Jenkins X: Announcing CVE docker image analysis with Anchore

    Anchore provides docker image analysis for user defined acceptance policies to allow automated image validation and acceptance.

    As developers we would like to know if a change we are proposing introduces a Common Vulnerability and Exposure (CVE). As operators we would like to know what running applications are affected if a new CVE is discovered.

    Now in Jenkins X pipelines, if we find an Anchore engine service running we will add the preview and release images to be analyzed. This means we can look at any environment including previews (created from Pull Requests) to see if your application contains a CVE.

    Upgrade

    Start by checking your current Jenkins X version:

    jx version

    If your Jenkins X platform is older than 0.0.903, then first you will need to upgrade to at least 0.0.922:

    jx upgrade cli
    jx upgrade platform

    Install addon

    You can install the Anchore engine addon when you are in your Jenkins X team home environment.

    jx env dev
    jx create addon anchore

    This will install the engine in a seperate anchore namespace and create a service link in the current team home environment so our pipeline builds can add docker images to Anchore for analysis.

    Create an application

    You can now create a new quickstart:

    jx create quickstart

    List any CVEs

    Once the build has run you will be able to check for CVEs in any environment incluing previews created for pull requests.

    jx get cve --environment staging

    Demo

    Here’s a 4 minute video that demonstrates the steps above:

    Upgrading existing pipelines

    If you have an existing application pipeline and and want enable image analysis you can update your Jenkinsfile, in the preview stage after the skaffold step add the line

    sh "jx step validate --min-jx-version 1.2.36"
    sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:$PREVIEW_VERSION"

    In the master stage the add this line after the skaffold step

    sh "jx step validate --min-jx-version 1.2.36"
    sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:\$(cat VERSION)"

    For any questions please find us - we mainly hang out on Slack at #jenkins-x-dev - or see jenkins-x.io/community for other channels.

    About the Author
    James Rawlings
    James Rawlings

    James has a passion for continuous delivery and software automation in general. Continually looking at ways to help improve developers experience for the cloud. James works on the OSS project Jenkins X