Difficulty: medium
Estimated Time: 40 minutes

In this scenario we will deploy Jenkins, set up the configuration required for the Sysdig Secure plugin integration, and run an image build and scan in a pipeline. The pipeline will fail because of errors in the built image and because of vulnerabilities found in it.

We will also see the full report in Sysdig Secure, and we will create an alert that informs us when an image scan has failed.

Goals

  • Explore how we integrate Jenkins with Sysdig Secure through a plugin.
    • How to configure Jenkins for the plugin usage.
    • How to execute the pipeline.
    • See the full report in Jenkins and Sysdig Secure.
  • Be able to find vulnerabilities in our images, as well as mistakes in how the images were built.
    • Spot operating system vulnerabilities.
    • Spot application library vulnerabilities.
    • Spot unwanted exposed ports, or packages that should not be installed.

Competencies required

The student needs to understand the basic concepts of Jenkins usage, although this lab covers the set-up and usage for a simple case step by step. In production, Jenkins is a bigger application that needs more configuration than what is described in this lab.

Image Scanning and CI/CD Pipeline

Step 1 of 10

Introduction to the components

Jenkins

Jenkins is an automation server that provides a solution for building, deploying and automating any project. With it, one can run Continuous Integration and Continuous Delivery tasks on demand, or schedule them to run periodically.

Continuous Integration (CI) is a practice in which the project is built and tested as developers make changes to it. With this methodology, all developers' feature branches are merged into a shared mainline branch several times a day. This avoids "integration hell" and prevents one developer's work in progress from breaking another developer's copy.

Continuous Delivery (CD) aims at building, testing, and releasing software with greater speed and frequency. Most deployments are repetitive, so automating them makes the deployment process more reliable and avoids wasting time.

Image Scanning

One of the last steps of the Continuous Integration pipeline is building the container images that will be pulled and executed in our environment. Whether you are building Docker images from your own code or using unmodified third-party images, it is important to identify any known vulnerabilities that may be present in those images.

Docker images are composed of several immutable layers. Each layer is basically a diff over the previous one that adds files and other changes, and each layer is associated with a unique hash id.

The container image scanning process typically includes:

  • Checking the software packages, binaries, libraries, operating system files, etc. against one or more well-known vulnerability databases. Some Docker scanning tools have a repository containing the scanning results for common Docker images that can be used as a cache to speed up the process.
  • Analyzing the Dockerfile and image metadata to detect security-sensitive configurations such as running as the privileged (root) user, exposing insecure ports, using base images tagged with “latest” rather than specific versions for full traceability, etc.
  • User-defined policies, or any set of requirements that you want to check for every image, such as software package blacklists, base image whitelists, whether a SUID file has been added, etc.

Sysdig allows developers to perform detailed analysis of their container images, run queries, produce reports and define policies that can be used in CI/CD pipelines.
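
To make the Dockerfile and policy checks listed above concrete, here is a small added example (not Sysdig's scanner and not part of this lab's code) that implements a few of them as a pipeline gate: a base image on the "latest" tag, a container that never switches away from root, exposed ports considered insecure, and installed packages from a blacklist. The port set, package blacklist and sample Dockerfiles are constructed lab values.

```python
import re

# Constructed lab policy values (assumptions, not Sysdig defaults).
INSECURE_PORTS = {21, 23, 2375}                  # ftp, telnet, unauthenticated docker API
PACKAGE_BLACKLIST = ("netcat", "openssh-server", "telnet")
PKG_INSTALL = r"\b(apt-get|apk|yum)\s+(install|add)\b.*\b{}\b"

def check_dockerfile(text):
    """Return (severity, message) findings for a Dockerfile given as a string."""
    findings, last_user = [], None
    for line in re.sub(r"\\\n", " ", text).splitlines():  # join line continuations
        instr, _, args = line.strip().partition(" ")
        instr = instr.upper()
        if instr == "FROM" and "@sha256:" not in args:  # digest-pinned images are fine
            image = args.split()[0]                  # drop "AS stage" aliases
            name = image.split("/")[-1]              # so "host:5000/app" is not read as a tag
            if name.partition(":")[2] in ("", "latest"):
                findings.append(("warn", f"base image {image} uses the 'latest' tag"))
        elif instr == "USER":
            last_user = args.strip().split(":")[0]   # "user:group" -> user
        elif instr == "EXPOSE":
            for port in args.split():
                if int(port.split("/")[0]) in INSECURE_PORTS:
                    findings.append(("high", f"exposes insecure port {port}"))
        elif instr == "RUN":
            for pkg in PACKAGE_BLACKLIST:
                if re.search(PKG_INSTALL.format(re.escape(pkg)), args):
                    findings.append(("high", f"installs blacklisted package {pkg}"))
    if last_user in (None, "root", "0"):
        findings.append(("high", "runs as root: no non-root USER instruction"))
    return findings

def pipeline_gate(findings):
    """True when the build may proceed, i.e. there is no 'high' severity finding."""
    return not any(sev == "high" for sev, _ in findings)

# Constructed sample Dockerfiles for the lab.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y \\
    curl telnet
EXPOSE 8080 23
"""
GOOD_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y curl && useradd -r app
USER app
EXPOSE 8080
"""
```

Running `check_dockerfile(BAD_DOCKERFILE)` yields four findings (latest tag, telnet package, port 23, root user) and `pipeline_gate` returns False, which is the condition a pipeline stage would use to fail the build; the hardened Dockerfile passes with no findings.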