This is a Jenkins Plugin to do security vulnerabilities scanning on registries and local images with the NeuVector Scanner.
- It supports two scan modes. By default, it uses the "Controller & Scanner" mode.
- Standalone mode, run the service inside the docker images
- "Controller & Scanner" mode, run the service inside external controller
- Support running jenkins pod with K8s agent mode from 2.2+
-
For the "Controller & Scanner" mode, you need to install the NeuVector controller and scanner in the network. To scan the local image (the image on the Jenkins machine), the "Controller & Scanner" needs to be installed on the node where the image exists.
-
For the standalone mode, Docker must be installed on the same host with Jenkins. Also, add jenkins user to the docker group.
sudo usermod -aG docker jenkins -
If you run the Jenkins as a container, remember to mount a host directory "-v /var/jenkins_home:/var/jenkins_home"
For example,
docker run -p 8080:8080 -v /var/jenkins_home:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) --name=jenkins jenkins/jenkins:ltsIf you want to mount a host directory which is not "/var/jenkins_home", for example '/home/neuvector/jenkins_home'. Please remember to add an environment variable "JENKINS_MOUNT_PATH='/home/neuvector/jenkins_home'"
For example,
-
docker CLI
docker run -p 8080:8080 -e JENKINS_MOUNT_PATH='/home/neuvector/jenkins_home' -v /home/neuvector/jenkins_home:/var/jenkins_home -v /var/run/docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) --name=jenkins jenkins/jenkins:lts -
docker-compose.yml
jenkins-node: image: jenkins/jenkins:lts container_name: jenkins-node user: root ports: - 8080:8080 - 50000:50000 volumes: - /home/neuvector/jenkins_home:/var/jenkins_home - /usr/bin/docker:/usr/bin/docker - /var/run/docker.sock:/var/run/docker.sock:ro environment: - JENKINS_MOUNT_PATH=/home/neuvector/jenkins_home
-
After installing the plugin, you will find the ‘NeuVector Vulnerability Scanner’ section in the global configuration page (Jenkins ‘Configure System’), and the first section you will see is to configure "Controller & Scanner", then is the Standalone section.
Once you have done the following settings, you may click the ‘Test Connection’ button to validate the values. It will show ‘Connection Success’ or an error message. 
- Enter values for the "Controller & Scanner" mode which includes the NeuVector Scanner source name, controller rest api url, username, and password.
- TLS certificate check will check the consistency of between the certificate you provide in NeuVector Server Certificate and the server. Here is how we find the certificate in your server.
- Access into the pod of the expose cluster
- File location should
/etc/neuvector/certs/ssl-cert.pem - Copy the content and paste it here as the certificate.
- You can disable TLS check by by clicking "Skip TLS certificate check".
- The timeout minutes value will terminate the build step within the time entered. The default value of 0 means no timeout will occur
- Enter values for the standalone scanner mode which includes NeuVector Scanner Registry URL, NeuVector Scanner Image Repository, NeuVector Scanner Registry User, NeuVector Scanner Registry Password.
- Click the ‘Add Registry’ to enter values for the registry you will use in your project. If you just want to scan local images, you don’t need to add a registry here.
In your project configuration page, choose the 'NeuVector Vulnerability Scanner' plugin from the drop down menu in the 'Add build step' / 'pipeline', these two have simiar configure pages. 
- Check the checkbox "Scan with Standalone scanner" if you want to do the scan in the standalone scanner mode. By default, it uses "Controller & Scanner" mode to do the scan.
- Define the registry in the global config page and choose the registry name here. Enter the repository (image) name and tag name. You may choose Jenkins default environment variables for the repository or tag. e.g. $JOB_NAME, $BUILD_TAG, $BUILD_NUMBER.
- Enter the values for the number of high or medium, the vulnerability names that present to fail the build, the vulnerability names that are exempt from the scan. If you choose "Scan with Standalone", the scan timeout is 10 minutes by default.
- Finish the config, go back to the project page then click build. When the build finishes, a NeuVector report will be generated.
Here we provide an example pipeline from our testing machine.
pipeline {
agent {
// kubernetes represent the machine name.
kubernetes {
yaml '''
apiVersion: v1
kind: Pod
spec:
containers:
- name: docker
image: docker:dind
command: ["/bin/sh", "-c"]
args: ["dockerd & sleep infinity"]
securityContext:
privileged: true
runAsUser: 0
imagePullSecrets:
- name: my-dockerhub-secret
'''
}
}
stages {
stage('docker pull') {
steps {
// run the docker we declare above
container('docker') {
script {
neuvector nameOfVulnerabilityToExemptFour: '', nameOfVulnerabilityToExemptOne: '', nameOfVulnerabilityToExemptThree: '', nameOfVulnerabilityToExemptTwo: '', nameOfVulnerabilityToFailFour: '', nameOfVulnerabilityToFailOne: '', nameOfVulnerabilityToFailThree: '', nameOfVulnerabilityToFailTwo: '', numberOfHighSeverityToFail: '', numberOfMediumSeverityToFail: '', registrySelection: 'your registry', repository: 'your repo', scanTimeout: 10, standaloneScanner: true, tag: 'some tag'
}
}
}
}
}
}