Configuring integration with Jenkins CI/CD

Configuring integration with Jenkins CI / CD consists of the following steps:

  1. Authorization of Jenkins CI/CD in the image registry of the Kaspersky Container Security manufacturer. To do so, on the cluster operator's workstation, prepare a Base64 hash of the authorization data by running the following command:

    printf "login:password" | openssl base64 -A

    where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

  2. Authorization of Kaspersky Container Security API. To perform authorization, complete the following steps:
    1. Copy the API token on the My profile page.
    2. Specify the copied API token value in the API_TOKEN variable in the Jenkinsfile configuration file.
  3. Authentication of the data receipt server in CI/CD using the CA certificate of the Ingress controller. To perform authentication, in the Jenkinsfile configuration file, specify one of the following variables:
    1. -e API_CA_CERT=${KCS_CA_CERT} means the authentication is performed, and the scanner started in CI/CD can make sure the receiving server is authentic.
    2. -e SKIP_API_SERVER_VALIDATION=true means authentication of the receiving server using the CA certificate of the Ingress controller is not performed.
  4. Creating Jenkins environment variables.

    To create environment variables, add the following lines to Jenkinsfile:

    1. Add information about the container registry where the scanner is located as follows:

      LOGIN: the name of the account in the scanner registry

      PASS: the password for the scanner registry

    2. If you configure scanning for a private repository, specify the following authorization data to ensure the scanner access to an image:

      COMPANY_EXT_REGISTRY_USERNAME: the name of the account in the registry of the scanned image

      COMPANY_EXT_REGISTRY_PASSWORD: the password for the registry of the image being scanned

  5. Adding information to start the scanner. Information for starting the scanner that contains databases of vulnerabilities and other malicious objects is added to the Jenkinsfile configuration file in the form of a declarative or scripted pipeline.

    Example of information for starting the scanner in the form of a declarative pipeline

    Example of data for starting a scanner in the form of a scripted pipeline

  6. Generating an artifact for downloading.

    You can generate an artifact for downloading in the .HTML, or .JSON format to receive the scan results. You can specify an artifact format in --stout as follows:

    pipeline {

    agent any

    stages {

    stage('run scanner') {

    steps {

    sh 'docker login -u ${LOGIN} -p ${PASS} company.example.com'

    sh 'docker run -e API_BASE_URL=https://kcs.int.company.com -e SKIP_API_SERVER_VALIDATION=true -e API_TOKEN=${API_TOKEN} -e COMPANY_EXT_REGISTRY_USERNAME=${COMPANY_EXT_REGISTRY_USERNAME} -e COMPANY_EXT_REGISTRY_PASSWORD=${COMPANY_EXT_REGISTRY_PASSWORD} company.example.com:5050/company/kcs/scanner:v1.2.1-lite jfrog.company.com/demo-kcs/bad:bad-project-test --html --stdout > result.html'

    }

    }

    stage('archive') {

    steps {

    archiveArtifacts artifacts: 'result.html'

    }

    }

    }

    }

    To generate a .JSON artifact, rewrite the --html --stdout> result.html' line in the example above as follows:

    --json --stdout > result.json',

    and in the archiveArtifacts artifacts line, specify the file name in the defined format: 'result.json'.

    Scan results can be obtained in the format you specified and can also be viewed in the ResourcesCI/CD section.

Page top