Carbonetes Serverless Container Scanning and Policy Compliance - Jenkins Plugin
About Carbonetes and the Plugin
Carbonetes provides comprehensive container analysis and policy evaluation as a fully managed service. Carbonetes analyzes your container images for native code vulnerabilities, software composition analysis (SCA), license types, a software bill of materials (SBOM), malware, and secrets.
Carbonetes integrates with Jenkins so that the complete container analysis runs as part of your CI/CD process, with the results delivered inside the pipeline itself.
Using the plugin, you can trigger a complete analysis and policy evaluation directly from a job and configure whether the build is marked as failed or passed based on the policy evaluation result.
Getting Started
Prerequisites
- Carbonetes credentials - required for the plugin to work. If you don't have an account, registration is free.
- A connected container registry - if your Carbonetes account does not yet have a container registry connected, connect one before using the plugin, since the plugin analyzes images that are already stored in that registry.
Installation
Install the plugin from Manage Jenkins > Manage Plugins > Available by searching for "Carbonetes Serverless Container Scanning and Policy Compliance".
The plugin can be used as a build step in a Freestyle job or as a step in a Pipeline script; see the GitHub page.
Freestyle Job Configuration
- Navigate to Jenkins New Item, create a Freestyle Job, open the Build tab and choose Carbonetes Serverless Container Scanning and Policy Compliance as a build step.
- In the plugin build options, fill in:
  - Registry URI - the URI of the container registry that is connected to your Carbonetes account.
  - Carbonetes Analysis Timeout - the number of seconds the plugin waits for the complete analysis to finish.
  - Fail to Build on Policy Evaluation FAIL result - if ticked, the build is marked failed when the policy evaluation result is FAILED. Otherwise the policy result is reported but does not affect the build status.
  - Fail to Build on Plugin Error - if ticked, the build is marked failed when the plugin encounters an error. Otherwise the error is ignored and the build continues. Keep this ticked if the scan is meant to act as a gate: with it unticked, an image that could not be scanned still passes the build.
  - Carbonetes Engine Policy Bundle ID - after signing in to Carbonetes, open Policy Bundles in the left sidebar, find the bundle you want, click its copy icon and paste the ID into the plugin configuration. If left empty, the plugin uses the active or default bundle in the list.
  - Repository Name and Image Tag - the repository name and tag of the image the plugin will analyze. All your repositories and images are listed in your container registry.
  - Carbonetes Engine Credentials - the e-mail and password you use to sign in to Carbonetes. The Pipeline step references these by credentialsId, so store them as a Jenkins username/password credential and reference that credential rather than typing the e-mail and password directly into a job configuration or pipeline script.
Pipeline Syntax
A sample snippet that calls the plugin as a step in a Pipeline script. The Jenkins snippet generator (Pipeline Syntax) lists the plugin as a pipeline step and generates this call with the parameters filled in. The parameters map to the Freestyle options above: engineTimeout is the analysis timeout in seconds, failBuildOnPolicyEvaluationFailResult and failBuildOnPluginError are the two fail-the-build options, image is the repository name and tag, and credentialsId is the ID of the Jenkins credential holding the Carbonetes e-mail and password.
```groovy
script {
    carbonetes credentialsId: 'my-credentials',              // Jenkins credential with the Carbonetes e-mail and password
               engineTimeout: 500,                           // analysis timeout in seconds
               failBuildOnPluginError: true,                 // fail the build if the plugin itself errors
               failBuildOnPolicyEvaluationFailResult: true,  // fail the build on a FAILED policy result
               image: 'sample:latest',                       // repository name and tag in the registry
               policyBundleID: '2ac50459-b732-b4959-b778-bd885b88d069',
               registryURI: '12345678910.dkr.ecr.us-west-2.amazonaws.com'
}
```
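A complete declarative Jenkinsfile that builds an image, pushes it to the connected registry and then gates the build on the Carbonetes policy evaluation, using the same step parameters that the Freestyle options describe. This is an added example, not code from the plugin's documentation or from the Carbonetes project. The registry URI is the one from the sample snippet; the repository name 'sample', the Jenkins credential ID 'carbonetes-creds', the use of the Docker CLI on the build agent and tagging the image with the build number are assumptions made for the example.

```groovy
// Added example Jenkinsfile, not part of the plugin's documentation.
// Assumptions: Docker CLI is available on the agent and is already logged in
// to the registry; a Jenkins username/password credential with the ID
// 'carbonetes-creds' holds the Carbonetes e-mail and password.
pipeline {
    agent any

    environment {
        REGISTRY = '12345678910.dkr.ecr.us-west-2.amazonaws.com' // registry URI from the sample snippet
        REPO     = 'sample'                                      // assumed repository name
        TAG      = "${env.BUILD_NUMBER}"                         // one tag per build, so the scan covers exactly this build's image
    }

    stages {
        stage('Build and push') {
            steps {
                // The image has to exist in the connected registry before Carbonetes can analyze it.
                sh "docker build -t ${REGISTRY}/${REPO}:${TAG} ."
                sh "docker push ${REGISTRY}/${REPO}:${TAG}"
            }
        }

        stage('Carbonetes scan and policy evaluation') {
            steps {
                script {
                    // Both fail options are true so the stage fails closed: a FAILED
                    // policy result and a plugin error (for example, bad credentials)
                    // both stop the pipeline instead of letting an unscanned image through.
                    // policyBundleID is omitted, so the active or default bundle is used.
                    carbonetes credentialsId: 'carbonetes-creds',
                               engineTimeout: 500,
                               failBuildOnPluginError: true,
                               failBuildOnPolicyEvaluationFailResult: true,
                               image: "${REPO}:${TAG}",
                               registryURI: "${REGISTRY}"
                }
            }
        }
    }
}
```

Because the scan stage comes after the push, a FAILED policy result stops the pipeline before any later deploy stage, but the image is already in the registry; if the registry is also the deployment source, add a separate promotion step (for example, re-tagging to a release tag) after the scan so that only images with a PASSED result carry the tag that deployments pull.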
Results of the analysis
The plugin reports the following results once the analysis of an image has finished:
- Vulnerabilities - the known vulnerabilities found in the image, with their severity.
- Software Composition Analysis - the third-party software components included in the image that might pose a security risk.
- Licenses - the license found on each software component in the analyzed image, for legal compliance review.
- Malware - malware found in the analyzed image.
- Secrets - secret data (such as credentials or keys) found in the analyzed image.
- Policy Result - the result of the policy evaluation, either PASSED or FAILED. This is the result that the Fail to Build on Policy Evaluation FAIL result option acts on.
- Final Action - the suggested action for the build: STOP, GO, or WARN.