Integration with Jenkins
August 5, 2024
ID 198031
Kaspersky Industrial CyberSecurity for Linux Nodes supports integration with Jenkins. Jenkins Pipeline plug-ins can be used to scan Docker images at different stages. For example, you can scan Docker images in a repository during the development process or before publishing.
To integrate Kaspersky Industrial CyberSecurity for Linux Nodes with Jenkins:
- Install Kaspersky Industrial CyberSecurity for Linux Nodes on a Jenkins node.
- Install Docker Engine on a Jenkins node.
For details, please refer to the Docker Engine documentation.
- Grant the Kaspersky Industrial CyberSecurity for Linux Nodes administrator privileges to the Jenkins user:
kics-control --grant-role admin <Jenkins user name>
- Add the Jenkins user to the docker group:
sudo usermod -aG docker <Jenkins user name>
Usually the user name is jenkins. Note that membership in the docker group gives the Jenkins user effective root access on the node, so restrict which jobs are allowed to run on this node.
- In Jenkins, create a new build job named test (New Item → Enter an item name).
- Configure your project according to your needs. It is assumed that the result is an image or a started container that you need to scan.
- To start the Docker container, add the following script to the Jenkins build procedure. If you use Jenkins plug-ins or another way to start Docker containers, save the ID of the running Docker container to the file /tmp/kics_cs_info, for further scanning:
TMP_FILE="/tmp/kics_cs_info"
# TEST_CONTAINER_IMAGE is expected to be set as a job parameter or environment variable.
echo "Start container from image: '${TEST_CONTAINER_IMAGE}'"
CONTAINER_ID=$(docker run -d -v /storage:/storage "${TEST_CONTAINER_IMAGE}" /storage/docker_process.sh)
if [ -z "${CONTAINER_ID}" ] ; then
echo "Cannot start container from image ${TEST_CONTAINER_IMAGE}"
exit 1
fi
# Save the container ID for the scan step that runs after the build.
echo "${CONTAINER_ID}" > "${TMP_FILE}"
exit 0
- After the step that builds the artifacts, add the following script as a further build step of the Jenkins job.
This script scans one container. If necessary, modify the script according to your needs.
TMP_FILE="/tmp/kics_cs_info"
EXIT_CODE=0
if [ ! -f "${TMP_FILE}" ] ; then
echo "Cannot find temporary file with container ID: '${TMP_FILE}'"
exit 1
fi
CONTAINER_ID=$(cat "${TMP_FILE}")
if [ -z "${CONTAINER_ID}" ] ; then
echo "Cannot find container ID in the temporary file: '${TMP_FILE}'"
exit 1
fi
echo "Start anti-virus scan for: '${CONTAINER_ID}'"
# Take the number from the "Total detected objects" line of the report (the awk field depends on the report line format).
THREATS_AMOUNT=$(kics-control --scan-container "${CONTAINER_ID}" | grep 'Total detected objects' | awk '{print $5}')
# An empty value means the scan did not run or the report could not be parsed: fail the build rather than pass it.
if [ -z "${THREATS_AMOUNT}" ] ; then
echo "Scan failed or report could not be parsed for: '${CONTAINER_ID}'"
EXIT_CODE=1
elif [ "${THREATS_AMOUNT}" != "0" ] ; then
echo "ATTENTION! ${THREATS_AMOUNT} threats detected at: '${CONTAINER_ID}'"
EXIT_CODE=1
else
echo "No threats found"
fi
# Always remove the container and the temporary file, then return the scan verdict to Jenkins.
echo "Remove container: '${CONTAINER_ID}'"
docker kill "${CONTAINER_ID}"
docker rm -f "${CONTAINER_ID}"
rm -f "${TMP_FILE}"
exit ${EXIT_CODE}
- To scan a Docker image built from a Dockerfile in a repository, use the following script. It prints the scan report; to fail the build on detections, parse the report the same way as in the previous step:
DOCKER_FILE=https://raw.githubusercontent.com/ianmiell/simple-dockerfile/master/Dockerfile
DOCKER_FILE_FETCHED=$$.Dockerfile
TEST_IMAGE_NAME=test_image
echo "Build image from ${DOCKER_FILE}"
# -f makes curl fail on HTTP errors instead of saving an error page as the Dockerfile.
curl -fsSL "${DOCKER_FILE}" -o "${DOCKER_FILE_FETCHED}"
if [ -f "${DOCKER_FILE_FETCHED}" ] ; then
echo "Dockerfile fetched: ${DOCKER_FILE_FETCHED}"
else
echo "Dockerfile not fetched"
exit 1
fi
# docker build requires a build context; the current directory is used here.
docker build -f "${DOCKER_FILE_FETCHED}" -t "${TEST_IMAGE_NAME}" . || exit 1
rm -f "${DOCKER_FILE_FETCHED}"
echo "Scan docker image"
# Quoting keeps the shell from expanding the trailing * against files in the workspace; it is passed to kics-control as written, to match the image with any tag (e.g. test_image:latest).
SCAN_RESULT=$(/opt/kaspersky/kics/bin/kics-control --scan-container "${TEST_IMAGE_NAME}*")
echo "Scan done: "
echo "${SCAN_RESULT}"
- Save the build job.
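The two build-step scripts above leave a few gaps a practitioner will want closed: the detection count is read from a fixed awk field, an empty count is treated like a number, and the container is only removed if the script reaches its last lines. The following consolidated "Execute shell" step is an added example, not code from the Kaspersky page or product. It scans either the container whose ID the earlier step saved in /tmp/kics_cs_info or an image name mask passed in SCAN_TARGET, extracts the count by matching the "Total detected objects" label rather than a field position, fails the build on detections or on an unusable report, and cleans up through a trap. The kics-control path, the KICS_RUN_SCAN guard variable, SCAN_TARGET, and the sample report lines are assumptions of this example; the real report wording may differ, so check one real report before relying on the pattern.

```shell
#!/bin/bash
# Added example (not from the Kaspersky page). Assumed: kics-control path,
# the KICS_RUN_SCAN / SCAN_TARGET variables, and the report line format
# "Total detected objects: N" that extract_detected_count matches.
set -u

KICS_CONTROL="${KICS_CONTROL:-/opt/kaspersky/kics/bin/kics-control}"
TMP_FILE="${TMP_FILE:-/tmp/kics_cs_info}"

# Print the first number that follows the "Total detected objects" label in a
# report read from stdin. Prints nothing when the label is absent, which the
# caller treats as a failed scan instead of as "no threats".
extract_detected_count() {
    sed -n 's/.*Total detected objects[^0-9]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Turn a report (passed as one argument) into a verdict word:
#   clean        detection count is 0
#   threats:N    N objects detected
#   unusable     no count found (scan error or report format changed)
scan_verdict() {
    local count
    count=$(printf '%s\n' "$1" | extract_detected_count)
    case "${count}" in
        '') echo "unusable" ;;
        0)  echo "clean" ;;
        *)  echo "threats:${count}" ;;
    esac
}

# Remove the container (if one was started) and the ID file on any exit path.
cleanup() {
    if [ -n "${CONTAINER_ID:-}" ]; then
        docker rm -f "${CONTAINER_ID}" >/dev/null 2>&1 || true
    fi
    rm -f "${TMP_FILE}"
}

# The build step itself: returns 0 when clean, 1 on detections, 2 on scan error.
run_scan_step() {
    local target report
    trap cleanup EXIT
    if [ -s "${TMP_FILE}" ]; then
        # Container ID saved by the "start container" build step.
        CONTAINER_ID=$(cat "${TMP_FILE}")
        target="${CONTAINER_ID}"
    else
        # Image name mask, e.g. SCAN_TARGET='test_image*' (assumed job variable).
        target="${SCAN_TARGET:?neither ${TMP_FILE} nor SCAN_TARGET is set}"
    fi
    echo "Start anti-virus scan for: '${target}'"
    report=$("${KICS_CONTROL}" --scan-container "${target}" 2>&1) || {
        echo "kics-control failed:"; echo "${report}"; return 2; }
    echo "${report}"
    case "$(scan_verdict "${report}")" in
        clean)     echo "No threats found"; return 0 ;;
        threats:*) echo "ATTENTION! threats detected at: '${target}'"; return 1 ;;
        *)         echo "Could not read the detection count from the report"; return 2 ;;
    esac
}

# Run only when the Jenkins job sets KICS_RUN_SCAN=1, so the functions can be
# sourced and tested on a machine without docker or kics-control.
if [ "${KICS_RUN_SCAN:-0}" = "1" ]; then
    run_scan_step
    exit $?
fi
```

In the Jenkins job, set KICS_RUN_SCAN=1 in the step's environment and either keep the earlier "start container" step (the ID file is picked up automatically) or set SCAN_TARGET to the image name mask. A non-zero return from run_scan_step fails the build, and the trap removes the container whether the scan passed, failed, or aborted.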