This is a Jenkins Plugin to do security vulnerabilities scan on registries and local images with NeuVector Scanner.
- It supports two scan modes. The first is "Controller & Scanner" mode. The second is the standalone scanner mode. You can select the scan mode in the project configuration page. By default, it uses the "Controller & Scanner" mode.
For the "Controller & Scanner" mode, you need to install the NeuVector controller and scanner in the network. To scan the local image (the image on the Jenkins machine), the "Controller & Scanner" needs to be installed on the same node where the image exists.
For the standalone mode, Docker must be installed on the same host with Jenkins. Also, add jenkins user to the docker group.
sudo usermod -aG docker jenkins
If you run the Jenkins as a container, remember to mount a host directory "-v /var/jenkins_home:/var/jenkins_home"
docker run -p 8080:8080 -v /var/jenkins_home:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) --name=jenkins jenkins/jenkins:lts
If you want to mount a host directory which is not "/var/jenkins_home", for example '/home/neuvector/jenkins_home'. Please remember to add an environment variable "JENKINS_MOUNT_PATH='/home/neuvector/jenkins_home'"
docker run -p 8080:8080 -e JENKINS_MOUNT_PATH='/home/neuvector/jenkins_home' -v /home/neuvector/jenkins_home:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) --name=jenkins jenkins/jenkins:lts
jenkins-node: image: jenkins/jenkins:lts container_name: jenkins-node user: root ports: - 8080:8080 - 50000:50000 volumes: - /home/neuvector/jenkins_home:/var/jenkins_home - /usr/bin/docker:/usr/bin/docker - /var/run/docker.sock:/var/run/docker.sock:ro environment: - JENKINS_MOUNT_PATH=/home/neuvector/jenkins_home
After installed the plugin, you will find the ‘NeuVector Vulnerability Scanner’ section in the global configuration page (Jenkins ‘Configure System’). Enter values for the "Controller & Scanner" mode which includes NeuVector Scanner source name, controller IP, port, username, and password. You may click the ‘Test Connection’ button to validate the values. It will show ‘Connection Success’ or an error message.
The timeout minutes value will terminate the build step within the time entered. The default value of 0 means no timeout will occur.
Enter values for the standalone scanner mode which includes NeuVector Scanner Registry URL, NeuVector Scanner Image Repository, NeuVector Scanner Registry User, NeuVector Scanner Registry Password.
Click the ‘Add Registry’ to enter values for the registry you will use in your project. If you just want to scan local images, you don’t need to add a registry here.
In your project configuration page, choose the 'NeuVector Vulnerability Scanner' plugin from the drop down menu in the 'Add build step'. Firstly, check the checkbox "Scan with Standalone scanner" if you want to do the scan in the standalone scanner mode. By default, it uses "Controller & Scanner" mode to do the scan. Secondly, choose 'Local' for local image scan. To do a registry scan, you need to define the registry in the global config page and choose the registry name here. Enter the repository (image) name and tag name. You may choose Jenkins default environment variables for the repository or tag. e.g. $JOB_NAME, $BUILD_TAG, $BUILD_NUMBER. Enter the values for the number of high or medium, the vulnerability names that present to fail the build, the vulnerability names that are exempt from the scan. If you choose "Scan with Standalone", the scan timeout is 10 minutes by default.
When the build finishes, a NeuVector report will be generated.
See GitHub releases
- Remove the license from the NeuVector Scanner configuration.
- add timeout for standalone scanner
- handle the case that the digest field is empty
- Enable the local scan on the Jenkins Master and Slave Architecture
- Update ChangeLogs
- solve the scan problem when the jenkins running as a container and mounted a host path other than "/var/jenkins_home"
- fix the scanner running issue
- add HTML output option for the scan result
- print the scan summary in the console.
- fix the scan error that exists when multiple scanners are running at the same time.
- show the "feed_rating" in the scan result if it is not empty.
- Provide cause message to the abort runtime exception
- Show the severity numbers in the scan summary report
- Support Customized Severity Rating Scale
- Support Standalone scanner mode
- Show the build user name as anonymous if it doesn't exist
- Support to exempt CVE names from Jenkins scan
- Update ChangeLogs
- Migrate to GitHub docs
- Add source name to scanner's global setting
- Report Jenkins build user, job name and workspace.
- Use secret for password.
- Support layer scan.
- Support multiple build steps in one Jenkins build.
- Update long poll status code.
- Update for no scan entity case.
- Add no vulnerabilities found case.
- First release.