Vdoo Analysis is a Jenkins plugin that enables Jenkins users to test their images using Vdoo automated security analysis platform as a part of their CI/CD process.
-
To configure your Jenkins project, first add “Vdoo Analysis Plugin” as a build step to your build.
-
Vision API token is a token that can be generated from Vdoo Analysis Platform's UI in the User Profile page, under ”Privacy & Security” page. Make sure to store the generated token in a secure manner.
-
Wait for Analysis Results determines whether your build pipeline will wait for Vdoo Analysis to complete before moving to the next build step. If this option is not checked, you'll be able to see the report in Vdoo Analysis Platform's web UI or by queries APIs.
-
Maximal Allowed Threat Level is the threat level value that if exceeded, Vdoo Analysis Plugin will fail the build. If the value is set to "None", this setting isn't considered when deciding whether to fail the build. Note: this setting is only relevant if Wait for Analysis Results is checked.
-
Maximal # of Highlighted issues is the value that if exceeded, Vdoo Analysis Plugin will fail the build. If the value is left empty, this setting isn't considered when deciding whether to fail the build. Note: this setting is only relevant if Wait for Analysis Results is checked.
-
Maximal # of Highlighted Exposures is the value that if exceeded, Vdoo Analysis Plugin will fail the build. If the value is left empty, this setting isn't considered when deciding whether to fail the build. Note: this setting is only relevant if Wait for Analysis Results is checked.
-
Maximal # of Highlighted CVEs is the value that if exceeded, Vdoo Analysis Plugin will fail the build. If the value is left empty, this setting isn't considered when deciding whether to fail the build. Note: this setting is only relevant if Wait for Analysis Results is checked.
-
Maximal # of Malicious Files is the value that if exceeded, Vdoo Analysis Plugin will fail the build. If the value is left empty, this setting isn't considered when deciding whether to fail the build. Note: this setting is only relevant if Wait for Analysis Results is checked.
-
Artifact ID determines to which of your artifacts the analyzed images are uploaded. Artifact IDs can be found in Vdoo Analysis Platform's artifact inventory.
-
Image Location is the path of the image that will be uploaded to Vdoo Analysis Platform. The behaviour of this value:
- The path is first tried as an absolute path. This will only work if the file is on the master node. This behaviour will be deprecated in favour of:
- The path is then tried as a relative path to the workspace. This supports both the case of running on the master node and of running on an agent node.
-
Under advanced options you can find the Base Vision API URL field that you should only change if your Vision url is different from
vision.vdoo.com
. Default value:https://prod.vdoo.io
. Find the Base URL of your deployment in the About popup.
Once configured properly, the plugin will trigger a Vdoo analysis on every pipeline run. If the Wait for Analysis Results option is checked - the plugin will periodically poll Vdoo Analysis Platform for the status, printing it to the console. When the analysis is completed, Vdoo Scan Report is added to the navigation pane of Jenkins. In the Vdoo Scan Report page, you'll have direct access to the report in Vdoo Analysis Platform's UI, and a link to the report in Vdoo Analysis platform.
If Wait for Analysis Results isn't checked, the image will be uploaded to Vdoo Analysis platform and the image UUID is printed to the console, to be used in future API calls.
Vdoo welcomes community contribution through pull requests.
Licensed under Apache-2.0 License, see LICENSE