Jenkins Plugin: Jacked
Introduction
Jacked provides organizations with a more comprehensive look at their application to take calculated actions and create a better security approach. Its primary purpose is to scan vulnerabilities to implement subsequent risk mitigation measures.
This jenkins plugin scans a given target and expose vulnerability.
Getting started
This jenkins plugin installs jacked binary tool in the job workspace directory and performs scan.
Auto-install & Update Binary Jacked
The plugin will install the "jacked" binary tool. (Windows and Linux Supported)
- Auto-update: If checked, the binary will automatically update when a new release is available.
- Uses Scoop for Windows
- Uses Shell Script for Linux
Usage as add build step
Plugin Configuration
Output
Provides the following:
- Show a list of packages.
Analyzing BOM: Showing vulnerabilities found and providing recommendations to fix them.- Assessment Result: Pass or Fail based on the selected fail criteria severity type.
- Saves output file on the workspace in every build.
jacked_result_$(JOBNAME)_$(BUILDNUMBER).txt - Saves Stored Values JSON File for Environment Variables.
jackedTmpDir/jacked_file.json
Plugin Configuration Fields and Descriptions
Scan Type
Description: Specified the input on scan field based on the selected scan type.
Option:
Image: Provide the image to be scanned.Directory: Provide the target directory path to be scanned.Tar File: Provide the target tar file path to be scanned.SBOM File: Provide the target Diggity JSON Format SBOM file path to be scanned.
Scan
Input: Image name, Directory path, tar file path, or sbom file path.
Fail Criteria Severity
Description: Select a threshold that will fail the build when equal to or above the severity found in the results.
Option:
- Critical
- High
- Medium
- Low
- Negligible
- Unknown
Ignore Package Names
Usage: Ignore the following package names when scanning. Leave blank if not using.
Example Input Format: dpkg,tar,gzip,...
Ignore CVEs
Usage: Ignore the following CVEs when scanning. Leave blank if not using.
Example Input Format: CVE-2022-24775,CVE-2022-1304,TEMP-0000000-6F6CD4,...
Skip Build Fail
Default value is false / unchecked.
Warning: If the value is checked, it will restrict the plugin from failing the build based on the assessment result.
Skip Database Update
Default value is false / unchecked.
Warning: If the value is checked, it will skip check database update while scanning.
Usage as Pipeline
pipeline {
agent any
stages {
stage('Jacked Scan') {
steps {
script {
jacked scanType: 'image', // Choose Scan Type: image, directory, tar, or sbom.
scanName: 'ubuntu', // Input: Image name, Directory path, tar file path, or sbom file path.
severityType: 'high', // Select a threshold that will fail the build when equal to or above the severity found in the results.
// Severity: critical, high, medium, low, negligible, unknown.
skipFail: false, // Default as false. Skip build to fail based on the assessment.
skipDbUpdate: false, // Default as false. Skip Database Update when scanning.
ignorePackageNames: '', // Ignore Package names when scanning... e.g. input: dpkg,tar,bash,...
ignoreCves: '' // Ignore CVES when scanning... e.g. input: CVE-2022-1271,CVE-2022-3715,CVE-2022-1664,...
}
}
}
}
}
Pipeline Usage Guide: Accessing Stored Values for Your Environment Variable Usage.
Welcome to this guide on accessing stored values for your environment variable usage. In this document, we will explore how you can retrieve and utilize stored values effectively in your environment variables within your applications or scripts.
Why Environment Variables?
Environment variables provide a flexible way to store and manage configuration values that are essential for your applications or scripts. They allow you to separate configuration from code, making it easier to deploy and maintain your software across different environments.
Storing Values in Jenkins
Jenkins is a popular open-source automation server that enables continuous integration and delivery (CI/CD) workflows. It offers various features, including the ability to store and manage environment variables.
Retrieving Stored Values in Jenkins
One common use case is retrieving stored values from Jenkins and utilizing them as environment variables within your pipeline scripts. Jenkins provides convenient methods to access and utilize these values during the build process.
Example: Reading JSON Files
We'll walk you through an example of reading values from a JSON file stored in Jenkins and using them as environment variables. This can be particularly useful for storing and accessing configuration settings or external dependencies.
Conclusion
Understanding how to access stored values for your environment variable usage is crucial for building robust and configurable applications or scripts. By leveraging tools like Jenkins and following best practices, you can streamline your development process and ensure smooth deployments across different environments.
Now, let's dive into the details and learn how to effectively access stored values in your environment variables!
Pipeline Usage Guide: Adding catchError() Block.
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { // Jacked Scan script.. }
In this script, we have added a catchError() block to ensure that all stages within the pipeline are executed, regardless of failures. By default, when a specific stage fails, the pipeline skips all subsequent stages. However, with the catchError() block in place, this behavior is overridden.
Since we are utilizing a vulnerability scanner, it is expected that the build may fail based on the assessment results. This is important to inform users that vulnerabilities have been detected and need to be addressed.
Here's what it looks like when the catchError block added on our pipeline script:
stage('Jacked Scan') {
steps {
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { // Prevents other stages to be skipped when JACKED ASSESSMENT is failed
script {
jacked scanType: 'images', // Choose Scan Type: image, directory, tar, or sbom.
scanName: 'alpine', // Input: Image name, Directory path, tar file path, or sbom file path.
severityType: 'high', // Select a threshold that will fail the build when equal to or above the severity found in the results.
// Severity: critical, high, medium, low, negligible, unknown.
skipFail: false, // Default as false. Skip build to fail based on the assessment.
skipDbUpdate: false, // Default as false. Skip Database Update when scanning.
ignorePackageNames: '', // Ignore Package names when scanning... e.g. input: dpkg,tar,bash,...
ignoreCves: '' // Ignore CVES when scanning... e.g. input: CVE-2022-1271,CVE-2022-3715,CVE-2022-1664,...
}
}
}
}
Once implemented we are now ready to add more stages based on your usage to our pipeline script.
Pipeline Usage Guide: Adding Read JSON File Stage to Access Stored Values for Environment Variable Usage.
NOTE: Prerequisite Plugin: Pipeline Utility Steps 2.15.4 or higher to access readJSON
In this pipeline script, we have included a stage called "Read JSON" to facilitate the extraction of stored values from a JSON file and utilize them as environment variables. This stage allows you to access multiple values from the JSON file and incorporate them into your pipeline's environment.
By using the readJSON step, we can retrieve various values from the JSON file and assign them to variables. In addition to the "buildStatus" value, we can also extract other key-value pairs such as "jackedAssessment,", "assessmentSummary" "scanType," and "scanName" from the JSON file.
def jackedFilePath = "${env.WORKSPACE}/jackedTmpDir/jacked_file.json"
def json = readJSON file: jackedFilePath
def jackedAssessment = json.jackedAssessment
def assessmentSummary = json.assessmentSummary
def scanType = json.scanType
def scanName = json.scanName
def buildStatus = json.buildStatus
// Optional: Display Value, File Path
echo "Build Status: ${buildStatus}"
echo "File path: ${jackedFilePath}"
// Set the value as a global environment variable
env.BUILD_STATUS = buildStatus
env.jackedAssessment = jackedAssessment
env.assessmentSummary = assessmentSummary
env.scanType = scanType
env.scanName = scanName
Once the values are extracted, we can echo them to provide visibility and confirmation of the retrieved data. Furthermore, these values can be set as global environment variables, allowing you to utilize them across different stages or post-processing actions within your pipeline.
// Set the value as a global environment variable
env.BUILD_STATUS = buildStatus
env.jackedAssessment = jackedAssessment
env.assessmentSummary = assessmentSummary
env.scanType = scanType
env.scanName = scanName
// Optional: Display Value
echo "Build Status: ${buildStatus}"
// Display File Path
def jackedFilePath = "${env.WORKSPACE}/jackedTmpDir/jacked_file.json"
echo "File path: ${jackedFilePath}"
Accessing JSON Stored Key-value Pairs for Environment Variables.
stage('Read JSON') {
steps {
script {
def jackedFilePath = "${env.WORKSPACE}/jackedTmpDir/jacked_file.json"
def json = readJSON file: jackedFilePath
def jackedAssessment = json.jackedAssessment
def assessmentSummary = json.assessmentSummary
def scanType = json.scanType
def scanName = json.scanName
def buildStatus = json.buildStatus
// Optional: Display Value, File Path
echo "Build Status: ${buildStatus}"
echo "File path: ${jackedFilePath}"
// Set the value as a global environment variable
env.BUILD_STATUS = buildStatus
env.jackedAssessment = jackedAssessment
env.assessmentSummary = assessmentSummary
env.scanType = scanType
env.scanName = scanName
}
}
}
With the flexibility provided by the "Read JSON" stage, you can effortlessly access and utilize multiple stored values from a JSON file, empowering you to customize your pipeline's behavior based on the extracted information.
Here's the overall script guide from Jacked Scan Stage and Read JSON for Environment Variables.
pipeline {
agent any
stages {
stage('Jacked Scan') {
steps {
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
script {
jacked scanType: 'image', // Choose Scan Type: image, directory, tar, or sbom.
scanName: 'alpine', // Input: Image name, Directory path, tar file path, or sbom file path.
severityType: 'high', // Select a threshold that will fail the build when equal to or above the severity found in the results.
// Severity: critical, high, medium, low, negligible, unknown.
skipFail: false, // Default as false. Skip build to fail based on the assessment.
skipDbUpdate: false, // Default as false. Skip Database Update when scanning.
ignorePackageNames: '', // Ignore Package names when scanning... e.g. input: dpkg,tar,bash,...
ignoreCves: '' // Ignore CVES when scanning... e.g. input: CVE-2022-1271,CVE-2022-3715,CVE-2022-1664,...
}
}
}
}
stage('Read JSON') {
steps {
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') {
script {
def jackedFilePath = "${env.WORKSPACE}/jackedTmpDir/jacked_file.json"
def json = readJSON file: jackedFilePath
def jackedAssessment = json.jackedAssessment
def assessmentSummary = json.assessmentSummary
def scanType = json.scanType
def scanName = json.scanName
def buildStatus = json.buildStatus
// Optional: Display Value, File Path
echo "Build Status: ${buildStatus}"
echo "File path: ${jackedFilePath}"
// Set the value as a global environment variable
env.BUILD_STATUS = buildStatus
env.jackedAssessment = jackedAssessment
env.assessmentSummary = assessmentSummary
env.scanType = scanType
env.scanName = scanName
}
}
}
}
}
post {
always {
// Access the global environment variable
echo "jackedAssessment: ${env.jackedAssessment}"
echo "assessmentSummary: ${env.assessmentSummary}"
echo "scanType: ${env.scanType}"
echo "scanName: ${env.scanName}"
echo "Build Status: ${env.BUILD_STATUS}"
}
}
}
Here's a sample of the stored values inside a JSON file named jacked_file.json that is generated inside workspace directory name: jackedTmpDir.
{
"scanName":"ubuntu",
"jackedAssessment":"failed",
"assessmentSummary":"Failed: 6 out of 10 found vulnerabilities failed the assessment",
"scanType":"image",
"buildStatus":"failed"
}
LICENSE
Licensed under MIT, see LICENSE