Jenkins X: Announcing CVE docker image analysis with Anchore
Anchore provides docker image analysis for user defined acceptance policies to allow automated image validation and acceptance.
As developers we would like to know if a change we are proposing introduces a Common Vulnerability and Exposure (CVE). As operators we would like to know what running applications are affected if a new CVE is discovered.
Now in Jenkins X pipelines, if we find an Anchore engine service running we will add the preview and release images to be analyzed. This means we can look at any environment including previews (created from Pull Requests) to see if your application contains a CVE.
Upgrade
Start by checking your current Jenkins X version:
jx version
If your Jenkins X platform is older than 0.0.903, then first you will need to upgrade to at least 0.0.922:
jx upgrade cli
jx upgrade platform
Install addon
You can install the
Anchore engine addon
when you are in your Jenkins X team home
environment.
jx env dev
jx create addon anchore
This will install the engine in a seperate anchore
namespace
and create a service link in the current team home
environment
so our pipeline builds can add docker images to Anchore for analysis.
Demo
Here’s a 4 minute video that demonstrates the steps above:
Upgrading existing pipelines
If you have an existing application pipeline and and want enable image analysis you can update your Jenkinsfile,
in the preview
stage after the skaffold step add the line
sh "jx step validate --min-jx-version 1.2.36"
sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:$PREVIEW_VERSION"
In the master
stage the add this line after the skaffold step
sh "jx step validate --min-jx-version 1.2.36"
sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:\$(cat VERSION)"
For any questions please find us - we mainly hang out on Slack at #jenkins-x-dev - or see jenkins-x.io/community for other channels.