Kaspersky Container Security

Configuring integration with Jenkins CI/CD

3 July 2024

ID 271087

Configuring integration with Jenkins CI/CD consists of the following steps:

  1. Authorization of Jenkins CI/CD in the image registry of the Kaspersky Container Security manufacturer. To do so, on the cluster operator's workstation, prepare the Base64-encoded authorization data by running the following command:

    printf "login:password" | openssl base64 -A

    where login and password are the user name and password of an account in the image registry of the Kaspersky Container Security manufacturer.

  2. Authorization of Kaspersky Container Security API. To perform authorization, complete the following steps:
    1. Copy the API token on the My profile page.
    2. Specify the copied API token value in the API_TOKEN variable in the Jenkinsfile configuration file.
  3. Authentication of the data receipt server in CI/CD using the CA certificate of the Ingress controller. To perform authentication, in the Jenkinsfile configuration file, specify one of the following variables:
    1. -e API_CA_CERT=${KCS_CA_CERT} means the authentication is performed, and the scanner started in CI/CD can make sure the receiving server is authentic.
    2. -e SKIP_API_SERVER_VALIDATION=true means authentication of the receiving server using the CA certificate of the Ingress controller is not performed.
  4. Creating Jenkins environment variables.

    To create environment variables, add the following lines to Jenkinsfile:

    1. Add information about the container registry where the scanner is located as follows:

      LOGIN: the name of the account in the scanner registry

      PASS: the password for the scanner registry

    2. If you configure scanning for a private repository, specify the following authorization data to give the scanner access to the image:

      COMPANY_EXT_REGISTRY_USERNAME: the name of the account in the registry of the scanned image

      COMPANY_EXT_REGISTRY_PASSWORD: the password for the registry of the image being scanned

  5. Adding information to start the scanner. Information for starting the scanner that contains databases of vulnerabilities and other malicious objects is added to the Jenkinsfile configuration file in the form of a declarative or scripted pipeline.

    Example of information for starting the scanner in the form of a declarative pipeline

    Example of data for starting a scanner in the form of a scripted pipeline

  6. Generating an artifact for downloading.

    You can generate an artifact for downloading in the .HTML or .JSON format to receive the scan results. You can specify the artifact format together with --stdout as follows:

    pipeline {
        agent any
        stages {
            stage('run scanner') {
                steps {
                    sh 'docker login -u ${LOGIN} -p ${PASS} company.example.com'
                    sh 'docker run -e API_BASE_URL=https://kcs.int.company.com -e SKIP_API_SERVER_VALIDATION=true -e API_TOKEN=${API_TOKEN} -e COMPANY_EXT_REGISTRY_USERNAME=${COMPANY_EXT_REGISTRY_USERNAME} -e COMPANY_EXT_REGISTRY_PASSWORD=${COMPANY_EXT_REGISTRY_PASSWORD} company.example.com:5050/company/kcs/scanner:v1.1.1-lite jfrog.company.com/demo-kcs/bad:bad-project-test --html --stdout > result.html'
                }
            }
            stage('archive') {
                steps {
                    archiveArtifacts artifacts: 'result.html'
                }
            }
        }
    }

    To generate a .JSON artifact, rewrite the --html --stdout > result.html' part of the line in the example above as follows:

    --json --stdout > result.json'

    In the archiveArtifacts artifacts line, specify the file name in the defined format: 'result.json'.

    Scan results can be obtained in the format you specified and can also be viewed in the Resources → CI/CD section.
