This is a Jenkins plugin that scans registry images and local images for security vulnerabilities with the NeuVector Scanner.
- It supports two scan modes: the "Controller & Scanner" mode and the standalone scanner mode. You select the scan mode in the project configuration page; by default, the "Controller & Scanner" mode is used.
For the "Controller & Scanner" mode, you need to install the NeuVector controller and scanner in the network. To scan a local image (an image on the Jenkins machine), the "Controller & Scanner" must be installed on the same node where the image exists.
For the standalone mode, Docker must be installed on the same host as Jenkins. Also, add the jenkins user to the docker group:
```shell
sudo usermod -aG docker jenkins
```
If you run Jenkins as a container, remember to mount a host directory as the Jenkins home, i.e. "-v /var/jenkins_home:/var/jenkins_home":
```shell
docker run -p 8080:8080 -v /var/jenkins_home:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) --name=jenkins jenkins/jenkins:lts
```
If you want to mount a host directory other than "/var/jenkins_home", for example '/home/neuvector/jenkins_home', remember to also add the environment variable "JENKINS_MOUNT_PATH='/home/neuvector/jenkins_home'" so the plugin can locate the Jenkins home on the host:
```shell
docker run -p 8080:8080 -e JENKINS_MOUNT_PATH='/home/neuvector/jenkins_home' -v /home/neuvector/jenkins_home:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) --name=jenkins jenkins/jenkins:lts
```
The equivalent docker-compose service definition:
```yaml
jenkins-node:
  image: jenkins/jenkins:lts
  container_name: jenkins-node
  user: root
  ports:
    - 8080:8080
    - 50000:50000
  volumes:
    - /home/neuvector/jenkins_home:/var/jenkins_home
    - /usr/bin/docker:/usr/bin/docker
    - /var/run/docker.sock:/var/run/docker.sock:ro
  environment:
    - JENKINS_MOUNT_PATH=/home/neuvector/jenkins_home
```
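A preflight script for the standalone-mode prerequisites above (an added example, not part of the plugin). It assumes the Jenkins service user is named jenkins and checks only the host-side requirements listed on this page: the docker binary, the docker socket, group membership, and that JENKINS_MOUNT_PATH is passed whenever the host directory is not /var/jenkins_home.

```shell
#!/bin/sh
# Preflight checks for running the NeuVector standalone scanner from Jenkins.
# Assumption: the Jenkins service user is "jenkins" unless another name is passed.

# Return 0 if user $1 is a member of group $2 (reads supplementary groups too).
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Print the docker run arguments for a given host Jenkins home directory.
# When the host directory is not /var/jenkins_home, the plugin needs
# JENKINS_MOUNT_PATH so the scanner container can find the workspace on the host.
jenkins_run_args() {
    hostdir=$1
    args="-p 8080:8080"
    if [ "$hostdir" != "/var/jenkins_home" ]; then
        args="$args -e JENKINS_MOUNT_PATH=$hostdir"
    fi
    echo "$args -v $hostdir:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock"
}

# Check a bare-metal Jenkins host: prints one line per problem, returns non-zero on failure.
preflight() {
    user=${1:-jenkins}
    rc=0
    command -v docker >/dev/null 2>&1 || { echo "docker not found in PATH"; rc=1; }
    [ -S /var/run/docker.sock ] || { echo "/var/run/docker.sock is missing"; rc=1; }
    in_group "$user" docker || { echo "user $user is not in the docker group"; rc=1; }
    return $rc
}

# Run the checks only when explicitly requested, e.g. RUN_PREFLIGHT=1 sh preflight.sh
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    preflight "${JENKINS_USER:-jenkins}"
fi
```

Group membership only takes effect for new sessions, so restart Jenkins after the usermod command before re-running the checks.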
Setup the configuration in Jenkins
After installing the plugin, you will find the ‘NeuVector Vulnerability Scanner’ section in the global configuration page (Jenkins ‘Configure System’). Enter the values for the "Controller & Scanner" mode, which include the NeuVector Scanner source name, controller IP, port, username, and password. You may click the ‘Test Connection’ button to validate the values; it shows ‘Connection Success’ or an error message.
The timeout (minutes) value terminates the build step once that many minutes have elapsed. The default value of 0 means no timeout is applied.
Enter the values for the standalone scanner mode, which include the NeuVector Scanner Registry URL, NeuVector Scanner Image Repository, NeuVector Scanner Registry User, and NeuVector Scanner Registry Password.
Click ‘Add Registry’ to enter the values for the registry you will use in your project. If you only want to scan local images, you don’t need to add a registry here.
In your project configuration page, choose the 'NeuVector Vulnerability Scanner' plugin from the 'Add build step' drop-down menu. First, check the "Scan with Standalone scanner" checkbox if you want to scan in the standalone scanner mode; by default, the "Controller & Scanner" mode is used. Second, choose 'Local' for a local image scan. For a registry scan, define the registry in the global config page and choose the registry name here. Enter the repository (image) name and tag name; Jenkins default environment variables such as $JOB_NAME, $BUILD_TAG, and $BUILD_NUMBER may be used for the repository or tag. Enter the maximum number of high and medium vulnerabilities, the vulnerability names whose presence fails the build, and the vulnerability names that are exempt from the scan. If you choose "Scan with Standalone", the scan timeout is 10 minutes by default.
When the build finishes, a NeuVector report will be generated.
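The build-gating rules from the project settings above, written out as an added example (not the plugin's own code). The report format is a constructed, simplified stand-in for a scan result, the CVE names are placeholders, and the threshold semantics (fail when High or Medium counts exceed the configured maximum, or when any listed name is present after exemptions) are an assumption about how the settings combine.

```python
"""Build gating mirroring the plugin's project settings (added example, not plugin code)."""
from dataclasses import dataclass, field


@dataclass
class GateConfig:
    max_high: int = 0      # build fails when High findings exceed this count (assumed semantics)
    max_medium: int = 0    # build fails when Medium findings exceed this count (assumed semantics)
    fail_on: set = field(default_factory=set)   # CVE names whose presence fails the build
    exempt: set = field(default_factory=set)    # CVE names removed before any other check


def evaluate(findings, cfg):
    """Return (passed, reasons, counts) for a list of {"name", "severity"} findings."""
    # Exemptions are applied first, so an exempt CVE neither counts nor triggers fail_on.
    active = [f for f in findings if f["name"] not in cfg.exempt]
    counts = {"High": 0, "Medium": 0}
    for f in active:
        if f["severity"] in counts:
            counts[f["severity"]] += 1
    reasons = []
    hits = sorted({f["name"] for f in active} & cfg.fail_on)
    if hits:
        reasons.append("fail-on vulnerabilities present: " + ", ".join(hits))
    if counts["High"] > cfg.max_high:
        reasons.append(f"{counts['High']} High findings exceed limit {cfg.max_high}")
    if counts["Medium"] > cfg.max_medium:
        reasons.append(f"{counts['Medium']} Medium findings exceed limit {cfg.max_medium}")
    return (not reasons, reasons, counts)


# Constructed sample report with placeholder CVE names; not output from a real scan.
SAMPLE_FINDINGS = [
    {"name": "CVE-0000-0001", "severity": "High", "package": "libexample"},
    {"name": "CVE-0000-0002", "severity": "Medium", "package": "libexample"},
    {"name": "CVE-0000-0003", "severity": "Medium", "package": "othertool"},
    {"name": "CVE-0000-0004", "severity": "Low", "package": "othertool"},
]

if __name__ == "__main__":
    cfg = GateConfig(max_high=0, max_medium=1,
                     fail_on={"CVE-0000-0003"}, exempt={"CVE-0000-0001"})
    passed, reasons, counts = evaluate(SAMPLE_FINDINGS, cfg)
    print("PASS" if passed else "FAIL", counts, *reasons, sep="\n")
```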
See GitHub releases
1.22 (Oct 28, 2022)
- Fix Security-2865 / CVE-2022-43434
1.21 (Oct 25, 2022)
- Fix Security-2865 / CVE-2022-43434
1.20 (May 26, 2022)
- Remove the license from the NeuVector Scanner configuration.
1.19 (January 21, 2022)
- add timeout for standalone scanner
- handle the case that the digest field is empty
1.18 (September 08, 2021)
- Enable the local scan on the Jenkins Master and Slave Architecture
1.17.1 (July 27, 2021)
- Update ChangeLogs
1.17 (July 26, 2021)
- Fix the scan problem when Jenkins runs as a container with a host path other than "/var/jenkins_home" mounted
1.16 (July 16, 2021)
- Fix an issue with running the scanner
1.15 (July 07, 2021)
- add HTML output option for the scan result
1.14 (June 23, 2021)
- print the scan summary in the console.
1.13 (April 13, 2021)
- fix the scan error that exists when multiple scanners are running at the same time.
- show the "feed_rating" in the scan result if it is not empty.
1.12 (Feb 18, 2021)
- Provide cause message to the abort runtime exception
- Show the severity numbers in the scan summary report
- Support Customized Severity Rating Scale
1.11 (Feb 01, 2021)
- Support Standalone scanner mode
1.10 (December 11, 2020)
- Show the build user name as anonymous if it doesn't exist
1.9 (September 14, 2020)
- Support to exempt CVE names from Jenkins scan
1.8.1 (March 05, 2020)
- Update ChangeLogs
1.8 (March 04, 2020)
- Migrate to GitHub docs
1.7 (March 03, 2020)
- Add source name to scanner's global setting
- Report Jenkins build user, job name and workspace.
1.6 (September 21, 2019)
- Use secret for password.
1.5 (July 1, 2019)
- Support layer scan.
1.4 (April 16, 2019)
- Support multiple build steps in one Jenkins build.
1.3 (September 24, 2018)
- Update long poll status code.
1.2 (July 20, 2018)
- Update for no scan entity case.
1.1 (July 19, 2018)
- Add no vulnerabilities found case.
1.0 (June 1, 2018)
- First release.