Kaspersky Industrial CyberSecurity for Linux Nodes

Integration with Jenkins

August 5, 2024

ID 198031

Kaspersky Industrial CyberSecurity for Linux Nodes supports integration with Jenkins. Jenkins Pipeline plug-ins can be used to scan Docker images at different stages. For example, you can scan Docker images in a repository during the development process or before publishing.

To integrate Kaspersky Industrial CyberSecurity for Linux Nodes with Jenkins:

  1. Install Kaspersky Industrial CyberSecurity for Linux Nodes on a Jenkins node.
  2. Install Docker Engine on a Jenkins node.

    For details, please refer to the Docker Engine documentation.

  3. Grant the Kaspersky Industrial CyberSecurity for Linux Nodes administrator privileges to the Jenkins user:

    kics-control --grant-role admin <Jenkins user name>

  4. Add a Jenkins user to the docker group:

    sudo usermod -aG docker <Jenkins user name>

    The user name is usually jenkins.

  5. In Jenkins, create a new build job with the test name (New Item → Enter an item name).


  6. Configure the project according to your needs. The following steps assume that the result is an image or a running container that you need to scan.
  7. To start the Docker container, add the following script to the Jenkins build procedure. If you use Jenkins plug-ins or another way to start Docker containers, save the ID of the running Docker container to the file /tmp/kics_cs_info so that the scan step can find it:

    # Start the container to be scanned and record its ID for the scan step
    TMP_FILE="/tmp/kics_cs_info"
    EXIT_CODE=0

    echo "Start container from image: '${TEST_CONTAINER_IMAGE}'"
    CONTAINER_ID=$(docker run -d -v /storage:/storage "${TEST_CONTAINER_IMAGE}" /storage/docker_process.sh)
    if [ -z "${CONTAINER_ID}" ] ; then
        echo "Cannot start container from image ${TEST_CONTAINER_IMAGE}"
        exit 1
    fi

    # The scan step reads the container ID from this file
    echo "${CONTAINER_ID}" > "${TMP_FILE}"
    exit ${EXIT_CODE}


  8. After the artifacts are built, add the following script to the Jenkins build steps.

    This script scans a single container. If you need to scan more than one, modify it according to your needs.

    TMP_FILE="/tmp/kics_cs_info"
    EXIT_CODE=0

    # The container ID was saved by the container start step
    if [ ! -f "${TMP_FILE}" ] ; then
        echo "Cannot find temporary file with container ID: '${TMP_FILE}'"
        exit 1
    fi
    CONTAINER_ID=$(cat "${TMP_FILE}")
    if [ -z "${CONTAINER_ID}" ] ; then
        echo "Cannot find container ID in the temporary file: '${TMP_FILE}'"
        exit 1
    fi

    echo "Start anti-virus scan for: '${CONTAINER_ID}'"
    # Take the detection count from the "Total detected objects" line of the report;
    # an empty value (no summary line) is treated as a finding, not as a clean scan
    THREATS_AMOUNT=$(kics-control --scan-container "${CONTAINER_ID}" | grep 'Total detected objects' | awk '{print $5}')
    if [ "${THREATS_AMOUNT}" != "0" ] ; then
        echo "ATTENTION! ${THREATS_AMOUNT} threats detected at: '${CONTAINER_ID}'"
        EXIT_CODE=1
    else
        echo "No threats found"
    fi

    # Always remove the scanned container and the temporary file
    echo "Remove container: '${CONTAINER_ID}'"
    docker kill "${CONTAINER_ID}"
    docker rm -f "${CONTAINER_ID}"
    rm -f "${TMP_FILE}"

    # Fail the build step when threats were detected
    exit ${EXIT_CODE}

  9. To scan a Docker image from a repository, use the following script:

    DOCKER_FILE=https://raw.githubusercontent.com/ianmiell/simple-dockerfile/master/Dockerfile
    DOCKER_FILE_FETCHED=$$.Dockerfile
    TEST_IMAGE_NAME=test_image

    echo "Build image from ${DOCKER_FILE}"
    # -f makes curl fail on an HTTP error instead of saving the error page as a Dockerfile
    curl -f "${DOCKER_FILE}" -o "${DOCKER_FILE_FETCHED}"
    if [ -f "${DOCKER_FILE_FETCHED}" ] ; then
        echo "Dockerfile fetched: ${DOCKER_FILE_FETCHED}"
    else
        echo "Dockerfile not fetched"
        exit 1
    fi

    # docker build requires a build context; here it is the current directory
    docker build -f "${DOCKER_FILE_FETCHED}" -t "${TEST_IMAGE_NAME}" . || exit 1

    echo "Scan docker image"
    # Quoted so the shell does not expand the trailing * before kics-control sees it
    SCAN_RESULT=$(/opt/kaspersky/kics/bin/kics-control --scan-container "${TEST_IMAGE_NAME}*")
    echo "Scan done: "
    echo "${SCAN_RESULT}"

  10. Save the build job.
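As an added example, not part of the Kaspersky documentation, the following shell step combines the scan logic of steps 8 and 9 and treats a missing result summary as a failed scan rather than a clean one. It assumes kics-control prints a "Total detected objects" line as the scripts above grep for, and the KICS_CONTROL variable is an assumption that lets the parsing be checked without the product installed.

```shell
#!/bin/bash
# Added example (not Kaspersky's own script): scan one container ID or image
# reference with kics-control and fail the Jenkins step on any detection.
# Assumptions: kics-control prints a "Total detected objects ... N" summary
# line (the line the page's scripts grep for); the path below is the one used
# on the page. KICS_CONTROL can point elsewhere, e.g. to a stub when testing.
set -u

KICS_CONTROL="${KICS_CONTROL:-/opt/kaspersky/kics/bin/kics-control}"

# Read a scan report on stdin and print the detection count.
# Prints "unknown" when the summary line is missing or not numeric, so an
# interrupted scan or a missing binary is never mistaken for a clean result.
detected_objects() {
    local n
    n=$(grep 'Total detected objects' | awk '{print $NF}')
    case "$n" in
        ''|*[!0-9]*) echo "unknown" ;;
        *)           echo "$n" ;;
    esac
}

# Scan one target. Exit status: 0 clean, 1 detections, 2 scan did not complete.
scan_target() {
    local target="$1" report count
    # The exit status of kics-control is not documented on the page, so the
    # verdict is taken from the report text rather than from the status.
    report=$("$KICS_CONTROL" --scan-container "$target" 2>&1) || true
    count=$(printf '%s\n' "$report" | detected_objects)
    case "$count" in
        0)       echo "No threats found in '$target'"; return 0 ;;
        unknown) echo "Scan did not complete for '$target':"
                 printf '%s\n' "$report"; return 2 ;;
        *)       echo "ATTENTION! $count threats detected in '$target'"; return 1 ;;
    esac
}

# Jenkins step: scan the container recorded by the start step, then remove it.
# Returns the scan verdict so the build fails on detections or on a failed scan.
scan_saved_container() {
    local tmp_file="${1:-/tmp/kics_cs_info}" id rc=0
    id=$(cat "$tmp_file" 2>/dev/null) || { echo "No container ID in '$tmp_file'"; return 2; }
    [ -n "$id" ] || { echo "Empty container ID in '$tmp_file'"; return 2; }
    scan_target "$id" || rc=$?
    docker rm -f "$id" >/dev/null 2>&1
    rm -f "$tmp_file"
    return "$rc"
}
```

In the Jenkins build step, call scan_saved_container after the container start step of step 7; the container is removed whether or not the scan found anything, and the step's exit status carries the verdict.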
