Jenkins can integrate with NeuVector for image scanning through the NeuVector Vulnerability Scanner Jenkins Plugin.
Reference: https://plugins.jenkins.io/neuvector-vulnerability-scanner/
The plugin supports two scan modes:
- Standalone mode: to scan a local image (that is, an image on the Jenkins machine), the Controller & Scanner must be installed on the node where that image resides.
- Controller & Scanner mode (default): NeuVector's Controller and Scanner must be installed in the network.
Installing Jenkins
Reference: https://www.jenkins.io/doc/book/installing/kubernetes/#install-jenkins-with-helm-v3
```bash
helm repo add jenkins https://charts.jenkins.io
helm repo update
helm -n jenkins upgrade --install jenkins jenkins/jenkins --create-namespace
```
Installing and configuring the NeuVector Vulnerability Scanner Jenkins Plugin
In Jenkins -> Manage Jenkins -> Plugins, search for the plugin and install it:

After installation, configure it under Jenkins -> Manage Jenkins -> System.



Scanning via a Build Step
New Item -> Freestyle project, then add a Build Step:


View the report once the scan has finished:

Scanning via a Pipeline
The scan pulls the image from the image registry through a dind container. If the registry uses HTTPS with a self-signed certificate, additional configuration is needed to trust that certificate manually:
```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
data:
  daemon.json: |
    {
      "insecure-registries" : [ "0.0.0.0/0" ]
    }
kind: ConfigMap
metadata:
  name: dind-daemon-config
  namespace: jenkins
EOF
```
Pipeline Script:
```groovy
pipeline {
  agent {
    kubernetes {
      yaml '''
apiVersion: v1
kind: Pod
spec:
  volumes:
    - name: docker-config
      configMap:
        name: dind-daemon-config
        items:
          - key: daemon.json
            path: daemon.json
  containers:
    - name: dind
      image: harbor.warnerchen.com/library/docker:dind
      command: ["/bin/sh", "-c"]
      args: ["dockerd & sleep infinity"]
      securityContext:
        privileged: true
        runAsUser: 0
      volumeMounts:
        - name: docker-config
          mountPath: /etc/docker/daemon.json
          subPath: daemon.json
'''
    }
  }
  stages {
    stage('NV Image Scan') {
      steps {
        container('dind') {
          script {
            neuvector controllerEndpointUrlSelection: 'RKE2 Cilium NV', registrySelection: 'Harbor', repository: 'library/nginx', scanTimeout: 10, standaloneScanner: false, tag: 'mainline'
          }
        }
      }
    }
  }
}
```
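A caveat on the dind configuration used above: `"insecure-registries": ["0.0.0.0/0"]` does not trust the registry's certificate, it makes dockerd skip TLS verification (and allow plaintext HTTP fallback) for every registry address, so the scanner would accept a tampered image from anyone able to interpose on the pull. The following is an added example, not part of the original post, that scopes trust to the one registry by mounting its CA certificate where dockerd looks for it; it assumes the Harbor CA certificate (or, for a self-signed setup, the server certificate itself) is available as PEM, and the certificate body below is a placeholder. The Pod document replaces the yaml in the pipeline's `agent { kubernetes { yaml ''' ... ''' } }` block, and the daemon.json override is no longer needed.

```yaml
# Added example (not from the original post): trust only the registry's own CA
# instead of disabling TLS verification for every registry.
# Assumes the Harbor CA certificate is available as PEM; the body is a placeholder.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-ca
  namespace: jenkins
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: paste the PEM body of the Harbor CA certificate here>
    -----END CERTIFICATE-----
---
# Agent pod template for the Pipeline: replaces the yaml block in
# agent { kubernetes { yaml ''' ... ''' } }.
apiVersion: v1
kind: Pod
spec:
  volumes:
    - name: harbor-ca
      configMap:
        name: harbor-ca
        items:
          - key: ca.crt
            path: ca.crt
  containers:
    - name: dind
      image: harbor.warnerchen.com/library/docker:dind
      command: ["/bin/sh", "-c"]
      args: ["dockerd & sleep infinity"]
      securityContext:
        privileged: true
        runAsUser: 0
      volumeMounts:
        # dockerd reads /etc/docker/certs.d/<registry-host>/ca.crt and trusts that
        # CA for this host only; every other registry keeps full TLS verification.
        - name: harbor-ca
          mountPath: /etc/docker/certs.d/harbor.warnerchen.com/ca.crt
          subPath: ca.crt
```

With the CA mounted this way, the pull still fails loudly on a certificate or hostname mismatch, which is the behaviour you want from a scanner that is supposed to tell you whether an image is trustworthy.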
New Item -> Pipeline, then configure the Pipeline Script in the Job:

Click Build; the execution log is as follows:
```
Started by user Jenkins Admin
[Pipeline] Start of Pipeline
[Pipeline] podTemplate
[Pipeline] {
[Pipeline] node
Created Pod: kubernetes jenkins/nv-scan---pipeline-6-3t9k4-1msqz-6v6fc
[PodInfo] jenkins/nv-scan---pipeline-6-3t9k4-1msqz-6v6fc
	Container [dind] waiting [ContainerCreating] No message
	Container [jnlp] waiting [ContainerCreating] No message
	Pod [Pending][ContainersNotReady] containers with unready status: [dind jnlp]
[PodInfo] jenkins/nv-scan---pipeline-6-3t9k4-1msqz-6v6fc
	Container [dind] waiting [ContainerCreating] No message
	Container [jnlp] waiting [ContainerCreating] No message
	Pod [Pending][ContainersNotReady] containers with unready status: [dind jnlp]
Agent nv-scan---pipeline-6-3t9k4-1msqz-6v6fc is provisioned from template NV_Scan_-_Pipeline_6-3t9k4-1msqz
---
apiVersion: "v1"
kind: "Pod"
metadata:
  annotations:
    kubernetes.jenkins.io/last-refresh: "1754536471228"
    buildUrl: "http://jenkins.jenkins.svc.cluster.local:8080/job/NV%20Scan%20-%20Pipeline/6/"
    runUrl: "job/NV%20Scan%20-%20Pipeline/6/"
  labels:
    jenkins/jenkins-jenkins-agent: "true"
    jenkins/label-digest: "dddd0a0bb59643e837ebc6646acbba6748b8a41b"
    jenkins/label: "NV_Scan_-_Pipeline_6-3t9k4"
    kubernetes.jenkins.io/controller: "http___jenkins_jenkins_svc_cluster_local_8080x"
  name: "nv-scan---pipeline-6-3t9k4-1msqz-6v6fc"
  namespace: "jenkins"
spec:
  containers:
  - args:
    - "dockerd & sleep infinity"
    command:
    - "/bin/sh"
    - "-c"
    image: "harbor.warnerchen.com/library/docker:dind"
    name: "dind"
    securityContext:
      privileged: true
      runAsUser: 0
    volumeMounts:
    - mountPath: "/etc/docker/daemon.json"
      name: "docker-config"
      subPath: "daemon.json"
    - mountPath: "/home/jenkins/agent"
      name: "workspace-volume"
      readOnly: false
  - env:
    - name: "JENKINS_SECRET"
      value: "********"
    - name: "JENKINS_TUNNEL"
      value: "jenkins-agent.jenkins.svc.cluster.local:50000"
    - name: "JENKINS_AGENT_NAME"
      value: "nv-scan---pipeline-6-3t9k4-1msqz-6v6fc"
    - name: "REMOTING_OPTS"
      value: "-noReconnectAfter 1d"
    - name: "JENKINS_NAME"
      value: "nv-scan---pipeline-6-3t9k4-1msqz-6v6fc"
    - name: "JENKINS_AGENT_WORKDIR"
      value: "/home/jenkins/agent"
    - name: "JENKINS_URL"
      value: "http://jenkins.jenkins.svc.cluster.local:8080/"
    image: "harbor.warnerchen.com/jenkins/inbound-agent:3309.v27b_9314fd1a_4-1"
    name: "jnlp"
    resources:
      requests:
        memory: "256Mi"
        cpu: "100m"
    volumeMounts:
    - mountPath: "/home/jenkins/agent"
      name: "workspace-volume"
      readOnly: false
  nodeSelector:
    kubernetes.io/os: "linux"
  restartPolicy: "Never"
  volumes:
  - configMap:
      items:
      - key: "daemon.json"
        path: "daemon.json"
      name: "dind-daemon-config"
    name: "docker-config"
  - emptyDir:
      medium: ""
    name: "workspace-volume"

Running on nv-scan---pipeline-6-3t9k4-1msqz-6v6fc in /home/jenkins/agent/workspace/NV Scan - Pipeline
[Pipeline] {
[Pipeline] stage
[Pipeline] { (NV Image Scan)
[Pipeline] container
[Pipeline] {
[Pipeline] script
[Pipeline] {
[Pipeline] neuvector
Build user not found.
*************************************************************
Scanner Source Name: NeuVector Scanner on Jenkins
Build User:
Job Name: NV Scan - Pipeline
Workspace: null
Registry: Harbor
Registry URL: https://harbor.warnerchen.com
Registry Username: admin
Controller Endpoint : RKE2 Cilium NV
Controller Endpoint URL: https://neuvector-service-controller.cattle-neuvector-system.svc.cluster.local:10443
Controller Endpoint Username: admin
Repository: library/nginx
Tag: mainline
****************** NeuVector scan summary *******************
Registry URL: https://harbor.warnerchen.com, Repository: library/nginx, Tag: mainline, Total vulnerabilities: 163, High severity vulnerabilities: 64, Medium severity vulnerabilities: 99
Archiving artifacts
Archiving artifacts
Archiving artifacts
Archiving artifacts
[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // container
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] }
[Pipeline] // podTemplate
[Pipeline] End of Pipeline
Finished: SUCCESS
```
View the scan report:

The corresponding report can also be viewed in NV:

Scanning images under a JFrog Container Registry subdomain
In Jenkins -> Manage Jenkins -> System, add a Registry:

Add a Build Step:

Run the scan:
