable: 'password', usernameVariable: 'username')]){
                     sh '''
-                        VERSION=$(curl -L -s 
https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
-                        curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner"
-                        chmod +x ./sysdig-cli-scanner
-                        ./sysdig-cli-scanner --apiurl https://secure.sysdig.com mongo-express:0.54.0
+                        docker login -u ${username} -p ${password}
+                        docker push ${DOCKER_REPOSITORY}
                     '''
-                }
-            }
-        }
+                }
             }
+        }
     }
 }
diff --git a/jenkins/new-scan-engine/README.md b/jenkins/new-scan-engine/README.md
index 2fc8dcd..9bad124 100644
--- a/jenkins/new-scan-engine/README.md
+++ b/jenkins/new-scan-engine/README.md
@@ -9,11 +9,11 @@ There are two different approaches if using Jenkins to scan container images for
 This [example pipeline](Jenkinsfile-sysdig-cli-scanner) shows how to download and execute the new inline scanner to scan an image.
-It requires to configure a Jenkins credential `sysdig-secure-api-credentials` to store the Sysdig Token (as password)
+It requires to configure a Jenkins credential `sysdig-secure-api-token` to store the Sysdig Token (as password)
 ![Screenshot of Jenkins UI](https://github.com/jenkinsci/sysdig-secure-plugin/raw/main/docs/images/SysdigTokenConfiguration.png)
-Then the scan is performed by downloading the `sysdig-cli-scanner` tool against the `mongo-express:0.54.0` example image.
+Then the scan is performed by downloading the `sysdig-cli-scanner` tool against the example image.
 For a more elaborated example, see the [GitHub](../../github/new-scan-engine/README.md) example.
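Review bot: In the new 'Build Image' stage the build parameter is spliced into the shell script by Groovy interpolation (`sh "docker build … -t ${DOCKER_REPOSITORY} …"`), so a parameter value containing shell metacharacters is executed by the agent's shell as part of the script; the 'Scan image' and 'Push Image' stages already use the safer single-quoted form in which the shell reads the variable from the environment, and this stage should do the same. In 'Push Image', `docker login -u ${username} -p ${password}` places the registry secret on a command line that is visible in the agent's process list (and, if the step runs with the default `-x` trace, is echoed and only masked in the Jenkins console), whereas `--password-stdin` keeps it off argv. The download in 'Scan image' calls `curl` without `-f`, so an HTTP error body would be saved as `sysdig-cli-scanner`, made executable and run; the version is also resolved afresh on every build with no integrity check, so pinning it (and verifying a vendor-published checksum, if one is available) would make the pipeline reproducible. Double-quoting the expansions (`"${SYSDIG_ENDPOINT}"`, `"docker://${DOCKER_REPOSITORY}"`) avoids word splitting on unexpected parameter values.
```groovy
        stage('Build Image') {
            steps {
                // single quotes: the shell reads DOCKER_REPOSITORY from the environment; Groovy no longer splices the parameter into the script text
                sh 'docker build -f ./jenkins/new-scan-engine/Dockerfile -t "$DOCKER_REPOSITORY" ./jenkins/new-scan-engine/'
            }
        }
        // … unchanged: stage('Scan image') wrapper and withCredentials(...) …
                    sh '''
                        VERSION=$(curl -fsSL https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)
                        curl -fsSLO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/${VERSION}/linux/amd64/sysdig-cli-scanner"
                        chmod +x ./sysdig-cli-scanner
                        ./sysdig-cli-scanner --apiurl "${SYSDIG_ENDPOINT}" "docker://${DOCKER_REPOSITORY}"
                    '''
        // … unchanged: stage('Push Image') wrapper and withCredentials(...) …
                    sh '''
                        echo "$password" | docker login -u "$username" --password-stdin
                        docker push "${DOCKER_REPOSITORY}"
                    '''
```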
@@ -29,5 +29,6 @@ The [example pipeline](Jenkinsfile-jenkins-plugin) shows how to use it to build
 Both approaches require a couple of things:
-* A valid Sysdig Secure API token
-* Have access to the image storage, either to the local storage where the image was created or to the registry where it is stored.
\ No newline at end of file
+* A valid Sysdig Secure API token.
+* Have access to the image storage, either to the local storage where the image was created or to the registry where it is stored.
+* The appropriate Sysdig vulnerability scanning endpoint depending on your region, see [the official documentation](https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges).